diff --git a/EncryptWithMasterKey.c b/EncryptWithMasterKey.c
deleted file mode 100644
index 30f09f9..0000000
--- a/EncryptWithMasterKey.c
+++ /dev/null
@@ -1,215 +0,0 @@ -#include -#include -#include -#include -#include - -#define krb5_kdb_decode_int16(cp, i16) \ - *((krb5_int16 *) &(i16)) = (((krb5_int16) ((unsigned char) (cp)[0]))| \ - ((krb5_int16) ((unsigned char) (cp)[1]) << 8)) -#define encode_int16(i16, cp) \ - { \ - (cp)[0] = (unsigned char) ((i16) & 0xff); \ - (cp)[1] = (unsigned char) (((i16) >> 8) & 0xff); \ - } - -krb5_error_code -krb5_db_fetch_mkey(krb5_context context, - krb5_enctype etype, - char *keyfile, - krb5_keyblock * key) -{ - krb5_error_code retval; - - /* from somewhere else */ - krb5_ui_2 enctype; - FILE *kf; - - retval = 0; - key->magic = KV5M_KEYBLOCK; - - if (!(kf = fopen(keyfile, "r"))) - return KRB5_KDB_CANTREAD_STORED; - if (fread((krb5_pointer) &enctype, 2, 1, kf) != 1) { - retval = KRB5_KDB_CANTREAD_STORED; - goto errout; - } - if (key->enctype == ENCTYPE_UNKNOWN) - key->enctype = enctype; - else if (enctype != key->enctype) { - retval = KRB5_KDB_BADSTORED_MKEY; - goto errout; - } - if (fread((krb5_pointer) &key->length, - sizeof(key->length), 1, kf) != 1) { - retval = KRB5_KDB_CANTREAD_STORED; - goto errout; - } - if (!key->length || ((int) key->length) < 0) { - retval = KRB5_KDB_BADSTORED_MKEY; - goto errout; - } - - if (!(key->contents = (krb5_octet *)malloc(key->length))) { - retval = ENOMEM; - goto errout; - } - if (fread((krb5_pointer) key->contents, - sizeof(key->contents[0]), key->length, kf) - != key->length) { - retval = KRB5_KDB_CANTREAD_STORED; - memset(key->contents, 0, key->length); - free(key->contents); - key->contents = 0; - } else - retval = 0; - -errout: - (void) fclose(kf); - return retval; -} - - -static int -read_octet_string(char *str, krb5_octet *buf, size_t len) -{ - int c; - int i, retval; - char *s; - - s = str; - - retval = 0; - for (i=0; i 0 ? 
(koptarg = *(++argv)) : (char *)(usage(), NULL)) - -int main(int argc, char *argv[]) -{ - krb5_context context; - krb5_error_code retval; - krb5_keyblock master_keyblock; - krb5_data plain; - krb5_enc_data cipher; - size_t plainlen = 0; - size_t enclen = 0; - char *koptarg; - char *stashfile = NULL; - char *data = NULL; - int i = 0; - - master_keyblock.enctype = ENCTYPE_DES3_CBC_SHA1; - - argv++; argc--; - while (*argv) { - if (strcmp(*argv, "-sf") == 0 && ARG_VAL) { - stashfile = koptarg; - } else if (strcmp(*argv, "-d") == 0 && ARG_VAL) { - data = koptarg; - } else if (strcmp(*argv, "-e") == 0 && ARG_VAL) { - if (krb5_string_to_enctype(koptarg, &master_keyblock.enctype)) - { - com_err(argv[0], 0, "%s is an invalid enctype", koptarg); - usage(); - } - } else { - usage(); - } - argv++; argc--; - } - - if (data == NULL || stashfile == NULL) - usage(); - - - retval = krb5_init_context(&context); - if( retval ) - { - com_err(argv[0], retval, "while initializing krb5_context"); - exit(1); - } - - retval = krb5_db_fetch_mkey(context, - master_keyblock.enctype, - stashfile, - &master_keyblock); - if( retval ) - { - com_err(argv[0], retval, "while fetching master key"); - exit(1); - } - - plainlen = strlen(data)/2; - - plain.data = (char *) malloc(plainlen); - plain.length = plainlen; - - read_octet_string(data, (krb5_octet*)plain.data, plainlen); - - retval = krb5_c_encrypt_length(context, - master_keyblock.enctype, - plain.length, &enclen); - if( retval ) - { - com_err(argv[0], retval, "while calculating cipher data length"); - exit(1); - } - - cipher.ciphertext.data = (char *) malloc(enclen); - cipher.ciphertext.length = enclen; - - retval = krb5_c_encrypt(context, &master_keyblock, /* XXX */ 0, 0, - &plain, &cipher); - if( retval ) - { - com_err(argv[0], retval, "while encrypting data"); - exit(1); - } - - /* first print out the length of the decrypted hash */ - - char l[2]; - encode_int16((unsigned int)plainlen, l); - printf("%02x%02x", l[0], l[1]); - - /* now print 
the encrypted key */ - for(i = 0; i < cipher.ciphertext.length; ++i) - { - printf("%02x",(unsigned char)cipher.ciphertext.data[i]); - } - printf("\n"); - - return 0; -} - diff --git a/Makefile.kadm5 b/Makefile.kadm5 deleted file mode 100644 index 8d26677..0000000 --- a/Makefile.kadm5 +++ /dev/null @@ -1,23 +0,0 @@ -.SUFFIXES: .tex .dvi .ps - -all: - latex adb-unit-test.tex - latex api-funcspec.tex - latex api-server-design.tex - latex api-unit-test.tex - dvips adb-unit-test.dvi -o adb-unit-test.ps - dvips api-funcspec.dvi -o api-funcspec.ps - dvips api-server-design.dvi -o api-server-design.ps - dvips api-unit-test.dvi -o api-unit-test.ps - latex2html -dir ../html/adb-unit-test -mkdir adb-unit-test.tex - latex2html -dir ../html/api-funcspec -mkdir api-funcspec.tex - latex2html -dir ../html/api-server-design -mkdir api-server-design.tex - latex2html -dir ../html/api-unit-test -mkdir api-unit-test.tex - - -clean: - rm -f *.toc *.log *.idx *.ind *.aux *.ilg - -really-clean: clean - rm -f *.dvi *.ps - diff --git a/baselibs.conf b/baselibs.conf deleted file mode 100644 index 30cb51a..0000000 --- a/baselibs.conf +++ /dev/null @@ -1,4 +0,0 @@ -krb5 - obsoletes "heimdal-lib-" - provides "heimdal-lib-" -krb5-devel diff --git a/gssapi_improve_errormessages.dif b/gssapi_improve_errormessages.dif deleted file mode 100644 index ec1ffb2..0000000 --- a/gssapi_improve_errormessages.dif +++ /dev/null @@ -1,13 +0,0 @@ -Index: krb5-1.6.3/src/lib/gssapi/generic/disp_com_err_status.c -=================================================================== ---- krb5-1.6.3.orig/src/lib/gssapi/generic/disp_com_err_status.c -+++ krb5-1.6.3/src/lib/gssapi/generic/disp_com_err_status.c -@@ -56,7 +56,7 @@ g_display_com_err_status(minor_status, s - (void) gssint_initialize_library(); - - if (! g_make_string_buffer(((status_value == 0)?no_error: -- error_message(status_value)), -+ error_message((int)status_value)), - status_string)) { - *minor_status = ENOMEM; - return(GSS_S_FAILURE); 
diff --git a/kprop-use-mkstemp.dif b/kprop-use-mkstemp.dif
deleted file mode 100644
index 893c3ab..0000000
--- a/kprop-use-mkstemp.dif
+++ /dev/null
@@ -1,26 +0,0 @@
---- src/slave/kprop.c
-+++ src/slave/kprop.c 2006/06/21 12:38:34
-@@ -215,6 +215,7 @@
- krb5_error_code retval;
- static char tkstring[] = "/tmp/kproptktXXXXXX";
- krb5_keytab keytab = NULL;
-+ int ret = 0;
-
- /*
- * Figure out what tickets we'll be using to send stuff
-@@ -240,7 +241,15 @@
- /*
- * Initialize cache file which we're going to be using
- */
-+#ifdef HAVE_MKSTEMP
-+ ret = mkstemp(tkstring);
-+ if (ret == -1) {
-+ com_err(progname, errno, "while initialize cache file");
-+ exit(1);
-+ } else close(ret);
-+#else
- (void) mktemp(tkstring);
-+#endif
- sprintf(buf, "FILE:%s", tkstring);
-
- retval = krb5_cc_resolve(context, buf, &ccache);
diff --git a/krb5-1.3.3-rcp-markus.dif b/krb5-1.3.3-rcp-markus.dif
deleted file mode 100644
index c52a6ec..0000000
--- a/krb5-1.3.3-rcp-markus.dif
+++ /dev/null
@@ -1,50 +0,0 @@ -Fix for CAN-2004-0175, based on Markus Friedl's fix for OpenSSH scp. - -Index: krb5-1.6.3/src/appl/bsd/krcp.c -=================================================================== ---- krb5-1.6.3.orig/src/appl/bsd/krcp.c -+++ krb5-1.6.3/src/appl/bsd/krcp.c -@@ -1096,6 +1096,10 @@ void sink(argc, argv) - size = size * 10 + (*cp++ - '0'); - if (*cp++ != ' ') - SCREWUP("size not delimited"); -+ if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) { -+ error("error: unexpected filename: %s", cp); -+ exit(1); -+ } - if (targisdir) { - if(strlen(targ) + strlen(cp) + 2 >= sizeof(nambuf)) - SCREWUP("target name too long"); -@@ -1109,6 +1113,8 @@ void sink(argc, argv) - nambuf[sizeof(nambuf) - 1] = '\0'; - exists = stat(nambuf, &stb) == 0; - if (cmdbuf[0] == 'D') { -+ if (!iamrecursive) -+ SCREWUP("received directory without -r"); - if (exists) { - if ((stb.st_mode&S_IFMT) != S_IFDIR) { - errno = ENOTDIR; -Index: krb5-1.6.3/src/appl/bsd/v4rcp.c -=================================================================== ---- krb5-1.6.3.orig/src/appl/bsd/v4rcp.c -+++ krb5-1.6.3/src/appl/bsd/v4rcp.c -@@ -807,6 +807,10 @@ void sink(argc, argv) - size = size * 10 + (*cp++ - '0'); - if (*cp++ != ' ') - SCREWUP("size not delimited"); -+ if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) { -+ error("error: unexpected filename: %s", cp); -+ exit(1); -+ } - if (targisdir) { - if (strlen(targ) + strlen(cp) + 1 < sizeof(nambuf)) { - (void) sprintf(nambuf, "%s%s%s", targ, -@@ -823,6 +827,8 @@ void sink(argc, argv) - nambuf[sizeof(nambuf)-1] = '\0'; - exists = stat(nambuf, &stb) == 0; - if (cmdbuf[0] == 'D') { -+ if (!iamrecursive) -+ SCREWUP("received directory without -r"); - if (exists) { - if ((stb.st_mode&S_IFMT) != S_IFDIR) { - errno = ENOTDIR; diff --git a/krb5-1.4-fix-segfault.dif b/krb5-1.4-fix-segfault.dif deleted file mode 100644 index 61c3491..0000000 --- a/krb5-1.4-fix-segfault.dif +++ /dev/null 
@@ -1,28 +0,0 @@ -Index: src/lib/krb5/krb/princ_comp.c -=================================================================== ---- src/lib/krb5/krb/princ_comp.c.orig -+++ src/lib/krb5/krb/princ_comp.c -@@ -33,6 +33,13 @@ - krb5_boolean KRB5_CALLCONV - krb5_realm_compare(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2) - { -+ if ((princ1 == NULL) || (princ2 == NULL)) -+ return FALSE; -+ -+ if ((krb5_princ_realm(context, princ1) == NULL) || -+ (krb5_princ_realm(context, princ2) == NULL)) -+ return FALSE; -+ - if (krb5_princ_realm(context, princ1)->length != - krb5_princ_realm(context, princ2)->length || - memcmp (krb5_princ_realm(context, princ1)->data, -@@ -49,6 +56,9 @@ krb5_principal_compare(krb5_context cont - register int i; - krb5_int32 nelem; - -+ if ((princ1 == NULL) || (princ2 == NULL)) -+ return FALSE; -+ - nelem = krb5_princ_size(context, princ1); - if (nelem != krb5_princ_size(context, princ2)) - return FALSE; diff --git a/krb5-1.4.3-enospc.dif b/krb5-1.4.3-enospc.dif index 7acd9f5..94f66a4 100644 --- a/krb5-1.4.3-enospc.dif +++ b/krb5-1.4.3-enospc.dif 
@@ -1,21 +1,13 @@ If the error message is going to be ambiguous, try to give the user some clue by returning the last error reported by the OS. -Index: krb5-1.6.3/src/clients/kinit/kinit.c +Index: trunk/src/clients/kinit/kinit.c =================================================================== ---- krb5-1.6.3.orig/src/clients/kinit/kinit.c -+++ krb5-1.6.3/src/clients/kinit/kinit.c -@@ -35,6 +35,7 @@ - #else - #undef HAVE_KRB524 - #endif -+#include - #include - #include - #include -@@ -921,8 +922,14 @@ k5_kinit(opts, k5) - - code = krb5_cc_initialize(k5->ctx, k5->cc, k5->me); +--- trunk.orig/src/clients/kinit/kinit.c ++++ trunk/src/clients/kinit/kinit.c +@@ -658,8 +658,14 @@ k5_kinit(opts, k5) + code = krb5_cc_initialize(k5->ctx, k5->cc, + opts->canonicalize ? my_creds.client : k5->me); if (code) { - com_err(progname, code, "when initializing cache %s", - opts->k5_cache_name?opts->k5_cache_name:""); diff --git a/krb5-1.5.1-fix-ftp-var-used-uninitialized.dif b/krb5-1.5.1-fix-ftp-var-used-uninitialized.dif index c6e1357..ad5f8c9 100644 --- a/krb5-1.5.1-fix-ftp-var-used-uninitialized.dif +++ b/krb5-1.5.1-fix-ftp-var-used-uninitialized.dif @@ -2,7 +2,7 @@ Index: src/appl/gssftp/ftp/ftp.c =================================================================== --- src/appl/gssftp/ftp/ftp.c.orig +++ src/appl/gssftp/ftp/ftp.c -@@ -1986,7 +1986,7 @@ int do_auth() +@@ -1912,7 +1912,7 @@ int do_auth() #ifdef GSSAPI if (command("AUTH %s", "GSSAPI") == CONTINUE) { diff --git a/krb5-1.5.1-fix-strncat-warning.dif b/krb5-1.5.1-fix-strncat-warning.dif deleted file mode 100644 index 9f1ba82..0000000 --- a/krb5-1.5.1-fix-strncat-warning.dif +++ /dev/null 
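Review bot: The refreshed patch drops the nested hunk that inserted an `#include` near kinit.c line 35 (the header name is not legible in this rendering), while the surviving nested hunk at `@@ -658,8 +658,14 @@ k5_kinit` still replaces the `com_err` call with the OS-error variant whose `+` lines lie beyond the end of this outer hunk. If that replacement reads `errno` or calls `strerror`, confirm that trunk's kinit.c already includes the header the old hunk added; otherwise the patch only builds through transitive includes and will break on the next upstream header cleanup. A one-line remark in the patch description, such as `Refreshed against trunk; the <HEADER> include is now provided upstream` (with the actual header filled in), would record why the hunk was dropped. The same refresh pattern applies to the kinit.c-independent `krb5-1.5.1-fix-ftp-var-used-uninitialized.dif` hunk on this line, which only moves a line number and needs no note.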
@@ -1,20 +0,0 @@ ---- src/lib/krb4/g_cnffile.c -+++ src/lib/krb4/g_cnffile.c 2006/10/30 11:12:26 -@@ -68,7 +68,7 @@ - &full_name); - if (retval == 0 && full_name && full_name[0]) { - retname[0] = '\0'; -- strncat(retname, full_name[0], sizeof(retname)); -+ strncat(retname, full_name[0], sizeof(retname)-strlen(retname)-1); - for (cpp = full_name; *cpp; cpp++) - krb5_xfree(*cpp); - krb5_xfree(full_name); -@@ -76,7 +76,7 @@ - } - } - retname[0] = '\0'; -- strncat(retname, default_srvtabname, sizeof(retname)); -+ strncat(retname, default_srvtabname, sizeof(retname)-strlen(retname)-1); - return retname; - } - diff --git a/krb5-1.5.1-fix-too-few-arguments.dif b/krb5-1.5.1-fix-too-few-arguments.dif deleted file mode 100644 index 32691a3..0000000 --- a/krb5-1.5.1-fix-too-few-arguments.dif +++ /dev/null @@ -1,22 +0,0 @@ -Index: src/kadmin/dbutil/dump.c -=================================================================== ---- src/kadmin/dbutil/dump.c.orig -+++ src/kadmin/dbutil/dump.c -@@ -2028,7 +2028,7 @@ process_k5beta7_record(fname, kcontext, - linenop); - else if (strcmp(rectype, "policy") == 0) - process_k5beta7_policy(fname, kcontext, filep, verbose, -- linenop); -+ linenop, NULL); - else { - fprintf(stderr, "unknown record type \"%s\" on line %d\n", - rectype, *linenop); -@@ -2064,7 +2064,7 @@ process_ov_record(fname, kcontext, filep - linenop); - else if (strcmp(rectype, "policy") == 0) - process_k5beta7_policy(fname, kcontext, filep, verbose, -- linenop); -+ linenop, NULL); - else if (strcmp(rectype, "End") == 0) - return -1; - else { diff --git a/krb5-1.6-MITKRB5-SA-2008-001.dif b/krb5-1.6-MITKRB5-SA-2008-001.dif deleted file mode 100644 index a26c178..0000000 --- a/krb5-1.6-MITKRB5-SA-2008-001.dif +++ /dev/null 
@@ -1,336 +0,0 @@ -Index: krb5-1.6.2/src/kdc/dispatch.c -=================================================================== ---- krb5-1.6.2.orig/src/kdc/dispatch.c -+++ krb5-1.6.2/src/kdc/dispatch.c -@@ -1,7 +1,7 @@ - /* - * kdc/dispatch.c - * -- * Copyright 1990 by the Massachusetts Institute of Technology. -+ * Copyright 1990, 2007 by the Massachusetts Institute of Technology. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. -@@ -107,7 +107,7 @@ dispatch(krb5_data *pkt, const krb5_full - retval = KRB5KRB_AP_ERR_MSG_TYPE; - #ifndef NOCACHE - /* put the response into the lookaside buffer */ -- if (!retval) -+ if (!retval && *response != NULL) - kdc_insert_lookaside(pkt, *response); - #endif - -Index: krb5-1.6.2/src/kdc/kerberos_v4.c -=================================================================== ---- krb5-1.6.2.orig/src/kdc/kerberos_v4.c -+++ krb5-1.6.2/src/kdc/kerberos_v4.c -@@ -1,7 +1,7 @@ - /* - * kdc/kerberos_v4.c - * -- * Copyright 1985, 1986, 1987, 1988,1991 by the Massachusetts Institute -+ * Copyright 1985, 1986, 1987, 1988,1991,2007 by the Massachusetts Institute - * of Technology. - * All Rights Reserved. 
- * -@@ -87,11 +87,6 @@ extern int krbONE; - #define MSB_FIRST 0 /* 68000, IBM RT/PC */ - #define LSB_FIRST 1 /* Vax, PC8086 */ - --int f; -- --/* XXX several files in libkdb know about this */ --char *progname; -- - #ifndef BACKWARD_COMPAT - static Key_schedule master_key_schedule; - static C_Block master_key; -@@ -143,10 +138,8 @@ static void hang(void); - #include "com_err.h" - #include "extern.h" /* to pick up master_princ */ - --static krb5_data *response; -- --void kerberos_v4 (struct sockaddr_in *, KTEXT); --void kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *); -+static krb5_data *kerberos_v4 (struct sockaddr_in *, KTEXT); -+static krb5_data *kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *); - static int set_tgtkey (char *, krb5_kvno, krb5_boolean); - - /* Attributes converted from V5 to V4 - internal representation */ -@@ -262,12 +255,12 @@ process_v4(const krb5_data *pkt, const k - (void) klog(L_KRB_PERR, "V4 request too long."); - return KRB5KRB_ERR_FIELD_TOOLONG; - } -+ memset( &v4_pkt, 0, sizeof(v4_pkt)); - v4_pkt.length = pkt->length; - v4_pkt.mbz = 0; - memcpy( v4_pkt.dat, pkt->data, pkt->length); - -- kerberos_v4( &client_sockaddr, &v4_pkt); -- *resp = response; -+ *resp = kerberos_v4( &client_sockaddr, &v4_pkt); - return(retval); - } - -@@ -300,19 +293,20 @@ char * v4_klog( int type, const char *fo - } - - static --int krb4_sendto(int s, const char *msg, int len, int flags, -- const struct sockaddr *to, int to_len) -+krb5_data *make_response(const char *msg, int len) - { -+ krb5_data *response; -+ - if ( !(response = (krb5_data *) malloc( sizeof *response))) { -- return ENOMEM; -+ return 0; - } - if ( !(response->data = (char *) malloc( len))) { - krb5_free_data(kdc_context, response); -- return ENOMEM; -+ return 0; - } - response->length = len; - memcpy( response->data, msg, len); -- return( 0); -+ return response; - } - static void - hang(void) -@@ -586,7 +580,7 @@ static void str_length_check(char *str, - *cp = 0; - } - 
--void -+static krb5_data * - kerberos_v4(struct sockaddr_in *client, KTEXT pkt) - { - static KTEXT_ST rpkt_st; -@@ -599,7 +593,7 @@ kerberos_v4(struct sockaddr_in *client, - KTEXT auth = &auth_st; - AUTH_DAT ad_st; - AUTH_DAT *ad = &ad_st; -- -+ krb5_data *response = 0; - - static struct in_addr client_host; - static int msg_byte_order; -@@ -637,8 +631,7 @@ kerberos_v4(struct sockaddr_in *client, - inet_ntoa(client_host)); - /* send an error reply */ - req_name_ptr = req_inst_ptr = req_realm_ptr = ""; -- kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); -- return; -+ return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); - } - - /* check packet version */ -@@ -648,8 +641,7 @@ kerberos_v4(struct sockaddr_in *client, - KRB_PROT_VERSION, req_version, 0); - /* send an error reply */ - req_name_ptr = req_inst_ptr = req_realm_ptr = ""; -- kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); -- return; -+ return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); - } - msg_byte_order = req_msg_type & 1; - -@@ -707,10 +699,10 @@ kerberos_v4(struct sockaddr_in *client, - - if ((i = check_princ(req_name_ptr, req_inst_ptr, 0, - &a_name_data, &k5key, 0, &ck5life))) { -- kerb_err_reply(client, pkt, i, "check_princ failed"); -+ response = kerb_err_reply(client, pkt, i, "check_princ failed"); - a_name_data.key_low = a_name_data.key_high = 0; - krb5_free_keyblock_contents(kdc_context, &k5key); -- return; -+ return response; - } - /* don't use k5key for client */ - krb5_free_keyblock_contents(kdc_context, &k5key); -@@ -722,11 +714,11 @@ kerberos_v4(struct sockaddr_in *client, - /* this does all the checking */ - if ((i = check_princ(service, instance, lifetime, - &s_name_data, &k5key, 1, &sk5life))) { -- kerb_err_reply(client, pkt, i, "check_princ failed"); -+ response = kerb_err_reply(client, pkt, i, "check_princ failed"); - a_name_data.key_high = a_name_data.key_low = 0; - s_name_data.key_high = s_name_data.key_low = 0; - krb5_free_keyblock_contents(kdc_context, &k5key); -- 
return; -+ return response; - } - /* Bound requested lifetime with service and user */ - v4req_end = krb_life_to_time(kerb_time.tv_sec, req_life); -@@ -797,8 +789,7 @@ kerberos_v4(struct sockaddr_in *client, - rpkt = create_auth_reply(req_name_ptr, req_inst_ptr, - req_realm_ptr, req_time_ws, 0, a_name_data.exp_date, - a_name_data.key_version, ciph); -- krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0, -- (struct sockaddr *) client, sizeof (struct sockaddr_in)); -+ response = make_response((char *) rpkt->dat, rpkt->length); - memset(&a_name_data, 0, sizeof(a_name_data)); - memset(&s_name_data, 0, sizeof(s_name_data)); - break; -@@ -824,9 +815,8 @@ kerberos_v4(struct sockaddr_in *client, - lt = klog(L_KRB_PERR, - "APPL request with realm length too long from %s", - inet_ntoa(client_host)); -- kerb_err_reply(client, pkt, RD_AP_INCON, -- "realm length too long"); -- return; -+ return kerb_err_reply(client, pkt, RD_AP_INCON, -+ "realm length too long"); - } - - auth->length += (int) *(pkt->dat + auth->length) + -@@ -835,9 +825,8 @@ kerberos_v4(struct sockaddr_in *client, - lt = klog(L_KRB_PERR, - "APPL request with funky tkt or req_id length from %s", - inet_ntoa(client_host)); -- kerb_err_reply(client, pkt, RD_AP_INCON, -- "funky tkt or req_id length"); -- return; -+ return kerb_err_reply(client, pkt, RD_AP_INCON, -+ "funky tkt or req_id length"); - } - - memcpy(auth->dat, pkt->dat, auth->length); -@@ -848,18 +837,16 @@ kerberos_v4(struct sockaddr_in *client, - if ((!allow_v4_crossrealm)&&strcmp(tktrlm, local_realm) != 0) { - lt = klog(L_ERR_UNK, - "Cross realm ticket from %s denied by policy,", tktrlm); -- kerb_err_reply(client, pkt, -- KERB_ERR_PRINCIPAL_UNKNOWN, lt); -- return; -+ return kerb_err_reply(client, pkt, -+ KERB_ERR_PRINCIPAL_UNKNOWN, lt); - } - if (set_tgtkey(tktrlm, kvno, 0)) { -- lt = klog(L_ERR_UNK, -+ lt = klog(L_ERR_UNK, - "FAILED set_tgtkey realm %s, kvno %d. 
Host: %s ", - tktrlm, kvno, inet_ntoa(client_host)); - /* no better error code */ -- kerb_err_reply(client, pkt, -- KERB_ERR_PRINCIPAL_UNKNOWN, lt); -- return; -+ return kerb_err_reply(client, pkt, -+ KERB_ERR_PRINCIPAL_UNKNOWN, lt); - } - kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr, - ad, 0); -@@ -869,9 +856,8 @@ kerberos_v4(struct sockaddr_in *client, - "FAILED 3des set_tgtkey realm %s, kvno %d. Host: %s ", - tktrlm, kvno, inet_ntoa(client_host)); - /* no better error code */ -- kerb_err_reply(client, pkt, -- KERB_ERR_PRINCIPAL_UNKNOWN, lt); -- return; -+ return kerb_err_reply(client, pkt, -+ KERB_ERR_PRINCIPAL_UNKNOWN, lt); - } - kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr, - ad, 0); -@@ -881,8 +867,7 @@ kerberos_v4(struct sockaddr_in *client, - klog(L_ERR_UNK, "FAILED krb_rd_req from %s: %s", - inet_ntoa(client_host), krb_get_err_text(kerno)); - req_name_ptr = req_inst_ptr = req_realm_ptr = ""; -- kerb_err_reply(client, pkt, kerno, "krb_rd_req failed"); -- return; -+ return kerb_err_reply(client, pkt, kerno, "krb_rd_req failed"); - } - ptr = (char *) pkt->dat + auth->length; - -@@ -904,22 +889,21 @@ kerberos_v4(struct sockaddr_in *client, - req_realm_ptr = ad->prealm; - - if (strcmp(ad->prealm, tktrlm)) { -- kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, -- "Can't hop realms"); -- return; -+ return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, -+ "Can't hop realms"); - } - if (!strcmp(service, "changepw")) { -- kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, -- "Can't authorize password changed based on TGT"); -- return; -+ return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, -+ "Can't authorize password changed based on TGT"); - } - kerno = check_princ(service, instance, req_life, - &s_name_data, &k5key, 1, &sk5life); - if (kerno) { -- kerb_err_reply(client, pkt, kerno, "check_princ failed"); -+ response = kerb_err_reply(client, pkt, kerno, -+ "check_princ failed"); - s_name_data.key_high 
= s_name_data.key_low = 0; - krb5_free_keyblock_contents(kdc_context, &k5key); -- return; -+ return response; - } - /* Bound requested lifetime with service and user */ - v4endtime = krb_life_to_time((KRB4_32)ad->time_sec, ad->life); -@@ -975,8 +959,7 @@ kerberos_v4(struct sockaddr_in *client, - rpkt = create_auth_reply(ad->pname, ad->pinst, - ad->prealm, time_ws, - 0, 0, 0, ciph); -- krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0, -- (struct sockaddr *) client, sizeof (struct sockaddr_in)); -+ response = make_response((char *) rpkt->dat, rpkt->length); - memset(&s_name_data, 0, sizeof(s_name_data)); - break; - } -@@ -1001,6 +984,7 @@ kerberos_v4(struct sockaddr_in *client, - break; - } - } -+ return response; - } - - -@@ -1010,7 +994,7 @@ kerberos_v4(struct sockaddr_in *client, - * client. - */ - --void -+static krb5_data * - kerb_err_reply(struct sockaddr_in *client, KTEXT pkt, long int err, char *string) - { - static KTEXT_ST e_pkt_st; -@@ -1021,9 +1005,7 @@ kerb_err_reply(struct sockaddr_in *clien - strncat(e_msg, string, sizeof(e_msg) - 1 - 19); - cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr, - req_time_ws, err, e_msg); -- krb4_sendto(f, (char *) e_pkt->dat, e_pkt->length, 0, -- (struct sockaddr *) client, sizeof (struct sockaddr_in)); -- -+ return make_response((char *) e_pkt->dat, e_pkt->length); - } - - static int -Index: krb5-1.6.2/src/kdc/network.c -=================================================================== ---- krb5-1.6.2.orig/src/kdc/network.c -+++ krb5-1.6.2/src/kdc/network.c -@@ -1,7 +1,7 @@ - /* - * kdc/network.c - * -- * Copyright 1990,2000 by the Massachusetts Institute of Technology. -+ * Copyright 1990,2000,2007 by the Massachusetts Institute of Technology. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. 
-@@ -747,6 +747,8 @@ static void process_packet(struct connec - com_err(prog, retval, "while dispatching (udp)"); - return; - } -+ if (response == NULL) -+ return; - cc = sendto(port_fd, response->data, (socklen_t) response->length, 0, - (struct sockaddr *)&saddr, saddr_len); - if (cc == -1) { diff --git a/krb5-1.6-MITKRB5-SA-2008-002.dif b/krb5-1.6-MITKRB5-SA-2008-002.dif deleted file mode 100644 index 1d62388..0000000 --- a/krb5-1.6-MITKRB5-SA-2008-002.dif +++ /dev/null 
@@ -1,76 +0,0 @@ -=== src/lib/rpc/svc.c -================================================================== -Index: src/lib/rpc/svc.c -=================================================================== ---- src/lib/rpc/svc.c.orig -+++ src/lib/rpc/svc.c -@@ -109,15 +109,17 @@ xprt_register(SVCXPRT *xprt) - if (sock < FD_SETSIZE) { - xports[sock] = xprt; - FD_SET(sock, &svc_fdset); -+ if (sock > svc_maxfd) -+ svc_maxfd = sock; - } - #else - if (sock < NOFILE) { - xports[sock] = xprt; - svc_fds |= (1 << sock); -+ if (sock > svc_maxfd) -+ svc_maxfd = sock; - } - #endif /* def FD_SETSIZE */ -- if (sock > svc_maxfd) -- svc_maxfd = sock; - } - - /* -Index: src/lib/rpc/svc_tcp.c -=================================================================== ---- src/lib/rpc/svc_tcp.c.orig -+++ src/lib/rpc/svc_tcp.c -@@ -53,6 +53,14 @@ static char sccsid[] = "@(#)svc_tcp.c 1. - extern errno; - */ - -+#ifndef FD_SETSIZE -+#ifdef NBBY -+#define NOFILE (sizeof(int) * NBBY) -+#else -+#define NOFILE (sizeof(int) * 8) -+#endif -+#endif -+ - /* - * Ops vector for TCP/IP based rpc service handle - */ -@@ -213,6 +221,19 @@ makefd_xprt( - register SVCXPRT *xprt; - register struct tcp_conn *cd; - -+#ifdef FD_SETSIZE -+ if (fd >= FD_SETSIZE) { -+ (void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n"); -+ xprt = NULL; -+ goto done; -+ } -+#else -+ if (fd >= NOFILE) { -+ (void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n"); -+ xprt = NULL; -+ goto done; -+ } -+#endif - xprt = (SVCXPRT *)mem_alloc(sizeof(SVCXPRT)); - if (xprt == (SVCXPRT *)NULL) { - (void) fprintf(stderr, "svc_tcp: makefd_xprt: out of memory\n"); -@@ -268,6 +289,10 @@ rendezvous_request( - * make a new transporter (re-uses xprt) - */ - xprt = makefd_xprt(sock, r->sendsize, r->recvsize); -+ if (xprt == NULL) { -+ close(sock); -+ return (FALSE); -+ } - xprt->xp_raddr = addr; - xprt->xp_addrlen = len; - xprt->xp_laddr = laddr; 
diff --git a/krb5-1.6-fix-CVE-2007-5894.dif b/krb5-1.6-fix-CVE-2007-5894.dif deleted file mode 100644 index c35e3c0..0000000 --- a/krb5-1.6-fix-CVE-2007-5894.dif +++ /dev/null @@ -1,13 +0,0 @@ -Index: src/appl/gssftp/ftpd/ftpd.c -=================================================================== ---- src/appl/gssftp/ftpd/ftpd.c.orig -+++ src/appl/gssftp/ftpd/ftpd.c -@@ -1823,7 +1823,7 @@ reply(n, fmt, p0, p1, p2, p3, p4, p5) - * radix_encode, gss_seal, plus slop. - */ - char in[FTP_BUFSIZ*3/2], out[FTP_BUFSIZ*3/2]; -- int length, kerror; -+ int length = 0, kerror; - if (n) sprintf(in, "%d%c", n, cont_char); - else in[0] = '\0'; - strncat(in, buf, sizeof (in) - strlen(in) - 1); diff --git a/krb5-1.6-fix-CVE-2007-5902.dif b/krb5-1.6-fix-CVE-2007-5902.dif deleted file mode 100644 index 2766cdd..0000000 --- a/krb5-1.6-fix-CVE-2007-5902.dif +++ /dev/null @@ -1,13 +0,0 @@ -Index: src/lib/rpc/svc_auth_gss.c -=================================================================== ---- src/lib/rpc/svc_auth_gss.c.orig -+++ src/lib/rpc/svc_auth_gss.c -@@ -671,7 +671,7 @@ svcauth_gss_get_principal(SVCAUTH *auth) - - gd = SVCAUTH_PRIVATE(auth); - -- if (gd->cname.length == 0) -+ if (gd->cname.length == 0 || gd->cname.length >= SIZE_MAX) - return (NULL); - - if ((pname = malloc(gd->cname.length + 1)) == NULL) diff --git a/krb5-1.6-fix-CVE-2007-5971.dif b/krb5-1.6-fix-CVE-2007-5971.dif deleted file mode 100644 index 10b3370..0000000 --- a/krb5-1.6-fix-CVE-2007-5971.dif +++ /dev/null 
@@ -1,25 +0,0 @@ -Index: src/lib/gssapi/krb5/k5sealv3.c -=================================================================== ---- src/lib/gssapi/krb5/k5sealv3.c.orig -+++ src/lib/gssapi/krb5/k5sealv3.c -@@ -248,7 +248,6 @@ gss_krb5int_make_seal_token_v3 (krb5_con - plain.data = 0; - if (err) { - zap(outbuf,bufsize); -- free(outbuf); - goto error; - } - if (sum.length != ctx->cksum_size) -Index: src/lib/gssapi/mechglue/g_initialize.c -=================================================================== ---- src/lib/gssapi/mechglue/g_initialize.c.orig -+++ src/lib/gssapi/mechglue/g_initialize.c -@@ -208,7 +208,7 @@ gss_OID_set *mechSet; - free((*mechSet)->elements[j].elements); - } - free((*mechSet)->elements); -- free(mechSet); -+ free(*mechSet); - *mechSet = NULL; - return (GSS_S_FAILURE); - } diff --git a/krb5-1.6-fix-CVE-2007-5972.dif b/krb5-1.6-fix-CVE-2007-5972.dif deleted file mode 100644 index 3eb8a44..0000000 --- a/krb5-1.6-fix-CVE-2007-5972.dif +++ /dev/null @@ -1,14 +0,0 @@ -Index: src/lib/kdb/kdb_default.c -=================================================================== ---- src/lib/kdb/kdb_default.c.orig -+++ src/lib/kdb/kdb_default.c -@@ -185,8 +185,7 @@ krb5_def_store_mkey(context, keyfile, mn - kf) != key->length)) { - retval = errno; - (void) fclose(kf); -- } -- if (fclose(kf) == EOF) -+ } else if (fclose(kf) == EOF) - retval = errno; - #if HAVE_UMASK - (void) umask(oumask); diff --git a/krb5-1.6-ldap-man.dif b/krb5-1.6-ldap-man.dif deleted file mode 100644 index 33dcc65..0000000 --- a/krb5-1.6-ldap-man.dif +++ /dev/null 
@@ -1,22 +0,0 @@ -Index: src/config-files/krb5.conf.M -=================================================================== ---- src/config-files/krb5.conf.M (revision 19507) -+++ src/config-files/krb5.conf.M (working copy) -@@ -600,7 +600,7 @@ - objects used for starting the Kerberos servers. This value is used if no - service password file is mentioned in the configuration section under dbmodules. - --.IP ldap_server -+.IP ldap_servers - This LDAP specific tag indicates the list of LDAP servers. The list of LDAP servers - is whitespace-separated. The LDAP server is specified by a LDAP URI. - This value is used if no LDAP servers are mentioned in the configuration -@@ -641,7 +641,7 @@ - This LDAP specific tag indicates the file containing the stashed passwords for the - objects used for starting the Kerberos servers. - --.IP ldap_server -+.IP ldap_servers - This LDAP specific tag indicates the list of LDAP servers. The list of LDAP servers - is whitespace-separated. The LDAP server is specified by a LDAP URI. - diff --git a/krb5-1.6.1-compile_pie.dif b/krb5-1.6.1-compile_pie.dif index 2d77233..8a0d66f 100644 --- a/krb5-1.6.1-compile_pie.dif +++ b/krb5-1.6.1-compile_pie.dif @@ -2,7 +2,7 @@ Index: src/krb5-config.in =================================================================== --- src/krb5-config.in.orig +++ src/krb5-config.in -@@ -186,6 +186,8 @@ if test -n "$do_libs"; then +@@ -188,6 +188,8 @@ if test -n "$do_libs"; then -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ -e 's#\$(CFLAGS)#'"$CFLAGS"'#'` 
@@ -15,13 +15,13 @@ Index: src/config/shlib.conf =================================================================== --- src/config/shlib.conf.orig +++ src/config/shlib.conf -@@ -378,7 +378,8 @@ mips-*-netbsd*) - SHLIB_EXPFLAGS='-Wl,-R$(SHLIB_RDIRS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)' +@@ -420,7 +420,8 @@ mips-*-netbsd*) PROFFLAGS=-pg RPATH_FLAG='-Wl,-rpath -Wl,' -- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CFLAGS) $(LDFLAGS)' -+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CFLAGS) -pie $(LDFLAGS)' -+ INSTALL_SHLIB='${INSTALL} -m755' + PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)' +- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)' ++ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie $(LDFLAGS)' ++ INSTALL_SHLIB='${INSTALL} -m755' CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)' - RUN_ENV='LD_LIBRARY_PATH=`echo $(PROG_LIBPATH) | sed -e "s/-L//g" -e "s/ /:/g"`; export LD_LIBRARY_PATH; ' - + CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)' + CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)' diff --git a/krb5-1.6.1-init-salt-length.dif b/krb5-1.6.1-init-salt-length.dif deleted file mode 100644 index fdfbf7f..0000000 --- a/krb5-1.6.1-init-salt-length.dif +++ /dev/null @@ -1,14 +0,0 @@ -Index: src/lib/krb5/asn.1/ldap_key_seq.c -=================================================================== ---- src/lib/krb5/asn.1/ldap_key_seq.c.orig -+++ src/lib/krb5/asn.1/ldap_key_seq.c -@@ -341,7 +341,8 @@ static asn1_error_code asn1_decode_key(a - if (asn1buf_remains(&slt, 0) != 0) { /* Salt value is optional */ - ret = decode_tagged_octetstring (&slt, 1, &keylen, - &key->key_data_contents[1]); checkerr; -- } -+ } else -+ keylen = 0; - safe_syncbuf (&subbuf, &slt); - key->key_data_length[1] = keylen; /* XXX range check?? */ - 
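Review bot: The rebased hunk still adds `-pie` only to `CC_LINK_SHARED`, while the context it now sits on also defines `CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'` without it, so any C++ executable linked through that variable in this shlib.conf entry would not be built as a position-independent executable. If the intent is PIE for every dynamically linked program, the patch needs the matching line `CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) -pie $(LDFLAGS)'`; whether the krb5 tree links any C++ programs cannot be seen from here, and if it does not, a sentence in the patch header saying so would save the next rebase the same question. The added `INSTALL_SHLIB='${INSTALL} -m755'` is unrelated to PIE and deserves its own line of explanation in that header as well.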
diff --git a/krb5-1.6.3-case-insensitive.dif b/krb5-1.6.3-case-insensitive.dif
deleted file mode 100644
index 9e0478a..0000000
--- a/krb5-1.6.3-case-insensitive.dif
+++ /dev/null
@@ -1,111 +0,0 @@ -Index: src/include/k5-int.h -=================================================================== ---- src/include/k5-int.h.orig -+++ src/include/k5-int.h -@@ -1253,6 +1253,11 @@ struct _krb5_context { - - #define KRB5_LIBOPT_SYNC_KDCTIME 0x0001 - -+#ifdef __CI_PRINC__ -+#define KRB5_LIBOPT_CASE_INSENSITIVE 0x0002 -+#define KRB5_LIBOPT_RD_REQ_TRY_HOST_SPN 0x0004 -+#endif -+ - /* internal message representations */ - - typedef struct _krb5_safe { -Index: src/lib/krb5/krb/init_ctx.c -=================================================================== ---- src/lib/krb5/krb/init_ctx.c.orig -+++ src/lib/krb5/krb/init_ctx.c -@@ -222,6 +222,16 @@ init_common (krb5_context *context, krb5 - &tmp); - ctx->library_options = tmp ? KRB5_LIBOPT_SYNC_KDCTIME : 0; - -+#ifdef __CI_PRINC__ -+#define DEFAULT_CASE_SENSITIVE 1 -+ profile_get_boolean(ctx->profile, "libdefaults", -+ "case_sensitive", 0, DEFAULT_CASE_SENSITIVE, -+ &tmp); -+ if (tmp == 0) -+ ctx->library_options |= KRB5_LIBOPT_CASE_INSENSITIVE; -+ -+#endif /* __CI_PRINC__ */ -+ - /* - * We use a default file credentials cache of 3. 
See - * lib/krb5/krb/ccache/file/fcc.h for a description of the -Index: src/lib/krb5/krb/princ_comp.c -=================================================================== ---- src/lib/krb5/krb/princ_comp.c.orig -+++ src/lib/krb5/krb/princ_comp.c -@@ -33,13 +33,35 @@ - krb5_boolean KRB5_CALLCONV - krb5_realm_compare(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2) - { -+ krb5_boolean ret; -+ - if ((princ1 == NULL) || (princ2 == NULL)) - return FALSE; - - if ((krb5_princ_realm(context, princ1) == NULL) || - (krb5_princ_realm(context, princ2) == NULL)) - return FALSE; -+#ifdef __CI_PRINC__ -+ /* XXX this needs to be Unicode-aware */ -+ -+ if (krb5_princ_realm(context, princ1)->length != -+ krb5_princ_realm(context, princ2)->length) { -+ /* NB this test won't be necessarily correct for UTF-8 */ -+ return FALSE; -+ } -+ -+ if (context->library_options & KRB5_LIBOPT_CASE_INSENSITIVE) { -+ ret = (strncasecmp (krb5_princ_realm(context, princ1)->data, -+ krb5_princ_realm(context, princ2)->data, -+ krb5_princ_realm(context, princ2)->length) == 0); -+ } else { -+ ret = (memcmp (krb5_princ_realm(context, princ1)->data, -+ krb5_princ_realm(context, princ2)->data, -+ krb5_princ_realm(context, princ2)->length) == 0); -+ } - -+ return ret; -+#else - if (krb5_princ_realm(context, princ1)->length != - krb5_princ_realm(context, princ2)->length || - memcmp (krb5_princ_realm(context, princ1)->data, -@@ -48,6 +70,7 @@ krb5_realm_compare(krb5_context context, - return FALSE; - - return TRUE; -+#endif /* __CI_PRINC__ */ - } - - krb5_boolean KRB5_CALLCONV -@@ -69,9 +92,25 @@ krb5_principal_compare(krb5_context cont - for (i = 0; i < (int) nelem; i++) { - register const krb5_data *p1 = krb5_princ_component(context, princ1, i); - register const krb5_data *p2 = krb5_princ_component(context, princ2, i); -+#ifdef __CI_PRINC__ -+ /* XXX this needs to be Unicode-aware */ -+ krb5_boolean ret; -+ -+ if (p1->length != p2->length) -+ return FALSE; -+ -+ if 
(context->library_options & KRB5_LIBOPT_CASE_INSENSITIVE) -+ ret = (strncasecmp(p1->data, p2->data, p1->length) == 0); -+ else -+ ret = (memcmp(p1->data, p2->data, p1->length) == 0); -+ -+ if (ret == FALSE) -+ return ret; -+#else - if (p1->length != p2->length || - memcmp(p1->data, p2->data, p1->length)) - return FALSE; -+#endif /* __CI_PRINC__ */ - } - return TRUE; - } diff --git a/krb5-1.6.3-fix-ipv6-query.dif b/krb5-1.6.3-fix-ipv6-query.dif index f31fbdd..4220f2e 100644 --- a/krb5-1.6.3-fix-ipv6-query.dif +++ b/krb5-1.6.3-fix-ipv6-query.dif @@ -1,7 +1,7 @@ -Index: krb5-1.6.3/src/lib/krb5/os/hostaddr.c +Index: trunk/src/lib/krb5/os/hostaddr.c =================================================================== ---- krb5-1.6.3.orig/src/lib/krb5/os/hostaddr.c -+++ krb5-1.6.3/src/lib/krb5/os/hostaddr.c +--- trunk.orig/src/lib/krb5/os/hostaddr.c ++++ trunk/src/lib/krb5/os/hostaddr.c @@ -43,7 +43,7 @@ krb5_os_hostaddr(krb5_context context, c return KRB5_ERR_BAD_HOSTNAME; @@ -11,11 +11,11 @@ Index: krb5-1.6.3/src/lib/krb5/os/hostaddr.c /* We don't care what kind at this point, really, but without this, we can get back multiple sockaddrs per address, for SOCK_DGRAM, SOCK_STREAM, and SOCK_RAW. I haven't checked if -Index: krb5-1.6.3/src/lib/krb5/os/hst_realm.c +Index: trunk/src/lib/krb5/os/hst_realm.c =================================================================== ---- krb5-1.6.3.orig/src/lib/krb5/os/hst_realm.c -+++ krb5-1.6.3/src/lib/krb5/os/hst_realm.c -@@ -167,7 +167,7 @@ krb5int_get_fq_hostname (char *buf, size +--- trunk.orig/src/lib/krb5/os/hst_realm.c ++++ trunk/src/lib/krb5/os/hst_realm.c +@@ -171,7 +171,7 @@ krb5int_get_fq_hostname (char *buf, size int err; memset (&hints, 0, sizeof (hints)); 
@@ -24,10 +24,10 @@ Index: krb5-1.6.3/src/lib/krb5/os/hst_realm.c err = getaddrinfo (name, 0, &hints, &ai); if (err) return krb5int_translate_gai_error (err); -Index: krb5-1.6.3/src/lib/krb5/os/locate_kdc.c +Index: trunk/src/lib/krb5/os/locate_kdc.c =================================================================== ---- krb5-1.6.3.orig/src/lib/krb5/os/locate_kdc.c -+++ krb5-1.6.3/src/lib/krb5/os/locate_kdc.c +--- trunk.orig/src/lib/krb5/os/locate_kdc.c ++++ trunk/src/lib/krb5/os/locate_kdc.c @@ -254,8 +254,9 @@ krb5int_add_host_to_list (struct addrlis memset(&hint, 0, sizeof(hint)); hint.ai_family = family; @@ -37,17 +37,18 @@ Index: krb5-1.6.3/src/lib/krb5/os/locate_kdc.c - hint.ai_flags = AI_NUMERICSERV; + hint.ai_flags |= AI_NUMERICSERV; #endif - sprintf(portbuf, "%d", ntohs(port)); - sprintf(secportbuf, "%d", ntohs(secport)); -Index: krb5-1.6.3/src/lib/krb5/os/sn2princ.c + if (snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port)) >= sizeof(portbuf)) + /* XXX */ +Index: trunk/src/lib/krb5/os/sn2princ.c =================================================================== ---- krb5-1.6.3.orig/src/lib/krb5/os/sn2princ.c -+++ krb5-1.6.3/src/lib/krb5/os/sn2princ.c -@@ -107,6 +107,7 @@ krb5_sname_to_principal(krb5_context con +--- trunk.orig/src/lib/krb5/os/sn2princ.c ++++ trunk/src/lib/krb5/os/sn2princ.c +@@ -107,7 +107,7 @@ krb5_sname_to_principal(krb5_context con memset(&hints, 0, sizeof(hints)); hints.ai_family = AF_INET; -+ hints.ai_flags = AI_ADDRCONFIG; +- hints.ai_flags = AI_CANONNAME; ++ hints.ai_flags = AI_CANONNAME|AI_ADDRCONFIG; try_getaddrinfo_again: err = getaddrinfo(hostname, 0, &hints, &ai); if (err) { diff --git a/krb5-1.6.3-gssapi_improve_errormessages.dif b/krb5-1.6.3-gssapi_improve_errormessages.dif new file mode 100644 index 0000000..c37d29f --- /dev/null +++ b/krb5-1.6.3-gssapi_improve_errormessages.dif 
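Review bot: The sn2princ.c hunk is rebased so that `AI_ADDRCONFIG` is OR-ed onto the `AI_CANONNAME` flag upstream now sets (`hints.ai_flags = AI_CANONNAME|AI_ADDRCONFIG;`) rather than assigning the flags outright, which is the right shape, but the patch still carries no statement of why AI_ADDRCONFIG is wanted in these four files. Unlike krb5-1.6.3-kpasswd_tcp.patch, this file has no leading comment, so a header along the lines of `Set AI_ADDRCONFIG on the getaddrinfo() hints in hostaddr.c, hst_realm.c, locate_kdc.c and sn2princ.c so that lookups skip address families the host has no configured address for; <reason / bug reference here>` would let the next rebase judge whether the change is still needed. The rebased context also shows upstream changed `hint.ai_flags = AI_NUMERICSERV;` to `hint.ai_flags |= AI_NUMERICSERV;` in locate_kdc.c; if the patch relies on that to keep a flag it sets earlier in the function (not visible in this hunk), that dependency belongs in the same header.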
@@ -0,0 +1,13 @@ +Index: trunk/src/lib/gssapi/generic/disp_com_err_status.c +=================================================================== +--- trunk.orig/src/lib/gssapi/generic/disp_com_err_status.c ++++ trunk/src/lib/gssapi/generic/disp_com_err_status.c +@@ -54,7 +54,7 @@ g_display_com_err_status(minor_status, s + status_string->value = NULL; + + if (! g_make_string_buffer(((status_value == 0)?no_error: +- error_message(status_value)), ++ error_message((long)status_value)), + status_string)) { + *minor_status = ENOMEM; + return(GSS_S_FAILURE); diff --git a/krb5-trunk-kpasswd_tcp.patch b/krb5-1.6.3-kpasswd_tcp.patch similarity index 87% rename from krb5-trunk-kpasswd_tcp.patch rename to krb5-1.6.3-kpasswd_tcp.patch index 47c6df8..757b3f6 100644 --- a/krb5-trunk-kpasswd_tcp.patch +++ b/krb5-1.6.3-kpasswd_tcp.patch @@ -3,9 +3,9 @@ to wait for UDP to fail, so this might not be ideal. RT #5868. Index: src/lib/krb5/os/changepw.c =================================================================== ---- src/lib/krb5/os/changepw.c (revision 20199) -+++ src/lib/krb5/os/changepw.c (working copy) -@@ -251,11 +251,22 @@ +--- src/lib/krb5/os/changepw.c.orig ++++ src/lib/krb5/os/changepw.c +@@ -261,11 +261,22 @@ krb5_change_set_password(krb5_context co NULL, NULL ))) { diff --git a/krb5-1.6.3-kprop-use-mkstemp.dif b/krb5-1.6.3-kprop-use-mkstemp.dif new file mode 100644 index 0000000..2277883 --- /dev/null +++ b/krb5-1.6.3-kprop-use-mkstemp.dif 
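Review bot: The added `(long)` in `error_message((long)status_value)` does not change the value passed: if `status_value` is an `OM_uint32`, as the GSS-API signature suggests, the implicit conversion to com_err's `long` parameter zero-extends it exactly as the explicit cast does, so the patch can only be silencing a compiler warning unless a different `error_message` prototype or macro is in scope in this file, which the hunk does not show. If the intent is instead to let 32-bit Kerberos error codes stored in an unsigned minor status match their negative table base on LP64 platforms, that needs sign extension through a signed 32-bit type, e.g. `error_message((long)(int32_t)status_value)`, and depends on whether com_err's lookup already masks the code to 32 bits before matching. The .dif has no header comment (compare krb5-1.6.3-kpasswd_tcp.patch); one sentence stating which warning or misbehaviour it fixes, and on which platform, would tell the next rebase whether it is still needed.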
@@ -0,0 +1,28 @@
+Index: src/slave/kprop.c
+===================================================================
+--- src/slave/kprop.c.orig
++++ src/slave/kprop.c
+@@ -215,6 +215,7 @@ void get_tickets(context)
+ krb5_error_code retval;
+ static char tkstring[] = "/tmp/kproptktXXXXXX";
+ krb5_keytab keytab = NULL;
++ int ret = 0;
+ 
+ /*
+ * Figure out what tickets we'll be using to send stuff
+@@ -240,7 +241,15 @@ void get_tickets(context)
+ /*
+ * Initialize cache file which we're going to be using
+ */
++#ifdef HAVE_MKSTEMP
++ ret = mkstemp(tkstring);
++ if (ret == -1) {
++ com_err(progname, errno, "while initialize cache file");
++ exit(1);
++ } else close(ret);
++#else
+ (void) mktemp(tkstring);
++#endif
+ snprintf(buf, sizeof(buf), "FILE:%s", tkstring);
+ 
+ retval = krb5_cc_resolve(context, buf, &ccache);
diff --git a/krb5-1.6.3-post.dif b/krb5-1.6.3-post.dif
deleted file mode 100644
index da018c7..0000000
--- a/krb5-1.6.3-post.dif
+++ /dev/null
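Review bot: `mkstemp(tkstring)` creates the file but the descriptor is closed on the spot (`} else close(ret);`) and the cache is then opened again by name through `krb5_cc_resolve(context, buf, &ccache)`, so what the patch gains over `mktemp` is that the name is reserved (the file now exists, created 0600 by mkstemp on current libcs) before it is reused; whether the FILE ccache code later unlinks and recreates that path, which would reopen the same window, should be confirmed against the ccache implementation, which is outside this hunk. Because the file is now created here, an `exit(1)` or a failure in a later step leaves an empty `/tmp/kproptkt*` file behind unless a cleanup path not visible here removes it, and the `#else` branch keeps `mktemp`, so builds without HAVE_MKSTEMP keep the old behaviour — both worth a line in the patch header, which currently has none. Two smaller points: the message should read `"while initializing cache file"`, and `} else close(ret);` would be clearer braced as `} else { close(ret); }`. get_tickets's body continues outside the hunk.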
@@ -1,3056 +0,0 @@ -Index: src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c -=================================================================== ---- src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c.orig -+++ src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c -@@ -303,6 +303,11 @@ int main(argc, argv) - krb5_boolean realm_name_required = TRUE; - krb5_boolean print_help_message = FALSE; - -+ /* -+ * Ensure that "progname" is set before calling com_err. -+ */ -+ progname = (strrchr(argv[0], '/') ? strrchr(argv[0], '/')+1 : argv[0]); -+ - retval = krb5_init_context(&util_context); - set_com_err_hook(extended_com_err_fn); - if (retval) { -@@ -311,8 +316,6 @@ int main(argc, argv) - goto cleanup; - } - -- progname = (strrchr(argv[0], '/') ? strrchr(argv[0], '/')+1 : argv[0]); -- - cmd_argv = (char **) malloc(sizeof(char *)*argc); - if (cmd_argv == NULL) { - com_err(progname, ENOMEM, "while creating sub-command arguments"); -@@ -344,7 +347,7 @@ int main(argc, argv) - } - } else if (strcmp(*argv, "-k") == 0 && ARG_VAL) { - if (krb5_string_to_enctype(koptarg, &global_params.enctype)) -- com_err(argv[0], 0, "%s is an invalid enctype", koptarg); -+ com_err(progname, 0, "%s is an invalid enctype", koptarg); - else - global_params.mask |= KADM5_CONFIG_ENCTYPE; - } else if (strcmp(*argv, "-M") == 0 && ARG_VAL) { -@@ -466,7 +469,7 @@ int main(argc, argv) - retval = kadm5_get_config_params(util_context, 1, - &global_params, &global_params); - if (retval) { -- com_err(argv[0], retval, "while retreiving configuration parameters"); -+ com_err(progname, retval, "while retreiving configuration parameters"); - exit_status++; - goto cleanup; - } -@@ -474,7 +477,7 @@ int main(argc, argv) - } - - if ((retval = krb5_ldap_lib_init()) != 0) { -- com_err(argv[0], retval, "while initializing error handling"); -+ com_err(progname, retval, "while initializing error handling"); - exit_status++; - goto cleanup; - } -@@ -482,7 +485,7 @@ int main(argc, argv) - /* Initialize the ldap context */ - 
ldap_context = calloc(sizeof(krb5_ldap_context), 1); - if (ldap_context == NULL) { -- com_err(argv[0], ENOMEM, "while initializing ldap handle"); -+ com_err(progname, ENOMEM, "while initializing ldap handle"); - exit_status++; - goto cleanup; - } -@@ -495,7 +498,7 @@ int main(argc, argv) - if (passwd == NULL) { - passwd = (char *)malloc(MAX_PASSWD_LEN); - if (passwd == NULL) { -- com_err(argv[0], ENOMEM, "while retrieving ldap configuration"); -+ com_err(progname, ENOMEM, "while retrieving ldap configuration"); - exit_status++; - goto cleanup; - } -@@ -503,7 +506,7 @@ int main(argc, argv) - if (prompt == NULL) { - free(passwd); - passwd = NULL; -- com_err(argv[0], ENOMEM, "while retrieving ldap configuration"); -+ com_err(progname, ENOMEM, "while retrieving ldap configuration"); - exit_status++; - goto cleanup; - } -@@ -514,7 +517,7 @@ int main(argc, argv) - db_retval = krb5_read_password(util_context, prompt, NULL, passwd, &passwd_len); - - if ((db_retval) || (passwd_len == 0)) { -- com_err(argv[0], ENOMEM, "while retrieving ldap configuration"); -+ com_err(progname, ENOMEM, "while retrieving ldap configuration"); - free(passwd); - passwd = NULL; - exit_status++; -@@ -530,14 +533,14 @@ int main(argc, argv) - - ldap_context->server_info_list = (krb5_ldap_server_info **) calloc (2, sizeof (krb5_ldap_server_info *)) ; - if (ldap_context->server_info_list == NULL) { -- com_err(argv[0], ENOMEM, "while initializing server list"); -+ com_err(progname, ENOMEM, "while initializing server list"); - exit_status++; - goto cleanup; - } - - ldap_context->server_info_list[0] = (krb5_ldap_server_info *) calloc (1, sizeof (krb5_ldap_server_info)); - if (ldap_context->server_info_list[0] == NULL) { -- com_err(argv[0], ENOMEM, "while initializing server list"); -+ com_err(progname, ENOMEM, "while initializing server list"); - exit_status++; - goto cleanup; - } -@@ -546,7 +549,7 @@ int main(argc, argv) - - ldap_context->server_info_list[0]->server_name = strdup(ldap_server); - if 
(ldap_context->server_info_list[0]->server_name == NULL) { -- com_err(argv[0], ENOMEM, "while initializing server list"); -+ com_err(progname, ENOMEM, "while initializing server list"); - exit_status++; - goto cleanup; - } -@@ -554,7 +557,7 @@ int main(argc, argv) - if (bind_dn) { - ldap_context->bind_dn = strdup(bind_dn); - if (ldap_context->bind_dn == NULL) { -- com_err(argv[0], ENOMEM, "while retrieving ldap configuration"); -+ com_err(progname, ENOMEM, "while retrieving ldap configuration"); - exit_status++; - goto cleanup; - } -@@ -566,7 +569,7 @@ int main(argc, argv) - if (realm_name_required) { - if ((global_params.enctype != ENCTYPE_UNKNOWN) && - (!krb5_c_valid_enctype(global_params.enctype))) { -- com_err(argv[0], KRB5_PROG_KEYTYPE_NOSUPP, -+ com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP, - "while setting up enctype %d", global_params.enctype); - } - } -@@ -583,7 +586,7 @@ int main(argc, argv) - - db_retval = krb5_ldap_read_server_params(util_context, conf_section, KRB5_KDB_SRV_TYPE_OTHER); - if (db_retval) { -- com_err(argv[0], db_retval, "while reading ldap configuration"); -+ com_err(progname, db_retval, "while reading ldap configuration"); - exit_status++; - goto cleanup; - } -Index: src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c -=================================================================== ---- src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c.orig -+++ src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c -@@ -67,7 +67,7 @@ static krb5_error_code init_ldap_realm ( - retval = krb5_ldap_read_krbcontainer_params (util_context, - &(ldap_context->krbcontainer)); - if (retval != 0) { -- com_err(argv[0], retval, "while reading kerberos container information"); -+ com_err(progname, retval, "while reading kerberos container information"); - goto cleanup; - } - } -@@ -95,7 +95,7 @@ kdb5_ldap_create_policy(argc, argv) - int argc; - char *argv[]; - { -- char *me = argv[0]; -+ char *me = progname; - krb5_error_code retval = 0; - krb5_ldap_policy_params 
*policyparams = NULL; - krb5_boolean print_usage = FALSE; -@@ -322,7 +322,7 @@ kdb5_ldap_destroy_policy(argc, argv) - int argc; - char *argv[]; - { -- char *me = argv[0]; -+ char *me = progname; - krb5_error_code retval = 0; - krb5_ldap_policy_params *policyparams = NULL; - krb5_boolean print_usage = FALSE; -@@ -426,7 +426,7 @@ kdb5_ldap_modify_policy(argc, argv) - int argc; - char *argv[]; - { -- char *me = argv[0]; -+ char *me = progname; - krb5_error_code retval = 0; - krb5_ldap_policy_params *policyparams = NULL; - krb5_boolean print_usage = FALSE; -@@ -683,7 +683,7 @@ kdb5_ldap_view_policy(argc, argv) - int argc; - char *argv[]; - { -- char *me = argv[0]; -+ char *me = progname; - krb5_ldap_policy_params *policyparams = NULL; - krb5_error_code retval = 0; - krb5_boolean print_usage = FALSE; -@@ -804,7 +804,7 @@ void kdb5_ldap_list_policies(argc, argv) - int argc; - char *argv[]; - { -- char *me = argv[0]; -+ char *me = progname; - krb5_error_code retval = 0; - krb5_boolean print_usage = FALSE; - char *basedn = NULL; -Index: src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c -=================================================================== ---- src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c.orig -+++ src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c -@@ -152,7 +152,7 @@ static int get_ticket_policy(rparams,i,a - krb5_boolean no_msg = FALSE; - - krb5_boolean print_usage = FALSE; -- char *me = argv[0]; -+ char *me = progname; - - time(&now); - if (!strcmp(argv[*i], "-maxtktlife")) { -@@ -364,7 +364,7 @@ void kdb5_ldap_create(argc, argv) - rparams->subtree = list; - } else if(strncmp(argv[i], "", strlen(argv[i]))==0) { - /* dont allow subtree value to be set at the root(NULL, "") of the tree */ -- com_err(argv[0], EINVAL, -+ com_err(progname, EINVAL, - "for subtree while creating realm '%s'", - global_params.realm); - goto err_nomsg; -@@ -376,7 +376,7 @@ void kdb5_ldap_create(argc, argv) - goto err_usage; - if(strncmp(argv[i], "", strlen(argv[i]))==0) { - /* 
dont allow containerref value to be set at the root(NULL, "") of the tree */ -- com_err(argv[0], EINVAL, -+ com_err(progname, EINVAL, - "for container reference while creating realm '%s'", - global_params.realm); - goto err_nomsg; -@@ -401,7 +401,7 @@ void kdb5_ldap_create(argc, argv) - rparams->search_scope = atoi(argv[i]); - if ((rparams->search_scope != 1) && - (rparams->search_scope != 2)) { -- com_err(argv[0], EINVAL, -+ com_err(progname, EINVAL, - "invalid search scope while creating realm '%s'", - global_params.realm); - goto err_nomsg; -@@ -498,7 +498,7 @@ void kdb5_ldap_create(argc, argv) - retval = krb5_read_password(util_context, KRB5_KDC_MKEY_1, KRB5_KDC_MKEY_2, - pw_str, &pw_size); - if (retval) { -- com_err(argv[0], retval, "while reading master key from keyboard"); -+ com_err(progname, retval, "while reading master key from keyboard"); - goto err_nomsg; - } - mkey_password = pw_str; -@@ -516,7 +516,7 @@ void kdb5_ldap_create(argc, argv) - rparams->realm_name = strdup(global_params.realm); - if (rparams->realm_name == NULL) { - retval = ENOMEM; -- com_err(argv[0], ENOMEM, "while creating realm '%s'", -+ com_err(progname, ENOMEM, "while creating realm '%s'", - global_params.realm); - goto err_nomsg; - } -@@ -588,11 +588,11 @@ void kdb5_ldap_create(argc, argv) - retval = krb5_ldap_read_krbcontainer_params(util_context, - &(ldap_context->krbcontainer)); - if (retval) { -- com_err(argv[0], retval, "while reading kerberos container information"); -+ com_err(progname, retval, "while reading kerberos container information"); - goto cleanup; - } - } else if (retval) { -- com_err(argv[0], retval, "while reading kerberos container information"); -+ com_err(progname, retval, "while reading kerberos container information"); - goto cleanup; - } - -@@ -608,7 +608,7 @@ void kdb5_ldap_create(argc, argv) - global_params.realm, - &(ldap_context->lrparams), - &mask))) { -- com_err(argv[0], retval, "while reading information of realm '%s'", -+ com_err(progname, retval, 
"while reading information of realm '%s'", - global_params.realm); - goto err_nomsg; - } -@@ -623,7 +623,7 @@ void kdb5_ldap_create(argc, argv) - global_params.mkey_name, - global_params.realm, - 0, &master_princ))) { -- com_err(argv[0], retval, "while setting up master key name"); -+ com_err(progname, retval, "while setting up master key name"); - goto err_nomsg; - } - -@@ -635,7 +635,7 @@ void kdb5_ldap_create(argc, argv) - pwd.length = strlen(mkey_password); - retval = krb5_principal2salt(util_context, master_princ, &master_salt); - if (retval) { -- com_err(argv[0], retval, "while calculating master key salt"); -+ com_err(progname, retval, "while calculating master key salt"); - goto err_nomsg; - } - -@@ -646,7 +646,7 @@ void kdb5_ldap_create(argc, argv) - free(master_salt.data); - - if (retval) { -- com_err(argv[0], retval, "while transforming master key from password"); -+ com_err(progname, retval, "while transforming master key from password"); - goto err_nomsg; - } - -@@ -689,28 +689,28 @@ void kdb5_ldap_create(argc, argv) - /* Create 'K/M' ... */ - rblock.flags |= KRB5_KDB_DISALLOW_ALL_TIX; - if ((retval = kdb_ldap_create_principal(util_context, master_princ, MASTER_KEY, &rblock))) { -- com_err(argv[0], retval, "while adding entries to the database"); -+ com_err(progname, retval, "while adding entries to the database"); - goto err_nomsg; - } - - /* Create 'krbtgt' ... */ - rblock.flags = 0; /* reset the flags */ - if ((retval = kdb_ldap_create_principal(util_context, &tgt_princ, TGT_KEY, &rblock))) { -- com_err(argv[0], retval, "while adding entries to the database"); -+ com_err(progname, retval, "while adding entries to the database"); - goto err_nomsg; - } - - /* Create 'kadmin/admin' ... 
*/ - snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_ADMIN_SERVICE, global_params.realm); - if ((retval = krb5_parse_name(util_context, princ_name, &p))) { -- com_err(argv[0], retval, "while adding entries to the database"); -+ com_err(progname, retval, "while adding entries to the database"); - goto err_nomsg; - } - rblock.max_life = ADMIN_LIFETIME; - rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED; - if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) { - krb5_free_principal(util_context, p); -- com_err(argv[0], retval, "while adding entries to the database"); -+ com_err(progname, retval, "while adding entries to the database"); - goto err_nomsg; - } - krb5_free_principal(util_context, p); -@@ -718,7 +718,7 @@ void kdb5_ldap_create(argc, argv) - /* Create 'kadmin/changepw' ... */ - snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_CHANGEPW_SERVICE, global_params.realm); - if ((retval = krb5_parse_name(util_context, princ_name, &p))) { -- com_err(argv[0], retval, "while adding entries to the database"); -+ com_err(progname, retval, "while adding entries to the database"); - goto err_nomsg; - } - rblock.max_life = CHANGEPW_LIFETIME; -@@ -726,7 +726,7 @@ void kdb5_ldap_create(argc, argv) - KRB5_KDB_PWCHANGE_SERVICE; - if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) { - krb5_free_principal(util_context, p); -- com_err(argv[0], retval, "while adding entries to the database"); -+ com_err(progname, retval, "while adding entries to the database"); - goto err_nomsg; - } - krb5_free_principal(util_context, p); -@@ -734,26 +734,26 @@ void kdb5_ldap_create(argc, argv) - /* Create 'kadmin/history' ... 
*/ - snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_HIST_PRINCIPAL, global_params.realm); - if ((retval = krb5_parse_name(util_context, princ_name, &p))) { -- com_err(argv[0], retval, "while adding entries to the database"); -+ com_err(progname, retval, "while adding entries to the database"); - goto err_nomsg; - } - rblock.max_life = global_params.max_life; - rblock.flags = 0; - if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) { - krb5_free_principal(util_context, p); -- com_err(argv[0], retval, "while adding entries to the database"); -+ com_err(progname, retval, "while adding entries to the database"); - goto err_nomsg; - } - krb5_free_principal(util_context, p); - - /* Create 'kadmin/' ... */ - if ((retval=krb5_sname_to_principal(util_context, NULL, "kadmin", KRB5_NT_SRV_HST, &p))) { -- com_err(argv[0], retval, "krb5_sname_to_principal, while adding entries to the database"); -+ com_err(progname, retval, "krb5_sname_to_principal, while adding entries to the database"); - goto err_nomsg; - } - - if ((retval=krb5_copy_principal(util_context, p, &temp_p))) { -- com_err(argv[0], retval, "krb5_copy_principal, while adding entries to the database"); -+ com_err(progname, retval, "krb5_copy_principal, while adding entries to the database"); - goto err_nomsg; - } - -@@ -762,7 +762,7 @@ void kdb5_ldap_create(argc, argv) - temp_p->realm.length = strlen(util_context->default_realm); - temp_p->realm.data = strdup(util_context->default_realm); - if (temp_p->realm.data == NULL) { -- com_err(argv[0], ENOMEM, "while adding entries to the database"); -+ com_err(progname, ENOMEM, "while adding entries to the database"); - goto err_nomsg; - } - -@@ -770,7 +770,7 @@ void kdb5_ldap_create(argc, argv) - rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED; - if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) { - krb5_free_principal(util_context, p); -- com_err(argv[0], retval, "while adding entries to the database"); -+ 
com_err(progname, retval, "while adding entries to the database"); - goto err_nomsg; - } - krb5_free_principal(util_context, temp_p); -@@ -798,7 +798,7 @@ void kdb5_ldap_create(argc, argv) - LDAP_KDC_SERVICE, rparams->kdcservers[i], - rparams->realm_name, rparams->subtree, rightsmask)) != 0) { - printf("failed\n"); -- com_err(argv[0], retval, "while assigning rights to '%s'", -+ com_err(progname, retval, "while assigning rights to '%s'", - rparams->realm_name); - goto err_nomsg; - } -@@ -814,7 +814,7 @@ void kdb5_ldap_create(argc, argv) - LDAP_ADMIN_SERVICE, rparams->adminservers[i], - rparams->realm_name, rparams->subtree, rightsmask)) != 0) { - printf("failed\n"); -- com_err(argv[0], retval, "while assigning rights to '%s'", -+ com_err(progname, retval, "while assigning rights to '%s'", - rparams->realm_name); - goto err_nomsg; - } -@@ -830,7 +830,7 @@ void kdb5_ldap_create(argc, argv) - LDAP_PASSWD_SERVICE, rparams->passwdservers[i], - rparams->realm_name, rparams->subtree, rightsmask)) != 0) { - printf("failed\n"); -- com_err(argv[0], retval, "while assigning rights to '%s'", -+ com_err(progname, retval, "while assigning rights to '%s'", - rparams->realm_name); - goto err_nomsg; - } -@@ -850,7 +850,7 @@ void kdb5_ldap_create(argc, argv) - master_princ, - &master_keyblock, NULL); - if (retval) { -- com_err(argv[0], errno, "while storing key"); -+ com_err(progname, errno, "while storing key"); - printf("Warning: couldn't stash master key.\n"); - } - } -@@ -879,7 +879,7 @@ cleanup: - - if (retval) { - if (!no_msg) { -- com_err(argv[0], retval, "while creating realm '%s'", -+ com_err(progname, retval, "while creating realm '%s'", - global_params.realm); - } - exit_status++; -@@ -932,7 +932,7 @@ void kdb5_ldap_modify(argc, argv) - - if ((retval = krb5_ldap_read_krbcontainer_params(util_context, - &(ldap_context->krbcontainer)))) { -- com_err(argv[0], retval, "while reading Kerberos container information"); -+ com_err(progname, retval, "while reading Kerberos 
container information"); - goto err_nomsg; - } - -@@ -986,7 +986,7 @@ void kdb5_ldap_modify(argc, argv) - rparams->subtree = slist; - } else if(strncmp(argv[i], "", strlen(argv[i]))==0) { - /* dont allow subtree value to be set at the root(NULL, "") of the tree */ -- com_err(argv[0], EINVAL, -+ com_err(progname, EINVAL, - "for subtree while modifying realm '%s'", - global_params.realm); - goto err_nomsg; -@@ -998,7 +998,7 @@ void kdb5_ldap_modify(argc, argv) - goto err_usage; - if(strncmp(argv[i], "", strlen(argv[i]))==0) { - /* dont allow containerref value to be set at the root(NULL, "") of the tree */ -- com_err(argv[0], EINVAL, -+ com_err(progname, EINVAL, - "for container reference while modifying realm '%s'", - global_params.realm); - goto err_nomsg; -@@ -1024,7 +1024,7 @@ void kdb5_ldap_modify(argc, argv) - if ((rparams->search_scope != 1) && - (rparams->search_scope != 2)) { - retval = EINVAL; -- com_err(argv[0], retval, -+ com_err(progname, retval, - "specified for search scope while modifying information of realm '%s'", - global_params.realm); - goto err_nomsg; -@@ -1529,7 +1529,7 @@ void kdb5_ldap_modify(argc, argv) - LDAP_KDC_SERVICE, oldkdcdns[i], - rparams->realm_name, oldsubtrees, rightsmask)) != 0) { - printf("failed\n"); -- com_err(argv[0], retval, "while assigning rights '%s'", -+ com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); - goto err_nomsg; - } -@@ -1546,7 +1546,7 @@ void kdb5_ldap_modify(argc, argv) - LDAP_KDC_SERVICE, newkdcdns[i], rparams->realm_name, - rparams->subtree, rightsmask)) != 0) { - printf("failed\n"); -- com_err(argv[0], retval, "while assigning rights to '%s'", -+ com_err(progname, retval, "while assigning rights to '%s'", - rparams->realm_name); - goto err_nomsg; - } -@@ -1608,7 +1608,7 @@ void kdb5_ldap_modify(argc, argv) - LDAP_ADMIN_SERVICE, oldadmindns[i], - rparams->realm_name, oldsubtrees, rightsmask)) != 0) { - printf("failed\n"); -- com_err(argv[0], retval, "while assigning rights 
'%s'", -+ com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); - goto err_nomsg; - } -@@ -1626,7 +1626,7 @@ void kdb5_ldap_modify(argc, argv) - LDAP_ADMIN_SERVICE, newadmindns[i], - rparams->realm_name, rparams->subtree, rightsmask)) != 0) { - printf("failed\n"); -- com_err(argv[0], retval, "while assigning rights to '%s'", -+ com_err(progname, retval, "while assigning rights to '%s'", - rparams->realm_name); - goto err_nomsg; - } -@@ -1688,7 +1688,7 @@ void kdb5_ldap_modify(argc, argv) - LDAP_PASSWD_SERVICE, oldpwddns[i], - rparams->realm_name, oldsubtrees, rightsmask))) { - printf("failed\n"); -- com_err(argv[0], retval, "while assigning rights '%s'", -+ com_err(progname, retval, "while assigning rights '%s'", - rparams->realm_name); - goto err_nomsg; - } -@@ -1705,7 +1705,7 @@ void kdb5_ldap_modify(argc, argv) - LDAP_PASSWD_SERVICE, newpwddns[i], - rparams->realm_name, rparams->subtree, rightsmask))) { - printf("failed\n"); -- com_err(argv[0], retval, "while assigning rights to '%s'", -+ com_err(progname, retval, "while assigning rights to '%s'", - rparams->realm_name); - goto err_nomsg; - } -@@ -1777,7 +1777,7 @@ cleanup: - - if (retval) { - if (!no_msg) -- com_err(argv[0], retval, "while modifying information of realm '%s'", -+ com_err(progname, retval, "while modifying information of realm '%s'", - global_params.realm); - exit_status++; - } -@@ -1804,7 +1804,7 @@ void kdb5_ldap_view(argc, argv) - ldap_context = (krb5_ldap_context *) dal_handle->db_context; - if (!(ldap_context)) { - retval = EINVAL; -- com_err(argv[0], retval, "while initializing database"); -+ com_err(progname, retval, "while initializing database"); - exit_status++; - return; - } -@@ -1812,14 +1812,14 @@ void kdb5_ldap_view(argc, argv) - /* Read the kerberos container information */ - if ((retval = krb5_ldap_read_krbcontainer_params(util_context, - &(ldap_context->krbcontainer))) != 0) { -- com_err(argv[0], retval, "while reading kerberos container information"); 
-+ com_err(progname, retval, "while reading kerberos container information");
- exit_status++;
- return;
- }
- 
- if ((retval = krb5_ldap_read_realm_params(util_context,
- global_params.realm, &rparams, &mask)) || (!rparams)) {
-- com_err(argv[0], retval, "while reading information of realm '%s'",
-+ com_err(progname, retval, "while reading information of realm '%s'",
- global_params.realm);
- exit_status++;
- return;
-@@ -2009,7 +2009,7 @@ void kdb5_ldap_list(argc, argv)
- /* Read the kerberos container information */
- if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
- &(ldap_context->krbcontainer))) != 0) {
-- com_err(argv[0], retval, "while reading kerberos container information");
-+ com_err(progname, retval, "while reading kerberos container information");
- exit_status++;
- return;
- }
-@@ -2018,7 +2018,7 @@ void kdb5_ldap_list(argc, argv)
- if (retval != 0) {
- krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer);
- ldap_context->krbcontainer = NULL;
-- com_err (argv[0], retval, "while listing realms");
-+ com_err (progname, retval, "while listing realms");
- exit_status++;
- return;
- }
-@@ -2434,7 +2434,7 @@ kdb5_ldap_destroy(argc, argv)
- dal_handle = (kdb5_dal_handle *)util_context->db_context;
- ldap_context = (krb5_ldap_context *) dal_handle->db_context;
- if (!(ldap_context)) {
-- com_err(argv[0], EINVAL, "while initializing database");
-+ com_err(progname, EINVAL, "while initializing database");
- exit_status++;
- return;
- }
-@@ -2442,7 +2442,7 @@ kdb5_ldap_destroy(argc, argv)
- /* Read the kerberos container from the LDAP Server */
- if ((retval = krb5_ldap_read_krbcontainer_params(util_context,
- &(ldap_context->krbcontainer))) != 0) {
-- com_err(argv[0], retval, "while reading kerberos container information");
-+ com_err(progname, retval, "while reading kerberos container information");
- exit_status++;
- return;
- }
-@@ -2450,7 +2450,7 @@ kdb5_ldap_destroy(argc, argv)
- /* Read the Realm information from the LDAP Server
*/
- if ((retval = krb5_ldap_read_realm_params(util_context, global_params.realm,
- &(ldap_context->lrparams), &mask)) != 0) {
-- com_err(argv[0], retval, "while reading realm information");
-+ com_err(progname, retval, "while reading realm information");
- exit_status++;
- return;
- }
-@@ -2472,7 +2472,7 @@ kdb5_ldap_destroy(argc, argv)
- LDAP_KDC_SERVICE, rparams->kdcservers[i],
- rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
- printf("failed\n");
-- com_err(argv[0], retval, "while assigning rights to '%s'",
-+ com_err(progname, retval, "while assigning rights to '%s'",
- rparams->realm_name);
- return;
- }
-@@ -2487,7 +2487,7 @@ kdb5_ldap_destroy(argc, argv)
- LDAP_ADMIN_SERVICE, rparams->adminservers[i],
- rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
- printf("failed\n");
-- com_err(argv[0], retval, "while assigning rights to '%s'",
-+ com_err(progname, retval, "while assigning rights to '%s'",
- rparams->realm_name);
- return;
- }
-@@ -2502,7 +2502,7 @@ kdb5_ldap_destroy(argc, argv)
- LDAP_PASSWD_SERVICE, rparams->passwdservers[i],
- rparams->realm_name, rparams->subtree, rightsmask)) != 0) {
- printf("failed\n");
-- com_err(argv[0], retval, "while assigning rights to '%s'",
-+ com_err(progname, retval, "while assigning rights to '%s'",
- rparams->realm_name);
- return;
- }
-@@ -2514,7 +2514,7 @@ kdb5_ldap_destroy(argc, argv)
- /* Delete the realm container and all the associated principals */
- retval = krb5_ldap_delete_realm(util_context, global_params.realm);
- if (retval) {
-- com_err(argv[0], retval, "deleting database of '%s'", global_params.realm);
-+ com_err(progname, retval, "deleting database of '%s'", global_params.realm);
- exit_status++;
- return;
- }
-Index: src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h
-===================================================================
---- src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h.orig
-+++ src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h
-@@ -58,6 +58,8 @@
- #define
DESTROY_POLICY 14
- #define LIST_POLICY 15
- 
-+extern char *progname;
-+
- extern int exit_status;
- extern krb5_context util_context;
- 
-Index: src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
-===================================================================
---- src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c.orig
-+++ src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c
-@@ -198,7 +198,7 @@ void kdb5_ldap_create_service(argc, argv
- int argc;
- char *argv[];
- {
-- char *me = argv[0];
-+ char *me = progname;
- krb5_error_code retval = 0;
- krb5_ldap_service_params *srvparams = NULL;
- krb5_boolean print_usage = FALSE;
-@@ -496,7 +496,7 @@ void kdb5_ldap_modify_service(argc, argv
- int argc;
- char *argv[];
- {
-- char *me = argv[0];
-+ char *me = progname;
- krb5_error_code retval = 0;
- krb5_ldap_service_params *srvparams = NULL;
- krb5_boolean print_usage = FALSE;
-@@ -569,7 +569,7 @@ void kdb5_ldap_modify_service(argc, argv
- 
- retval = krb5_ldap_read_service(util_context, servicedn, &srvparams, &in_mask);
- if (retval) {
-- com_err(argv[0], retval, "while reading information of service '%s'",
-+ com_err(me, retval, "while reading information of service '%s'",
- servicedn);
- goto err_nomsg;
- }
-@@ -1061,7 +1061,7 @@ rem_service_entry_from_file(argc, argv,
- char *service_object;
- {
- int st = EINVAL;
-- char *me = argv[0];
-+ char *me = progname;
- char *tmp_file = NULL;
- int tmpfd = -1;
- FILE *pfile = NULL;
-@@ -1175,7 +1175,7 @@ kdb5_ldap_destroy_service(argc, argv)
- if (argv[i+1]) {
- stashfilename=strdup(argv[i+1]);
- if (stashfilename == NULL) {
-- com_err(argv[0], ENOMEM, "while destroying service");
-+ com_err(progname, ENOMEM, "while destroying service");
- exit_status++;
- goto cleanup;
- }
-@@ -1188,7 +1188,7 @@ kdb5_ldap_destroy_service(argc, argv)
- if ((argv[i]) && (servicedn == NULL)) {
- servicedn=strdup(argv[i]);
- if (servicedn == NULL) {
-- com_err(argv[0], ENOMEM, "while destroying service");
-+ com_err(progname, ENOMEM,
"while destroying service");
- exit_status++;
- goto cleanup;
- }
-@@ -1219,7 +1219,7 @@ kdb5_ldap_destroy_service(argc, argv)
- 
- if ((retval = krb5_ldap_read_service(util_context, servicedn,
- &lserparams, &mask))) {
-- com_err(argv[0], retval, "while destroying service '%s'",servicedn);
-+ com_err(progname, retval, "while destroying service '%s'",servicedn);
- exit_status++;
- goto cleanup;
- }
-@@ -1227,7 +1227,7 @@ kdb5_ldap_destroy_service(argc, argv)
- retval = krb5_ldap_delete_service(util_context, lserparams, servicedn);
- 
- if (retval) {
-- com_err(argv[0], retval, "while destroying service '%s'", servicedn);
-+ com_err(progname, retval, "while destroying service '%s'", servicedn);
- exit_status++;
- goto cleanup;
- }
-@@ -1235,7 +1235,7 @@ kdb5_ldap_destroy_service(argc, argv)
- if (stashfilename == NULL) {
- stashfilename = strdup(DEF_SERVICE_PASSWD_FILE);
- if (stashfilename == NULL) {
-- com_err(argv[0], ENOMEM, "while destroying service");
-+ com_err(progname, ENOMEM, "while destroying service");
- exit_status++;
- goto cleanup;
- }
-@@ -1295,13 +1295,13 @@ void kdb5_ldap_view_service(argc, argv)
- 
- servicedn=strdup(argv[1]);
- if (servicedn == NULL) {
-- com_err(argv[0], ENOMEM, "while viewing service");
-+ com_err(progname, ENOMEM, "while viewing service");
- exit_status++;
- goto cleanup;
- }
- 
- if ((retval = krb5_ldap_read_service(util_context, servicedn, &lserparams, &mask))) {
-- com_err(argv[0], retval, "while viewing service '%s'",servicedn);
-+ com_err(progname, retval, "while viewing service '%s'",servicedn);
- exit_status++;
- goto cleanup;
- }
-@@ -1338,7 +1338,7 @@ void kdb5_ldap_list_services(argc, argv)
- int argc;
- char *argv[];
- {
-- char *me = argv[0];
-+ char *me = progname;
- krb5_error_code retval = 0;
- char *basedn = NULL;
- char **list = NULL;
-@@ -1519,7 +1519,7 @@ kdb5_ldap_set_service_password(argc, arg
- krb5_ldap_context *lparams = NULL;
- char *file_name = NULL;
- char *tmp_file = NULL;
-- char *me = argv[0];
-+ char
*me = progname;
- int filelen = 0;
- int random_passwd = 0;
- int set_dir_pwd = 1;
-@@ -1902,7 +1902,7 @@ kdb5_ldap_stash_service_password(argc, a
- {
- int ret = 0;
- unsigned int passwd_len = 0;
-- char *me = argv[0];
-+ char *me = progname;
- char *service_object = NULL;
- char *file_name = NULL, *tmp_file = NULL;
- char passwd[MAX_SERVICE_PASSWD_LEN];
-Index: src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M
-===================================================================
---- src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M.orig
-+++ src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M
-@@ -73,7 +73,7 @@ set. This means all the ticket options w
- The various flags are:
- .TP
- {\fB\-\fP|\fB+\fP}\fBallow_postdated\fP
--.B -allow_postdated
-+.B \-allow_postdated
- prohibits principals from obtaining postdated tickets. (Sets the
- .SM KRB5_KDB_DISALLOW_POSTDATED
- flag.)
-@@ -81,7 +81,7 @@ flag.)
- clears this flag.
- .TP
- {\fB\-\fP|\fB+\fP}\fBallow_forwardable\fP
--.B -allow_forwardable
-+.B \-allow_forwardable
- prohibits principals from obtaining forwardable tickets. (Sets the
- .SM KRB5_KDB_DISALLOW_FORWARDABLE
- flag.)
-@@ -89,7 +89,7 @@ flag.)
- clears this flag.
- .TP
- {\fB\-\fP|\fB+\fP}\fBallow_renewable\fP
--.B -allow_renewable
-+.B \-allow_renewable
- prohibits principals from obtaining renewable tickets. (Sets the
- .SM KRB5_KDB_DISALLOW_RENEWABLE
- flag.)
-@@ -97,7 +97,7 @@ flag.)
- clears this flag.
- .TP
- {\fB\-\fP|\fB+\fP}\fBallow_proxiable\fP
--.B -allow_proxiable
-+.B \-allow_proxiable
- prohibits principals from obtaining proxiable tickets. (Sets the
- .SM KRB5_KDB_DISALLOW_PROXIABLE
- flag.)
-@@ -105,7 +105,7 @@ flag.)
- clears this flag.
- .TP
- {\fB\-\fP|\fB+\fP}\fBallow_dup_skey\fP
--.B -allow_dup_skey
-+.B \-allow_dup_skey
- Disables user-to-user authentication for principals by prohibiting
- principals from obtaining a session key for another user.
(Sets the
- .SM KRB5_KDB_DISALLOW_DUP_SKEY
-@@ -119,7 +119,7 @@ requires principals to preauthenticate b
- kinit. (Sets the
- .SM KRB5_KDB_REQUIRES_PRE_AUTH
- flag.)
--.B -requires_preauth
-+.B \-requires_preauth
- clears this flag.
- .TP
- {\fB\-\fP|\fB+\fP}\fBrequires_hwauth\fP
-@@ -128,11 +128,11 @@ requires principals to preauthenticate u
- before being allowed to kinit. (Sets the
- .SM KRB5_KDB_REQUIRES_HW_AUTH
- flag.)
--.B -requires_hwauth
-+.B \-requires_hwauth
- clears this flag.
- .TP
- {\fB\-\fP|\fB+\fP}\fBallow_svr\fP
--.B -allow_svr
-+.B \-allow_svr
- prohibits the issuance of service tickets for principals. (Sets the
- .SM KRB5_KDB_DISALLOW_SVR
- flag.)
-@@ -208,9 +208,9 @@ Specifies the list of Administration ser
- of the Administration service objects separated by colon(:).
- .TP
- EXAMPLE:
--\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
--create -subtrees o=org -sscope SUB
---r ATHENA.MIT.EDU\fP
-+\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu
-+create \-subtrees o=org \-sscope SUB
-+\-r ATHENA.MIT.EDU\fP
- .nf
- Password for "cn=admin,o=org":
- Initializing database for realm 'ATHENA.MIT.EDU'
-@@ -255,7 +255,7 @@ and no restriction will be set.
- The various flags are:
- .TP
- {\fB\-\fP|\fB+\fP}\fBallow_postdated\fP
--.B -allow_postdated
-+.B \-allow_postdated
- prohibits principals from obtaining postdated tickets. (Sets the
- .SM KRB5_KDB_DISALLOW_POSTDATED
- flag.)
-@@ -263,7 +263,7 @@ flag.)
- clears this flag.
- .TP
- {\fB\-\fP|\fB+\fP}\fBallow_forwardable\fP
--.B -allow_forwardable
-+.B \-allow_forwardable
- prohibits principals from obtaining forwardable tickets. (Sets the
- .SM KRB5_KDB_DISALLOW_FORWARDABLE
- flag.)
-@@ -271,7 +271,7 @@ flag.)
- clears this flag.
- .TP
- {\fB\-\fP|\fB+\fP}\fBallow_renewable\fP
--.B -allow_renewable
-+.B \-allow_renewable
- prohibits principals from obtaining renewable tickets. (Sets the
- .SM KRB5_KDB_DISALLOW_RENEWABLE
- flag.)
-@@ -279,7 +279,7 @@ flag.)
- clears this flag.
- .TP
- {\fB\-\fP|\fB+\fP}\fBallow_proxiable\fP
--.B -allow_proxiable
-+.B \-allow_proxiable
- prohibits principals from obtaining proxiable tickets. (Sets the
- .SM KRB5_KDB_DISALLOW_PROXIABLE
- flag.)
-@@ -287,7 +287,7 @@ flag.)
- clears this flag.
- .TP
- {\fB\-\fP|\fB+\fP}\fBallow_dup_skey\fP
--.B -allow_dup_skey
-+.B \-allow_dup_skey
- Disables user-to-user authentication for principals by prohibiting
- principals from obtaining a session key for another user. (Sets the
- .SM KRB5_KDB_DISALLOW_DUP_SKEY
-@@ -301,7 +301,7 @@ requires principals to preauthenticate b
- kinit. (Sets the
- .SM KRB5_KDB_REQUIRES_PRE_AUTH
- flag.)
--.B -requires_preauth
-+.B \-requires_preauth
- clears this flag.
- .TP
- {\fB\-\fP|\fB+\fP}\fBrequires_hwauth\fP
-@@ -310,11 +310,11 @@ requires principals to preauthenticate u
- before being allowed to kinit. (Sets the
- .SM KRB5_KDB_REQUIRES_HW_AUTH
- flag.)
--.B -requires_hwauth
-+.B \-requires_hwauth
- clears this flag.
- .TP
- {\fB\-\fP|\fB+\fP}\fBallow_svr\fP
--.B -allow_svr
-+.B \-allow_svr
- prohibits the issuance of service tickets for principals. (Sets the
- .SM KRB5_KDB_DISALLOW_SVR
- flag.)
-@@ -406,8 +406,8 @@ Specifies the list of Administration ser
- contains the DNs of the Administration service objects separated by a colon (:).
- .TP
- EXAMPLE:
--\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu modify
--+requires_preauth -r ATHENA.MIT.EDU \fP
-+\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu modify
-++requires_preauth \-r ATHENA.MIT.EDU \fP
- .nf
- Password for "cn=admin,o=org":
- .fi
-@@ -423,8 +423,8 @@ Specifies the Kerberos realm of the data
- is used.
- .TP
- EXAMPLE:
--\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view
---r ATHENA.MIT.EDU\fP
-+\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu view
-+\-r ATHENA.MIT.EDU\fP
- .nf
- Password for "cn=admin,o=org":
- Realm Name: ATHENA.MIT.EDU
-@@ -450,8 +450,8 @@ Specifies the Kerberos realm of the data
- is used.
- .TP
- EXAMPLE:
--\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy
---r ATHENA.MIT.EDU\fP
-+\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu destroy
-+\-r ATHENA.MIT.EDU\fP
- .nf
- Password for "cn=admin,o=org":
- Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
-@@ -467,7 +467,7 @@ Lists the name of realms.
- .nf
- .TP
- EXAMPLE:
--\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list\fP
-+\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu list\fP
- Password for "cn=admin,o=org":
- ATHENA.MIT.EDU
- OPENLDAP.MIT.EDU
-@@ -487,7 +487,7 @@ Specifies the complete path of the servi
- Specifies Distinguished name (DN) of the service object whose password is to be stored in file.
- .TP
- EXAMPLE:
--\fBkdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org\fP
-+\fBkdb5_ldap_util stashsrvpw \-f /home/andrew/conf_keyfile cn=service-kdc,o=org\fP
- .nf
- Password for "cn=service-kdc,o=org":
- Re-enter password for "cn=service-kdc,o=org":
-@@ -517,7 +517,7 @@ set. This means all the ticket options w
- The various flags are:
- .TP
- {\fB\-\fP|\fB+\fP}\fBallow_postdated\fP
--.B -allow_postdated
-+.B \-allow_postdated
- prohibits principals from obtaining postdated tickets. (Sets the
- .SM KRB5_KDB_DISALLOW_POSTDATED
- flag.)
-@@ -525,7 +525,7 @@ flag.)
- clears this flag.
- .TP
- {\fB\-\fP|\fB+\fP}\fBallow_forwardable\fP
--.B -allow_forwardable
-+.B \-allow_forwardable
- prohibits principals from obtaining forwardable tickets. (Sets the
- .SM KRB5_KDB_DISALLOW_FORWARDABLE
- flag.)
-@@ -533,7 +533,7 @@ flag.)
- clears this flag.
- .TP
- {\fB\-\fP|\fB+\fP}\fBallow_renewable\fP
--.B -allow_renewable
-+.B \-allow_renewable
- prohibits principals from obtaining renewable tickets. (Sets the
- .SM KRB5_KDB_DISALLOW_RENEWABLE
- flag.)
-@@ -541,7 +541,7 @@ flag.)
- clears this flag.
- .TP
- {\fB\-\fP|\fB+\fP}\fBallow_proxiable\fP
--.B -allow_proxiable
-+.B \-allow_proxiable
- prohibits principals from obtaining proxiable tickets. (Sets the
- .SM KRB5_KDB_DISALLOW_PROXIABLE
- flag.)
-@@ -549,7 +549,7 @@ flag.)
- clears this flag.
- .TP
- {\fB\-\fP|\fB+\fP}\fBallow_dup_skey\fP
--.B -allow_dup_skey
-+.B \-allow_dup_skey
- Disables user-to-user authentication for principals by prohibiting
- principals from obtaining a session key for another user. (Sets the
- .SM KRB5_KDB_DISALLOW_DUP_SKEY
-@@ -563,7 +563,7 @@ requires principals to preauthenticate b
- kinit. (Sets the
- .SM KRB5_KDB_REQUIRES_PRE_AUTH
- flag.)
--.B -requires_preauth
-+.B \-requires_preauth
- clears this flag.
- .TP
- {\fB\-\fP|\fB+\fP}\fBrequires_hwauth\fP
-@@ -572,11 +572,11 @@ requires principals to preauthenticate u
- before being allowed to kinit. (Sets the
- .SM KRB5_KDB_REQUIRES_HW_AUTH
- flag.)
--.B -requires_hwauth
-+.B \-requires_hwauth
- clears this flag.
- .TP
- {\fB\-\fP|\fB+\fP}\fBallow_svr\fP
--.B -allow_svr
-+.B \-allow_svr
- prohibits the issuance of service tickets for principals. (Sets the
- .SM KRB5_KDB_DISALLOW_SVR
- flag.)
-@@ -639,7 +639,7 @@ flag on principals in the database.
- Specifies the name of the ticket policy.
- .TP
- EXAMPLE:
--\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create_policy -r ATHENA.MIT.EDU -maxtktlife "1 day" -maxrenewlife "1 week" -allow_postdated +needchange -allow_forwardable tktpolicy\fP
-+\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu create_policy \-r ATHENA.MIT.EDU \-maxtktlife "1 day" \-maxrenewlife "1 week" \-allow_postdated +needchange \-allow_forwardable tktpolicy\fP
- .nf
- Password for "cn=admin,o=org":
- .fi
-@@ -657,7 +657,7 @@ returned by
- is used.
- .TP
- EXAMPLE:
--\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU -maxtktlife "60 minutes" -maxrenewlife "10 hours" +allow_postdated -requires_preauth tktpolicy\fP
-+\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu modify_policy \-r ATHENA.MIT.EDU \-maxtktlife "60 minutes" \-maxrenewlife "10 hours" +allow_postdated \-requires_preauth tktpolicy\fP
- .nf
- Password for "cn=admin,o=org":
- .fi
-@@ -671,7 +671,7 @@ Displays the attributes of a ticket poli
- Specifies the name of the ticket policy.
- .TP
- EXAMPLE:
--\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view_policy -r ATHENA.MIT.EDU tktpolicy\fP
-+\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu view_policy \-r ATHENA.MIT.EDU tktpolicy\fP
- .nf
- Password for "cn=admin,o=org":
- Ticket policy: tktpolicy
-@@ -700,7 +700,7 @@ to confirm the deletion.
- Specifies the name of the ticket policy.
- .TP
- EXAMPLE:
--\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy_policy -r ATHENA.MIT.EDU tktpolicy\fP
-+\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu destroy_policy \-r ATHENA.MIT.EDU tktpolicy\fP
- .nf
- Password for "cn=admin,o=org":
- This will delete the policy object 'tktpolicy', are you sure?
-@@ -720,7 +720,7 @@ returned by
- is used.
- .TP
- EXAMPLE:
--\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list_policy -r ATHENA.MIT.EDU\fP
-+\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu list_policy \-r ATHENA.MIT.EDU\fP
- .nf
- Password for "cn=admin,o=org":
- tktpolicy
-@@ -735,22 +735,22 @@ userpolicy
- \fBsetsrvpw\fP [\fB\-randpw\fP|\fB\-fileonly\fP] [\fB\-f\fP\ \fIfilename\fP] \fIservice_dn\fP
- Allows an administrator to set password for service objects such as KDC and Administration server in
- eDirectory and store them in a file. The
--.I -fileonly
-+.I \-fileonly
- option stores the password in a file and not in the eDirectory object. Options:
- .RS
- .TP
- \fB\-randpw \fP
- Generates and sets a random password. This options can be specified to store the password both in eDirectory and a file. The
--.I -fileonly
-+.I \-fileonly
- option can not be used if
--.I -randpw
-+.I \-randpw
- option is already specified.
- .TP
- \fB\-fileonly\fP
- Stores the password only in a file and not in eDirectory. The
--.I -randpw
-+.I \-randpw
- option can not be used when
--.I -fileonly
-+.I \-fileonly
- options is specified.
- .TP
- \fB\-f\fP\ \fIfilename\fP
-@@ -760,7 +760,7 @@ Specifies complete path of the service p
- Specifies Distinguished name (DN) of the service object whose password is to be set.
- .TP
- EXAMPLE:
--\fBkdb5_ldap_util setsrvpw -D cn=admin,o=org setsrvpw -fileonly -f /home/andrew/conf_keyfile
-+\fBkdb5_ldap_util setsrvpw \-D cn=admin,o=org setsrvpw \-fileonly \-f /home/andrew/conf_keyfile
- cn=service-kdc,o=org\fP
- .nf
- Password for "cn=admin,o=org":
-@@ -792,16 +792,16 @@ separated by a colon (:).
- .TP
- \fB\-randpw \fP
- Generates and sets a random password. This option is used to set the random password for the service object in directory and also to store it in the file. The
--.I -fileonly
-+.I \-fileonly
- option can not be used if
--.I -randpw
-+.I \-randpw
- option is specified.
- .TP
- \fB\-fileonly\fP
- Stores the password only in a file and not in eDirectory. The
--.I -randpw
-+.I \-randpw
- option can not be used when
--.I -fileonly
-+.I \-fileonly
- option is specified.
- .TP
- \fB\-f\fP\ \fIfilename\fP
-@@ -811,7 +811,7 @@ Specifies the complete path of the file
- Specifies Distinguished name (DN) of the Kerberos service to be created.
- .TP
- EXAMPLE:
--\fBkdb5_ldap_util -D cn=admin,o=org create_service -kdc -randpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org\fP
-+\fBkdb5_ldap_util \-D cn=admin,o=org create_service \-kdc \-randpw \-f /home/andrew/conf_keyfile cn=service-kdc,o=org\fP
- .nf
- Password for "cn=admin,o=org":
- File does not exist. Creating the file /home/andrew/conf_keyfile...
-@@ -855,7 +855,7 @@ realms separated by a colon (:).
- Specifies Distinguished name (DN) of the Kerberos service to be modified.
- .TP
- EXAMPLE:
--\fBkdb5_ldap_util -D cn=admin,o=org modify_service -realm ATHENA.MIT.EDU
-+\fBkdb5_ldap_util \-D cn=admin,o=org modify_service \-realm ATHENA.MIT.EDU
- cn=service-kdc,o=org\fP
- .nf
- Password for "cn=admin,o=org":
-@@ -871,7 +871,7 @@ Displays the attributes of a service. O
- Specifies Distinguished name (DN) of the Kerberos service to be viewed.
- .TP
- EXAMPLE:
--\fBkdb5_ldap_util -D cn=admin,o=org view_service cn=service-kdc,o=org\fP
-+\fBkdb5_ldap_util \-D cn=admin,o=org view_service cn=service-kdc,o=org\fP
- .nf
- Password for "cn=admin,o=org":
- Service dn: cn=service-kdc,o=org
-@@ -897,7 +897,7 @@ needs to be removed.
- Specifies Distinguished name (DN) of the Kerberos service to be destroyed.
- .TP
- EXAMPLE:
--\fBkdb5_ldap_util -D cn=admin,o=org destroy_service cn=service-kdc,o=org\fP
-+\fBkdb5_ldap_util \-D cn=admin,o=org destroy_service cn=service-kdc,o=org\fP
- .nf
- Password for "cn=admin,o=org":
- This will delete the service object 'cn=service-kdc,o=org', are you sure?
-@@ -922,7 +922,7 @@ for the base DN is
- .B Root.
- .TP
- EXAMPLE:
--\fBkdb5_ldap_util -D cn=admin,o=org list_service\fP
-+\fBkdb5_ldap_util \-D cn=admin,o=org list_service\fP
- .nf
- Password for "cn=admin,o=org":
- cn=service-kdc,o=org
-Index: src/plugins/kdb/db2/libdb2/test/run.test
-===================================================================
---- src/plugins/kdb/db2/libdb2/test/run.test.orig
-+++ src/plugins/kdb/db2/libdb2/test/run.test
-@@ -34,7 +34,7 @@ main()
- bindir=/bin/.
- 
- if [ $# -eq 0 ]; then
-- for t in 1 2 3 4 5 6 7 8 9 10 11 12 13 20; do
-+ for t in 1 2 3 4 5 6 7 8 9 10 11 12 13 20 40 41; do
- test$t
- done
- else
-@@ -45,7 +45,7 @@ main()
- [0-9]*)
- test$1;;
- btree)
-- for t in 1 2 3 7 8 9 10 12 13; do
-+ for t in 1 2 3 7 8 9 10 12 13 40 41; do
- test$t
- done;;
- hash)
-@@ -743,4 +743,162 @@ bsize=$bsize ffactor=$ffactor nelem=2500
- done
- }
- 
-+# Test for a weird page split condition where an insertion into index
-+# 0 of a page that would cause the new item to be the only item on the
-+# left page results in index 0 of the right page being erroneously
-+# skipped; this only happens with one particular key+data length for
-+# each page size.
-+test40 () {
-+ echo "Test 40: btree: page split on index 0"
-+ e=:
-+ for psize in 512 1024 2048 4096 8192; do
-+ echo " page size $psize"
-+ kdsizes=`awk 'BEGIN {
-+ psize = '$psize'; hsize = int(psize/2);
-+ for (kdsize = hsize-40; kdsize <= hsize; kdsize++) {
-+ print kdsize;
-+ }
-+ }' /dev/null`
-+
-+ # Use a series of keylen+datalen values in the right
-+ # neighborhood to find the one that triggers the bug.
-+ # We could compute the exact size that triggers the
-+ # bug but this additional fuzz may be useful.
-+
-+ # Insert keys in reverse order to maximize the chances
-+ # for a split on index 0.
-+
-+ for kdsize in $kdsizes; do
-+ awk 'BEGIN {
-+ kdsize = '$kdsize';
-+ for (i = 8; i-- > 0; ) {
-+ s = sprintf("a%03d:%09d", i, kdsize);
-+ for (j = 0; j < kdsize-20; j++) {
-+ s = s "x";
-+ }
-+ printf("p\nka%03d\nd%s\n", i, s);
-+ }
-+ print "o";
-+ }' /dev/null > $TMP2
-+ sed -n 's/^d//p' $TMP2 | sort > $TMP1
-+ $PROG -o $TMP3 -i psize=$psize btree $TMP2
-+ if (cmp -s $TMP1 $TMP3); then :
-+ else
-+ echo "test40: btree: page size $psize, \
-+keylen+datalen=$kdsize failed"
-+ e='exit 1'
-+ fi
-+ done
-+ done
-+ $e
-+}
-+
-+# Extremely tricky test attempting to replicate some unusual database
-+# corruption seen in the field: pieces of the database becoming
-+# inaccessible to random access, sequential access, or both. The
-+# hypothesis is that at least some of these are triggered by the bug
-+# in page splits on index 0 with a particular exact keylen+datalen.
-+# (See Test 40.) For psize=4096, this size is exactly 2024.
-+
-+# The order of operations here relies on very specific knowledge of
-+# the internals of the btree access method in order to place records
-+# at specific offsets in a page and to create certain keys on internal
-+# pages.
The to-be-split page immediately prior to the bug-triggering
-+# split has the following properties:
-+#
-+# * is not the leftmost leaf page
-+# * key on the parent page is compares less than the key of the item
-+# on index 0
-+# * triggering record's key also compares greater than the key on the
-+# parent page
-+
-+# Additionally, we prime the mpool LRU chain so that the head page on
-+# the chain has the following properties:
-+#
-+# * record at index 0 is located where it will not get overwritten by
-+# items written to the right-hand page during the split
-+# * key of the record at index 0 compares less than the key of the
-+# bug-triggering record
-+
-+# If the page-split bug exists, this test appears to create a database
-+# where some records are inaccessible to a search, but still remain in
-+# the file and are accessible by sequential traversal. At least one
-+# record gets duplicated out of sequence.
-+
-+test41 () {
-+ echo "Test 41: btree: no unsearchables due to page split on index 0"
-+ # list of individual retrievals in a variable for easy reuse
-+ list=`(for i in a b c d; do
-+ for j in 990 998 999; do
-+ echo g ${i}${j} 1024
-+ done
-+ done;
-+ echo g y997 2014
-+ for i in y z; do
-+ for j in 998 999; do
-+ echo g ${i}${j} 1024
-+ done
-+ done)`
-+ # Exact number for trigger condition accounts for newlines
-+ # retained by dbtest with -ofile but not without; we use
-+ # -ofile, so count newlines. keylen=5,datalen=5+2014 for
-+ # psize=4096 here.
-+ (cat - < $TMP2
-+ (echo "$list"; echo "$list") | awk '{
-+ s = $2;
-+ for (i = 0; i < $3; i++) {
-+ s = s "x";
-+ }
-+ print s;
-+ }' > $TMP1
-+ $PROG -o $TMP3 -i psize=4096 btree $TMP2
-+ if (cmp -s $TMP1 $TMP3); then :
-+ else
-+ echo "test41: btree: failed"
-+ exit 1
-+ fi
-+}
-+
- main $*
-Index: src/plugins/kdb/db2/libdb2/mpool/mpool.c
-===================================================================
---- src/plugins/kdb/db2/libdb2/mpool/mpool.c.orig
-+++ src/plugins/kdb/db2/libdb2/mpool/mpool.c
-@@ -377,7 +377,7 @@ mpool_bkt(mp)
- head = &mp->hqh[HASHKEY(bp->pgno)];
- CIRCLEQ_REMOVE(head, bp, hq);
- CIRCLEQ_REMOVE(&mp->lqh, bp, q);
--#ifdef DEBUG
-+#if defined(DEBUG) && !defined(DEBUG_IDX0SPLIT)
- { void *spage;
- spage = bp->page;
- memset(bp, 0xff, sizeof(BKT) + mp->pagesize);
-Index: src/plugins/kdb/db2/libdb2/btree/bt_debug.c
-===================================================================
---- src/plugins/kdb/db2/libdb2/btree/bt_debug.c.orig
-+++ src/plugins/kdb/db2/libdb2/btree/bt_debug.c
-@@ -257,7 +257,8 @@ __bt_dpage(dbp, h)
- *(db_pgno_t *)bl->bytes,
- *(u_int32_t *)(bl->bytes + sizeof(db_pgno_t)));
- else if (bl->ksize)
-- (void)fprintf(tracefp, "%s/", bl->bytes);
-+ (void)fprintf(tracefp, "%.*s/",
-+ (int)bl->ksize, bl->bytes);
- if (bl->flags & P_BIGDATA)
- (void)fprintf(tracefp,
- "big data page %lu size %u",
-Index: src/plugins/kdb/db2/libdb2/btree/bt_split.c
-===================================================================
---- src/plugins/kdb/db2/libdb2/btree/bt_split.c.orig
-+++ src/plugins/kdb/db2/libdb2/btree/bt_split.c
-@@ -727,7 +727,7 @@ bt_psplit(t, h, l, r, pskip, ilen)
- * the right page.
- */
- if (skip <= off) {
-- skip = 0;
-+ skip = (indx_t)-1;
- rval = l;
- } else {
- rval = r;
-@@ -737,7 +737,7 @@ bt_psplit(t, h, l, r, pskip, ilen)
- for (off = 0; nxt < top; ++off) {
- if (skip == nxt) {
- ++off;
-- skip = 0;
-+ skip = (indx_t)-1;
- }
- switch (h->flags & P_TYPE) {
- case P_BINTERNAL:
-Index: src/plugins/preauth/pkinit/configure.in
-===================================================================
---- src/plugins/preauth/pkinit/configure.in.orig
-+++ src/plugins/preauth/pkinit/configure.in
-@@ -6,8 +6,6 @@ AC_CHECK_HEADERS(unistd.h)
- AC_TYPE_MODE_T
- AC_TYPE_OFF_T
- 
--AC_CHECK_FUNCS()
--
- # XXX This is incorrect, but should cause -lcrypto to be included by default
- AC_CHECK_LIB(crypto, PKCS7_get_signer_info)
- 
-Index: src/appl/gssftp/ftp/ftp.M
-===================================================================
---- src/appl/gssftp/ftp/ftp.M.orig
-+++ src/appl/gssftp/ftp/ftp.M
-@@ -537,7 +537,7 @@ $1.$2 and the remote file name "mydata.d
- "mydata", and $2 would have the value "data". The
- .I outpattern
- determines the resulting mapped filename. The sequences `$1', `$2',
--...., `$9' are replaced by any value resulting from the
-+\&..., `$9' are replaced by any value resulting from the
- .I inpattern
- template. The sequence `$0' is replace by the original filename.
- Additionally, the sequence `[\fIseq1\fP, \fIseq2\fP]' is replaced by
-Index: src/appl/bsd/v4rcp.M
-===================================================================
---- src/appl/bsd/v4rcp.M.orig
-+++ src/appl/bsd/v4rcp.M
-@@ -1,5 +1,5 @@
- .\" appl/bsd/v4rcp.M
--.TH RCP 1 \*h
-+.TH V4RCP 1
- .SH NAME
- v4rcp \- back end for Kerberos V4 rcp
- .SH SYNOPSIS
-Index: src/appl/telnet/telnet/telnet.1
-===================================================================
---- src/appl/telnet/telnet/telnet.1.orig
-+++ src/appl/telnet/telnet/telnet.1
-@@ -625,7 +625,7 @@ Sends the
- .TP
- .B escape
- Sends the current
--.b telnet
-+.B telnet
- escape character (initially ``^''.
- .TP
- .B ga
-@@ -761,7 +761,7 @@ character.
- If
- .B telnet
- is in
--.b localchars
-+.B localchars
- mode (see
- .B toggle localchars
- below),
-@@ -1296,9 +1296,9 @@ is omitted, then an interactive subshell
- .TP
- \fB\&?\fP \fIcommand\fP
- Get help. With no arguments,
--.b telnet
-+.B telnet
- prints a help summary. If a command is specified,
--.b telnet
-+.B telnet
- will print the help information for just that command.
- .SH ENVIRONMENT
- .B Telnet
-Index: src/clients/kpasswd/kpasswd.M
-===================================================================
---- src/clients/kpasswd/kpasswd.M.orig
-+++ src/clients/kpasswd/kpasswd.M
-@@ -21,8 +21,7 @@
- .\" this software for any purpose. It is provided "as is" without express
- .\" or implied warranty.
- .\" "
--.\.so man1/header.doc
--.TH KPASSWD 1 \*h
-+.TH KPASSWD 1
- .SH NAME
- kpasswd \- change a user's Kerberos password
- .SH SYNOPSIS
-Index: src/gen-manpages/k5login.M
-===================================================================
---- src/gen-manpages/k5login.M.orig
-+++ src/gen-manpages/k5login.M
-@@ -1,6 +1,6 @@
- .TH .K5LOGIN 5
- .SH NAME
--.k5login \- Kerberos V5 acl file for host access.
-+\&.k5login \- Kerberos V5 acl file for host access.
- .SH DESCRIPTION - The - .B .k5login -Index: src/kadmin/dbutil/kdb5_destroy.c -=================================================================== ---- src/kadmin/dbutil/kdb5_destroy.c.orig -+++ src/kadmin/dbutil/kdb5_destroy.c -@@ -60,19 +60,16 @@ kdb5_destroy(argc, argv) - retval1 = kadm5_init_krb5_context(&context); - if( retval1 ) - { -- com_err(argv[0], retval1, "while initializing krb5_context"); -+ com_err(progname, retval1, "while initializing krb5_context"); - exit(1); - } - - if ((retval1 = krb5_set_default_realm(context, - util_context->default_realm))) { -- com_err(argv[0], retval1, "while setting default realm name"); -+ com_err(progname, retval1, "while setting default realm name"); - exit(1); - } - -- if (strrchr(argv[0], '/')) -- argv[0] = strrchr(argv[0], '/')+1; -- - dbname = global_params.dbname; - - optind = 1; -@@ -102,7 +99,7 @@ kdb5_destroy(argc, argv) - - retval1 = krb5_db_destroy(context, db5util_db_args); - if (retval1) { -- com_err(argv[0], retval1, "deleting database '%s'",dbname); -+ com_err(progname, retval1, "deleting database '%s'",dbname); - exit_status++; return; - } - -Index: src/kadmin/dbutil/dump.c -=================================================================== ---- src/kadmin/dbutil/dump.c.orig -+++ src/kadmin/dbutil/dump.c -@@ -1016,7 +1016,6 @@ dump_db(argc, argv) - { - FILE *f; - struct dump_args arglist; -- char *programname; - char *ofile; - krb5_error_code kret, retval; - dump_version *dump; -@@ -1027,9 +1026,6 @@ dump_db(argc, argv) - /* - * Parse the arguments. - */ -- programname = argv[0]; -- if (strrchr(programname, (int) '/')) -- programname = strrchr(argv[0], (int) '/') + 1; - ofile = (char *) NULL; - dump = &r1_3_version; - arglist.verbose = 0; -@@ -1081,7 +1077,7 @@ dump_db(argc, argv) - * to be opened if we try a dump that uses it. 
- */ - if (!dbactive) { -- com_err(argv[0], 0, Err_no_database); -+ com_err(progname, 0, Err_no_database); - exit_status++; - return; - } -@@ -1099,7 +1095,7 @@ dump_db(argc, argv) - (char *) NULL, 0, - &master_keyblock); - if (retval) { -- com_err(argv[0], retval, -+ com_err(progname, retval, - "while reading master key"); - exit(1); - } -@@ -1107,7 +1103,7 @@ dump_db(argc, argv) - master_princ, - &master_keyblock); - if (retval) { -- com_err(argv[0], retval, -+ com_err(progname, retval, - "while verifying master key"); - exit(1); - } -@@ -1124,7 +1120,7 @@ dump_db(argc, argv) - TRUE, - new_mkey_file, 0, - &new_master_keyblock))) { -- com_err(argv[0], retval, "while reading new master key"); -+ com_err(progname, retval, "while reading new master key"); - exit(1); - } - } -@@ -1150,7 +1146,7 @@ dump_db(argc, argv) - unlink(ofile); - if (!(f = fopen(ofile, "w"))) { - fprintf(stderr, ofopen_error, -- programname, ofile, error_message(errno)); -+ progname, ofile, error_message(errno)); - exit_status++; - return; - } -@@ -1158,7 +1154,7 @@ dump_db(argc, argv) - fileno(f), - KRB5_LOCKMODE_EXCLUSIVE))) { - fprintf(stderr, oflock_error, -- programname, ofile, error_message(kret)); -+ progname, ofile, error_message(kret)); - exit_status++; - } - else -@@ -1167,7 +1163,7 @@ dump_db(argc, argv) - f = stdout; - } - if (f && !(kret)) { -- arglist.programname = programname; -+ arglist.programname = progname; - arglist.ofile = f; - arglist.kcontext = util_context; - fprintf(arglist.ofile, "%s", dump->header); -@@ -1179,13 +1175,13 @@ dump_db(argc, argv) - dump->dump_princ, - (krb5_pointer) &arglist))) { /* TBD: backwards and recursive not supported */ - fprintf(stderr, dumprec_err, -- programname, dump->name, error_message(kret)); -+ progname, dump->name, error_message(kret)); - exit_status++; - } - if (dump->dump_policy && - (kret = krb5_db_iter_policy( util_context, "*", dump->dump_policy, - &arglist))) { -- fprintf(stderr, dumprec_err, programname, dump->name, -+ 
fprintf(stderr, dumprec_err, progname, dump->name, - error_message(kret)); - exit_status++; - } -@@ -2126,7 +2122,6 @@ load_db(argc, argv) - FILE *f; - extern char *optarg; - extern int optind; -- char *programname; - char *dumpfile; - char *dbname; - char *dbname_tmp; -@@ -2140,9 +2135,6 @@ load_db(argc, argv) - /* - * Parse the arguments. - */ -- programname = argv[0]; -- if (strrchr(programname, (int) '/')) -- programname = strrchr(argv[0], (int) '/') + 1; - dumpfile = (char *) NULL; - dbname = global_params.dbname; - load = NULL; -@@ -2180,7 +2172,7 @@ load_db(argc, argv) - - if (!(dbname_tmp = (char *) malloc(strlen(dbname)+ - strlen(dump_tmptrail)+1))) { -- fprintf(stderr, no_name_mem_fmt, argv[0]); -+ fprintf(stderr, no_name_mem_fmt, progname); - exit_status++; - return; - } -@@ -2191,7 +2183,7 @@ load_db(argc, argv) - * Initialize the Kerberos context and error tables. - */ - if ((kret = kadm5_init_krb5_context(&kcontext))) { -- fprintf(stderr, ctx_err_fmt, programname); -+ fprintf(stderr, ctx_err_fmt, progname); - free(dbname_tmp); - exit_status++; - return; -@@ -2199,7 +2191,7 @@ load_db(argc, argv) - - if( (kret = krb5_set_default_realm(kcontext, util_context->default_realm)) ) - { -- fprintf(stderr, "%s: Unable to set the default realm\n", programname); -+ fprintf(stderr, "%s: Unable to set the default realm\n", progname); - free(dbname_tmp); - exit_status++; - return; -@@ -2210,14 +2202,14 @@ load_db(argc, argv) - */ - if (dumpfile) { - if ((f = fopen(dumpfile, "r")) == NULL) { -- fprintf(stderr, dfile_err_fmt, programname, dumpfile, -+ fprintf(stderr, dfile_err_fmt, progname, dumpfile, - error_message(errno)); - exit_status++; - return; - } - if ((kret = krb5_lock_file(kcontext, fileno(f), - KRB5_LOCKMODE_SHARED))) { -- fprintf(stderr, "%s: Cannot lock %s: %s\n", programname, -+ fprintf(stderr, "%s: Cannot lock %s: %s\n", progname, - dumpfile, error_message(errno)); - exit_status++; - return; -@@ -2233,7 +2225,7 @@ load_db(argc, argv) - if (load) { - 
/* only check what we know; some headers only contain a prefix */ - if (strncmp(buf, load->header, strlen(load->header)) != 0) { -- fprintf(stderr, head_bad_fmt, programname, dumpfile); -+ fprintf(stderr, head_bad_fmt, progname, dumpfile); - exit_status++; - if (dumpfile) fclose(f); - return; -@@ -2252,7 +2244,7 @@ load_db(argc, argv) - strlen(ov_version.header)) == 0) - load = &ov_version; - else { -- fprintf(stderr, head_bad_fmt, programname, dumpfile); -+ fprintf(stderr, head_bad_fmt, progname, dumpfile); - exit_status++; - if (dumpfile) fclose(f); - return; -@@ -2260,7 +2252,7 @@ load_db(argc, argv) - } - if (load->updateonly && !update) { - fprintf(stderr, "%s: dump version %s can only be loaded with the " -- "-update flag\n", programname, load->name); -+ "-update flag\n", progname, load->name); - exit_status++; - return; - } -@@ -2277,7 +2269,7 @@ load_db(argc, argv) - - if ((kret = kadm5_get_config_params(kcontext, 1, - &newparams, &newparams))) { -- com_err(argv[0], kret, -+ com_err(progname, kret, - "while retreiving new configuration parameters"); - exit_status++; - return; -@@ -2301,11 +2293,11 @@ load_db(argc, argv) - */ - - if (emsg != NULL) { -- fprintf(stderr, "%s: %s\n", programname, emsg); -+ fprintf(stderr, "%s: %s\n", progname, emsg); - krb5_free_error_message (kcontext, emsg); - } else { - fprintf(stderr, dbcreaterr_fmt, -- programname, dbname, error_message(kret)); -+ progname, dbname, error_message(kret)); - } - exit_status++; - kadm5_free_config_params(kcontext, &newparams); -@@ -2326,11 +2318,11 @@ load_db(argc, argv) - */ - - if (emsg != NULL) { -- fprintf(stderr, "%s: %s\n", programname, emsg); -+ fprintf(stderr, "%s: %s\n", progname, emsg); - krb5_free_error_message (kcontext, emsg); - } else { - fprintf(stderr, dbinit_err_fmt, -- programname, error_message(kret)); -+ progname, error_message(kret)); - } - exit_status++; - goto error; -@@ -2349,7 +2341,7 @@ load_db(argc, argv) - */ - if (kret != KRB5_PLUGIN_OP_NOTSUPP) { - fprintf(stderr, 
"%s: %s while permanently locking database\n", -- programname, error_message(kret)); -+ progname, error_message(kret)); - exit_status++; - goto error; - } -@@ -2357,10 +2349,10 @@ load_db(argc, argv) - else - db_locked = 1; - -- if (restore_dump(programname, kcontext, (dumpfile) ? dumpfile : stdin_name, -+ if (restore_dump(progname, kcontext, (dumpfile) ? dumpfile : stdin_name, - f, verbose, load)) { - fprintf(stderr, restfail_fmt, -- programname, load->name); -+ progname, load->name); - exit_status++; - } - -@@ -2373,14 +2365,14 @@ load_db(argc, argv) - if (db_locked && (kret = krb5_db_unlock(kcontext))) { - /* change this error? */ - fprintf(stderr, dbunlockerr_fmt, -- programname, dbname, error_message(kret)); -+ progname, dbname, error_message(kret)); - exit_status++; - } - - #if 0 - if ((kret = krb5_db_fini(kcontext))) { - fprintf(stderr, close_err_fmt, -- programname, error_message(kret)); -+ progname, error_message(kret)); - exit_status++; - } - #endif -@@ -2395,7 +2387,7 @@ load_db(argc, argv) - */ - if (kret != 0 && kret != KRB5_PLUGIN_OP_NOTSUPP) { - fprintf(stderr, "%s: cannot make newly loaded database live (%s)\n", -- programname, error_message(kret)); -+ progname, error_message(kret)); - exit_status++; - } - } -@@ -2416,7 +2408,7 @@ error: - */ - if (kret != 0 && kret != KRB5_PLUGIN_OP_NOTSUPP) { - fprintf(stderr, dbdelerr_fmt, -- programname, dbname, error_message(kret)); -+ progname, dbname, error_message(kret)); - exit_status++; - } - } -Index: src/kadmin/dbutil/kdb5_create.c -=================================================================== ---- src/kadmin/dbutil/kdb5_create.c.orig -+++ src/kadmin/dbutil/kdb5_create.c -@@ -162,9 +162,6 @@ void kdb5_create(argc, argv) - int do_stash = 0; - krb5_data pwd, seed; - -- if (strrchr(argv[0], '/')) -- argv[0] = strrchr(argv[0], '/')+1; -- - while ((optchar = getopt(argc, argv, "s")) != -1) { - switch(optchar) { - case 's': -@@ -193,7 +190,7 @@ void kdb5_create(argc, argv) - printf ("Loading random 
data\n"); - retval = krb5_c_random_os_entropy (util_context, 1, NULL); - if (retval) { -- com_err (argv[0], retval, "Loading random data"); -+ com_err (progname, retval, "Loading random data"); - exit_status++; return; - } - -@@ -203,7 +200,7 @@ void kdb5_create(argc, argv) - global_params.mkey_name, - global_params.realm, - &mkey_fullname, &master_princ))) { -- com_err(argv[0], retval, "while setting up master key name"); -+ com_err(progname, retval, "while setting up master key name"); - exit_status++; return; - } - -@@ -229,7 +226,7 @@ master key name '%s'\n", - retval = krb5_read_password(util_context, KRB5_KDC_MKEY_1, KRB5_KDC_MKEY_2, - pw_str, &pw_size); - if (retval) { -- com_err(argv[0], retval, "while reading master key from keyboard"); -+ com_err(progname, retval, "while reading master key from keyboard"); - exit_status++; return; - } - mkey_password = pw_str; -@@ -239,14 +236,14 @@ master key name '%s'\n", - pwd.length = strlen(mkey_password); - retval = krb5_principal2salt(util_context, master_princ, &master_salt); - if (retval) { -- com_err(argv[0], retval, "while calculating master key salt"); -+ com_err(progname, retval, "while calculating master key salt"); - exit_status++; return; - } - - retval = krb5_c_string_to_key(util_context, master_keyblock.enctype, - &pwd, &master_salt, &master_keyblock); - if (retval) { -- com_err(argv[0], retval, "while transforming master key from password"); -+ com_err(progname, retval, "while transforming master key from password"); - exit_status++; return; - } - -@@ -256,28 +253,28 @@ master key name '%s'\n", - seed.data = master_keyblock.contents; - - if ((retval = krb5_c_random_seed(util_context, &seed))) { -- com_err(argv[0], retval, "while initializing random key generator"); -+ com_err(progname, retval, "while initializing random key generator"); - exit_status++; return; - } - if ((retval = krb5_db_create(util_context, - db5util_db_args))) { -- com_err(argv[0], retval, "while creating database '%s'", -+ 
com_err(progname, retval, "while creating database '%s'", - global_params.dbname); - exit_status++; return; - } - /* if ((retval = krb5_db_fini(util_context))) { */ --/* com_err(argv[0], retval, "while closing current database"); */ -+/* com_err(progname, retval, "while closing current database"); */ - /* exit_status++; return; */ - /* } */ - /* if ((retval = krb5_db_open(util_context, db5util_db_args, KRB5_KDB_OPEN_RW))) { */ --/* com_err(argv[0], retval, "while initializing the database '%s'", */ -+/* com_err(progname, retval, "while initializing the database '%s'", */ - /* global_params.dbname); */ - /* exit_status++; return; */ - /* } */ - if ((retval = add_principal(util_context, master_princ, MASTER_KEY, &rblock)) || - (retval = add_principal(util_context, &tgt_princ, TGT_KEY, &rblock))) { - (void) krb5_db_fini(util_context); -- com_err(argv[0], retval, "while adding entries to the database"); -+ com_err(progname, retval, "while adding entries to the database"); - exit_status++; return; - } - /* -@@ -291,7 +288,7 @@ master key name '%s'\n", - &master_keyblock, - mkey_password); - if (retval) { -- com_err(argv[0], errno, "while storing key"); -+ com_err(progname, errno, "while storing key"); - printf("Warning: couldn't stash master key.\n"); - } - /* clean up */ -Index: src/kadmin/dbutil/kdb5_util.c -=================================================================== ---- src/kadmin/dbutil/kdb5_util.c.orig -+++ src/kadmin/dbutil/kdb5_util.c -@@ -186,16 +186,18 @@ int main(argc, argv) - - set_com_err_hook(extended_com_err_fn); - -+ /* -+ * Ensure that "progname" is set before calling com_err. -+ */ -+ progname = (strrchr(argv[0], '/') ? -+ strrchr(argv[0], '/') + 1 : argv[0]); -+ - retval = kadm5_init_krb5_context(&util_context); - if (retval) { - com_err (progname, retval, "while initializing Kerberos code"); - exit(1); - } - --/* initialize_adb_error_table(); */ -- -- progname = (strrchr(argv[0], '/') ? 
strrchr(argv[0], '/')+1 : argv[0]); -- - cmd_argv = (char **) malloc(sizeof(char *)*argc); - if (cmd_argv == NULL) { - com_err(progname, ENOMEM, "while creating sub-command arguments"); -@@ -245,7 +247,7 @@ int main(argc, argv) - } - } else if (strcmp(*argv, "-k") == 0 && ARG_VAL) { - if (krb5_string_to_enctype(koptarg, &global_params.enctype)) -- com_err(argv[0], 0, "%s is an invalid enctype", koptarg); -+ com_err(progname, 0, "%s is an invalid enctype", koptarg); - else - global_params.mask |= KADM5_CONFIG_ENCTYPE; - } else if (strcmp(*argv, "-M") == 0 && ARG_VAL) { -@@ -287,7 +289,7 @@ int main(argc, argv) - retval = kadm5_get_config_params(util_context, 1, - &global_params, &global_params); - if (retval) { -- com_err(argv[0], retval, "while retreiving configuration parameters"); -+ com_err(progname, retval, "while retreiving configuration parameters"); - exit(1); - } - -@@ -300,7 +302,7 @@ int main(argc, argv) - master_keyblock.enctype = global_params.enctype; - if ((master_keyblock.enctype != ENCTYPE_UNKNOWN) && - (!krb5_c_valid_enctype(master_keyblock.enctype))) { -- com_err(argv[0], KRB5_PROG_KEYTYPE_NOSUPP, -+ com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP, - "while setting up enctype %d", master_keyblock.enctype); - } - -@@ -334,13 +336,13 @@ void set_dbname(argc, argv) - - if (argc < 3) { - com_err(argv[0], 0, "Too few arguments"); -- com_err(argv[0], 0, "Usage: %s dbpathname realmname", argv[0]); -+ com_err(progname, 0, "Usage: %s dbpathname realmname", argv[0]); - exit_status++; - return; - } - if (dbactive) { - if ((retval = krb5_db_fini(util_context)) && retval!= KRB5_KDB_DBNOTINITED) { -- com_err(argv[0], retval, "while closing previous database"); -+ com_err(progname, retval, "while closing previous database"); - exit_status++; - return; - } -@@ -353,7 +355,7 @@ void set_dbname(argc, argv) - dbactive = FALSE; - } - -- (void) set_dbname_help(argv[0], argv[1]); -+ (void) set_dbname_help(progname, argv[1]); - return; - } - #endif -@@ -425,6 +427,7 @@ 
static int open_db_and_mkey() - retval = krb5_principal2salt(util_context, master_princ, &scratch); - if (retval) { - com_err(progname, retval, "while calculated master key salt"); -+ exit_status++; - return(1); - } - -@@ -442,6 +445,7 @@ static int open_db_and_mkey() - if (retval) { - com_err(progname, retval, - "while transforming master key from password"); -+ exit_status++; - return(1); - } - free(scratch.data); -@@ -519,7 +523,7 @@ add_random_key(argc, argv) - krb5_int32 num_keysalts = 0; - - int free_keysalts; -- char *me = argv[0]; -+ char *me = progname; - char *ks_str = NULL; - char *pr_str; - -Index: src/kadmin/dbutil/kdb5_stash.c -=================================================================== ---- src/kadmin/dbutil/kdb5_stash.c.orig -+++ src/kadmin/dbutil/kdb5_stash.c -@@ -82,19 +82,16 @@ kdb5_stash(argc, argv) - char *keyfile = 0; - krb5_context context; - -- if (strrchr(argv[0], '/')) -- argv[0] = strrchr(argv[0], '/')+1; -- - retval = kadm5_init_krb5_context(&context); - if( retval ) - { -- com_err(argv[0], retval, "while initializing krb5_context"); -+ com_err(progname, retval, "while initializing krb5_context"); - exit(1); - } - - if ((retval = krb5_set_default_realm(context, - util_context->default_realm))) { -- com_err(argv[0], retval, "while setting default realm name"); -+ com_err(progname, retval, "while setting default realm name"); - exit(1); - } - -@@ -119,10 +116,10 @@ kdb5_stash(argc, argv) - if (!krb5_c_valid_enctype(master_keyblock.enctype)) { - char tmp[32]; - if (krb5_enctype_to_string(master_keyblock.enctype, tmp, sizeof(tmp))) -- com_err(argv[0], KRB5_PROG_KEYTYPE_NOSUPP, -+ com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP, - "while setting up enctype %d", master_keyblock.enctype); - else -- com_err(argv[0], KRB5_PROG_KEYTYPE_NOSUPP, tmp); -+ com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP, tmp); - exit_status++; return; - } - -@@ -130,14 +127,14 @@ kdb5_stash(argc, argv) - retval = krb5_db_setup_mkey_name(context, mkey_name, realm, - 
&mkey_fullname, &master_princ); - if (retval) { -- com_err(argv[0], retval, "while setting up master key name"); -+ com_err(progname, retval, "while setting up master key name"); - exit_status++; return; - } - - retval = krb5_db_open(context, db5util_db_args, - KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_OTHER); - if (retval) { -- com_err(argv[0], retval, "while initializing the database '%s'", -+ com_err(progname, retval, "while initializing the database '%s'", - dbname); - exit_status++; return; - } -@@ -148,7 +145,7 @@ kdb5_stash(argc, argv) - TRUE, FALSE, (char *) NULL, - 0, &master_keyblock); - if (retval) { -- com_err(argv[0], retval, "while reading master key"); -+ com_err(progname, retval, "while reading master key"); - (void) krb5_db_fini(context); - exit_status++; return; - } -@@ -156,7 +153,7 @@ kdb5_stash(argc, argv) - retval = krb5_db_verify_master_key(context, master_princ, - &master_keyblock); - if (retval) { -- com_err(argv[0], retval, "while verifying master key"); -+ com_err(progname, retval, "while verifying master key"); - (void) krb5_db_fini(context); - exit_status++; return; - } -@@ -164,7 +161,7 @@ kdb5_stash(argc, argv) - retval = krb5_db_store_master_key(context, keyfile, master_princ, - &master_keyblock, NULL); - if (retval) { -- com_err(argv[0], errno, "while storing key"); -+ com_err(progname, errno, "while storing key"); - memset((char *)master_keyblock.contents, 0, master_keyblock.length); - (void) krb5_db_fini(context); - exit_status++; return; -@@ -173,7 +170,7 @@ kdb5_stash(argc, argv) - - retval = krb5_db_fini(context); - if (retval) { -- com_err(argv[0], retval, "closing database '%s'", dbname); -+ com_err(progname, retval, "closing database '%s'", dbname); - exit_status++; return; - } - -Index: src/kadmin/cli/kadmin.M -=================================================================== ---- src/kadmin/cli/kadmin.M.orig -+++ src/kadmin/cli/kadmin.M -@@ -206,12 +206,12 @@ Specifying "ago" in a duration may resul - creates the principal - 
.IR newprinc , - prompting twice for a password. If no policy is specified with the ---policy option, and the policy named "default" exists, then that -+\-policy option, and the policy named "default" exists, then that - policy is assigned to the principal; note that the assignment of the - policy "default" only occurs automatically when a principal is first - created, so the policy "default" must already exist for the assignment - to occur. This assignment of "default" can be suppressed with the ---clearpolicy option. This command requires the -+\-clearpolicy option. This command requires the - .I add - privilege. This command has the aliases - .B addprinc -@@ -411,7 +411,7 @@ Re-enter password for principal tlyu/adm - Principal "tlyu/admin@BLEEP.COM" created. - kadmin: - --kadmin: addprinc -x dn=cn=mwm_user,o=org mwm_user -+kadmin: addprinc \-x dn=cn=mwm_user,o=org mwm_user - WARNING: no policy specified for "mwm_user@BLEEP.COM"; - defaulting to no policy. - Enter password for principal mwm_user@BLEEP.COM: -@@ -639,7 +639,7 @@ sets the number of past keys kept for a - .nf - .TP - EXAMPLES: --kadmin: add_policy -maxlife "2 days" -minlength 5 guests -+kadmin: add_policy \-maxlife "2 days" \-minlength 5 guests - kadmin: - .TP - ERRORS: -Index: src/lib/crypto/enc_provider/aes.c -=================================================================== ---- src/lib/crypto/enc_provider/aes.c.orig -+++ src/lib/crypto/enc_provider/aes.c -@@ -1,3 +1,29 @@ -+/* -+ * lib/crypto/enc_provider/aes.h -+ * -+ * Copyright (C) 2003, 2007 by the Massachusetts Institute of Technology. -+ * All rights reserved. -+ * -+ * Export of this software from the United States of America may -+ * require a specific license from the United States Government. -+ * It is the responsibility of any person or organization contemplating -+ * export to obtain such a license before exporting. 
-+ * -+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -+ * distribute this software and its documentation for any purpose and -+ * without fee is hereby granted, provided that the above copyright -+ * notice appear in all copies and that both that copyright notice and -+ * this permission notice appear in supporting documentation, and that -+ * the name of M.I.T. not be used in advertising or publicity pertaining -+ * to distribution of the software without specific, written prior -+ * permission. Furthermore if you modify this software you must label -+ * your software as modified software and not distribute it in such a -+ * fashion that it might be confused with the original M.I.T. software. -+ * M.I.T. makes no representations about the suitability of -+ * this software for any purpose. It is provided "as is" without express -+ * or implied warranty. -+ */ -+ - #include "k5-int.h" - #include "enc_provider.h" - #include "aes.h" -Index: src/lib/rpc/auth_gssapi.c -=================================================================== ---- src/lib/rpc/auth_gssapi.c.orig -+++ src/lib/rpc/auth_gssapi.c -@@ -164,6 +164,11 @@ AUTH *auth_gssapi_create( - auth = (AUTH *) malloc(sizeof(*auth)); - pdata = (struct auth_gssapi_data *) malloc(sizeof(*pdata)); - if (auth == NULL || pdata == NULL) { -+ /* They needn't both have failed; clean up. 
*/ -+ free(auth); -+ free(pdata); -+ auth = NULL; -+ pdata = NULL; - rpc_createerr.cf_stat = RPC_SYSTEMERROR; - rpc_createerr.cf_error.re_errno = ENOMEM; - goto cleanup; -@@ -436,12 +441,14 @@ next_token: - - cleanup: - PRINTF(("gssapi_create: bailing\n\n")); -- -- if (AUTH_PRIVATE(auth)) -- auth_gssapi_destroy(auth); -- else if (auth) -- free(auth); -- auth = NULL; -+ -+ if (auth) { -+ if (AUTH_PRIVATE(auth)) -+ auth_gssapi_destroy(auth); -+ else -+ free(auth); -+ auth = NULL; -+ } - - /* don't assume the caller will want to change clnt->cl_auth */ - clnt->cl_auth = save_auth; -Index: src/lib/gssapi/krb5/lucid_context.c -=================================================================== ---- src/lib/gssapi/krb5/lucid_context.c.orig -+++ src/lib/gssapi/krb5/lucid_context.c -@@ -231,7 +231,7 @@ make_external_lucid_ctx_v1( - &lctx->cfx_kd.ctx_key))) - goto error_out; - if (gctx->have_acceptor_subkey) { -- if ((retval = copy_keyblock_to_lucid_key(gctx->enc, -+ if ((retval = copy_keyblock_to_lucid_key(gctx->acceptor_subkey, - &lctx->cfx_kd.acceptor_subkey))) - goto error_out; - lctx->cfx_kd.have_acceptor_subkey = 1; -Index: src/lib/kadm5/str_conv.c -=================================================================== ---- src/lib/kadm5/str_conv.c.orig -+++ src/lib/kadm5/str_conv.c -@@ -310,7 +310,7 @@ krb5_string_to_keysalts(string, tuplesep - septmp = ksseplist; - for (sp = strchr(kp, (int) *septmp); - *(++septmp) && !sp; -- ep = strchr(kp, (int) *septmp)); -+ sp = strchr(kp, (int) *septmp)); - - if (sp) { - /* Separate enctype from salttype */ -Index: src/lib/krb5/keytab/kt_file.c -=================================================================== ---- src/lib/krb5/keytab/kt_file.c.orig -+++ src/lib/krb5/keytab/kt_file.c -@@ -53,10 +53,30 @@ typedef struct _krb5_ktfile_data { - FILE *openf; /* open file, if any. 
*/ - char iobuf[BUFSIZ]; /* so we can zap it later */ - int version; /* Version number of keytab */ -+ unsigned int iter_count; /* Number of active iterators */ -+ long start_offset; /* Starting offset after version */ - k5_mutex_t lock; /* Protect openf, version */ - } krb5_ktfile_data; - - /* -+ * Some limitations: -+ * -+ * If the file OPENF is left open between calls, we have an iterator -+ * active, and OPENF is opened in read-only mode. So, no changes -+ * can be made via that handle. -+ * -+ * An advisory file lock is used while the file is open. Thus, -+ * multiple handles on the same underlying file cannot be used without -+ * disrupting the locking in effect. -+ * -+ * The start_offset field is only valid if the file is open. It will -+ * almost certainly always be the same constant. It's used so that -+ * if an iterator is active, and we start another one, we don't have -+ * to seek back to the start and re-read the version number to set -+ * the position for the iterator. -+ */ -+ -+/* - * Macros - */ - #define KTPRIVATE(id) ((krb5_ktfile_data *)(id)->data) -@@ -64,6 +84,8 @@ typedef struct _krb5_ktfile_data { - #define KTFILEP(id) (((krb5_ktfile_data *)(id)->data)->openf) - #define KTFILEBUFP(id) (((krb5_ktfile_data *)(id)->data)->iobuf) - #define KTVERSION(id) (((krb5_ktfile_data *)(id)->data)->version) -+#define KTITERS(id) (((krb5_ktfile_data *)(id)->data)->iter_count) -+#define KTSTARTOFF(id) (((krb5_ktfile_data *)(id)->data)->start_offset) - #define KTLOCK(id) k5_mutex_lock(&((krb5_ktfile_data *)(id)->data)->lock) - #define KTUNLOCK(id) k5_mutex_unlock(&((krb5_ktfile_data *)(id)->data)->lock) - #define KTCHECKLOCK(id) k5_mutex_assert_locked(&((krb5_ktfile_data *)(id)->data)->lock) -@@ -208,6 +230,7 @@ krb5_ktfile_resolve(krb5_context context - (void) strcpy(data->name, name); - data->openf = 0; - data->version = 0; -+ data->iter_count = 0; - - (*id)->data = (krb5_pointer)data; - (*id)->magic = KV5M_KEYTAB; -@@ -255,15 +278,27 @@ 
krb5_ktfile_get_entry(krb5_context conte - int found_wrong_kvno = 0; - krb5_boolean similar; - int kvno_offset = 0; -+ int was_open; - - kerror = KTLOCK(id); - if (kerror) - return kerror; - -- /* Open the keyfile for reading */ -- if ((kerror = krb5_ktfileint_openr(context, id))) { -- KTUNLOCK(id); -- return(kerror); -+ if (KTFILEP(id) != NULL) { -+ was_open = 1; -+ -+ if (fseek(KTFILEP(id), KTSTARTOFF(id), SEEK_SET) == -1) { -+ KTUNLOCK(id); -+ return errno; -+ } -+ } else { -+ was_open = 0; -+ -+ /* Open the keyfile for reading */ -+ if ((kerror = krb5_ktfileint_openr(context, id))) { -+ KTUNLOCK(id); -+ return(kerror); -+ } - } - - /* -@@ -370,12 +405,13 @@ krb5_ktfile_get_entry(krb5_context conte - kerror = KRB5_KT_NOTFOUND; - } - if (kerror) { -- (void) krb5_ktfileint_close(context, id); -+ if (was_open == 0) -+ (void) krb5_ktfileint_close(context, id); - KTUNLOCK(id); - krb5_kt_free_entry(context, &cur_entry); - return kerror; - } -- if ((kerror = krb5_ktfileint_close(context, id)) != 0) { -+ if (was_open == 0 && (kerror = krb5_ktfileint_close(context, id)) != 0) { - KTUNLOCK(id); - krb5_kt_free_entry(context, &cur_entry); - return kerror; -@@ -430,18 +466,30 @@ krb5_ktfile_start_seq_get(krb5_context c - if (retval) - return retval; - -- if ((retval = krb5_ktfileint_openr(context, id))) { -- KTUNLOCK(id); -- return retval; -+ if (KTITERS(id) == 0) { -+ if ((retval = krb5_ktfileint_openr(context, id))) { -+ KTUNLOCK(id); -+ return retval; -+ } - } - - if (!(fileoff = (long *)malloc(sizeof(*fileoff)))) { -- krb5_ktfileint_close(context, id); -+ if (KTITERS(id) == 0) -+ krb5_ktfileint_close(context, id); - KTUNLOCK(id); - return ENOMEM; - } -- *fileoff = ftell(KTFILEP(id)); -+ *fileoff = KTSTARTOFF(id); - *cursorp = (krb5_kt_cursor)fileoff; -+ KTITERS(id)++; -+ if (KTITERS(id) == 0) { -+ /* Wrapped?! 
*/ -+ KTITERS(id)--; -+ KTUNLOCK(id); -+ krb5_set_error_message(context, KRB5_KT_IOERR, -+ "Too many keytab iterators active"); -+ return KRB5_KT_IOERR; /* XXX */ -+ } - KTUNLOCK(id); - - return 0; -@@ -490,7 +538,11 @@ krb5_ktfile_end_get(krb5_context context - - krb5_xfree(*cursor); - KTLOCK(id); -- kerror = krb5_ktfileint_close(context, id); -+ KTITERS(id)--; -+ if (KTFILEP(id) != NULL && KTITERS(id) == 0) -+ kerror = krb5_ktfileint_close(context, id); -+ else -+ kerror = 0; - KTUNLOCK(id); - return kerror; - } -@@ -811,6 +863,7 @@ krb5_ktfile_wresolve(krb5_context contex - (void) strcpy(data->name, name); - data->openf = 0; - data->version = 0; -+ data->iter_count = 0; - - (*id)->data = (krb5_pointer)data; - (*id)->magic = KV5M_KEYTAB; -@@ -830,6 +883,13 @@ krb5_ktfile_add(krb5_context context, kr - retval = KTLOCK(id); - if (retval) - return retval; -+ if (KTFILEP(id)) { -+ /* Iterator(s) active -- no changes. */ -+ KTUNLOCK(id); -+ krb5_set_error_message(context, KRB5_KT_IOERR, -+ "Cannot change keytab with keytab iterators active"); -+ return KRB5_KT_IOERR; /* XXX */ -+ } - if ((retval = krb5_ktfileint_openw(context, id))) { - KTUNLOCK(id); - return retval; -@@ -858,6 +918,13 @@ krb5_ktfile_remove(krb5_context context, - kerror = KTLOCK(id); - if (kerror) - return kerror; -+ if (KTFILEP(id)) { -+ /* Iterator(s) active -- no changes. 
*/ -+ KTUNLOCK(id); -+ krb5_set_error_message(context, KRB5_KT_IOERR, -+ "Cannot change keytab with keytab iterators active"); -+ return KRB5_KT_IOERR; /* XXX */ -+ } - - if ((kerror = krb5_ktfileint_openw(context, id))) { - KTUNLOCK(id); -@@ -1114,6 +1181,7 @@ krb5_ktfileint_open(krb5_context context - return KRB5_KEYTAB_BADVNO; - } - } -+ KTSTARTOFF(id) = ftell(KTFILEP(id)); - return 0; - } - -@@ -1424,7 +1492,7 @@ krb5_ktfileint_write_entry(krb5_context - krb5_timestamp timestamp; - krb5_int32 princ_type; - krb5_int32 size_needed; -- krb5_int32 commit_point; -+ krb5_int32 commit_point = -1; - int i; - - KTCHECKLOCK(id); -Index: src/lib/krb5/os/toffset.c -=================================================================== ---- src/lib/krb5/os/toffset.c.orig -+++ src/lib/krb5/os/toffset.c -@@ -34,6 +34,9 @@ - * routines will return the correct time as corrected by difference - * between the system time and the "real time" as passed to this - * routine -+ * -+ * If the real time microseconds are given as -1 the caller doesn't -+ * know the microseconds value so the usec offset is always zero. - */ - krb5_error_code KRB5_CALLCONV - krb5_set_real_time(krb5_context context, krb5_timestamp seconds, krb5_int32 microseconds) -@@ -45,8 +48,10 @@ krb5_set_real_time(krb5_context context, - retval = krb5_crypto_us_timeofday(&sec, &usec); - if (retval) - return retval; -+ - os_ctx->time_offset = seconds - sec; -- os_ctx->usec_offset = microseconds - usec; -+ os_ctx->usec_offset = (microseconds > -1) ? 
microseconds - usec : 0; -+ - os_ctx->os_flags = ((os_ctx->os_flags & ~KRB5_OS_TOFFSET_TIME) | - KRB5_OS_TOFFSET_VALID); - return 0; -Index: src/lib/krb5/os/locate_kdc.c -=================================================================== ---- src/lib/krb5/os/locate_kdc.c.orig -+++ src/lib/krb5/os/locate_kdc.c -@@ -611,6 +611,7 @@ module_locate_server (krb5_context ctx, - krb5_error_code code; - struct krb5plugin_service_locate_ftable *vtbl = NULL; - void **ptrs; -+ char *realmz; /* NUL-terminated realm */ - int i; - struct module_callback_data cbdata = { 0, }; - -@@ -632,6 +633,17 @@ module_locate_server (krb5_context ctx, - return KRB5_PLUGIN_NO_HANDLE; - } - -+ if (realm->length >= UINT_MAX) { -+ krb5int_free_plugin_dir_data(ptrs); -+ return ENOMEM; -+ } -+ realmz = malloc(realm->length + 1); -+ if (realmz == NULL) { -+ krb5int_free_plugin_dir_data(ptrs); -+ return ENOMEM; -+ } -+ memcpy(realmz, realm->data, realm->length); -+ realmz[realm->length] = '\0'; - for (i = 0; ptrs[i]; i++) { - void *blob; - -@@ -644,7 +656,7 @@ module_locate_server (krb5_context ctx, - if (code) - continue; - -- code = vtbl->lookup(blob, svc, realm->data, socktype, family, -+ code = vtbl->lookup(blob, svc, realmz, socktype, family, - module_callback, &cbdata); - vtbl->fini(blob); - if (code == KRB5_PLUGIN_NO_HANDLE) { -@@ -657,6 +669,7 @@ module_locate_server (krb5_context ctx, - /* Module encountered an actual error. */ - Tprintf("plugin lookup routine returned error %d: %s\n", - code, error_message(code)); -+ free(realmz); - krb5int_free_plugin_dir_data (ptrs); - return code; - } -@@ -664,6 +677,7 @@ module_locate_server (krb5_context ctx, - } - if (ptrs[i] == NULL) { - Tprintf("ran off end of plugin list\n"); -+ free(realmz); - krb5int_free_plugin_dir_data (ptrs); - return KRB5_PLUGIN_NO_HANDLE; - } -@@ -672,6 +686,7 @@ module_locate_server (krb5_context ctx, - /* Got something back, yippee. 
*/ - Tprintf("now have %d addrs in list %p\n", addrlist->naddrs, addrlist); - print_addrlist(addrlist); -+ free(realmz); - krb5int_free_plugin_dir_data (ptrs); - return 0; - } -Index: src/lib/krb5/rcache/rc_io.c -=================================================================== ---- src/lib/krb5/rcache/rc_io.c.orig -+++ src/lib/krb5/rcache/rc_io.c -@@ -83,6 +83,7 @@ krb5_rc_io_creat(krb5_context context, k - (void) strcpy(d->fn, dir); - (void) strcat(d->fn, PATH_SEPARATOR); - (void) strcat(d->fn, *fn); -+ unlink(d->fn); - d->fd = THREEPARAMOPEN(d->fn, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL | - O_BINARY, 0600); - } -@@ -425,7 +426,7 @@ krb5_rc_io_read(krb5_context context, kr - strerror(errno)); - return KRB5_RC_IO_UNKNOWN; - } -- if (count == 0) -+ if (count != num) - return KRB5_RC_IO_EOF; - return 0; - } -Index: src/lib/krb5/ccache/cc_memory.c -=================================================================== ---- src/lib/krb5/ccache/cc_memory.c.orig -+++ src/lib/krb5/ccache/cc_memory.c -@@ -135,10 +135,18 @@ krb5_error_code KRB5_CALLCONV - krb5_mcc_initialize(krb5_context context, krb5_ccache id, krb5_principal princ) - { - krb5_error_code ret; -+ krb5_mcc_data *d; -+ -+ d = (krb5_mcc_data *)id->data; -+ ret = k5_mutex_lock(&d->lock); -+ if (ret) -+ return ret; - - krb5_mcc_free(context, id); - ret = krb5_copy_principal(context, princ, - &((krb5_mcc_data *)id->data)->prin); -+ -+ k5_mutex_unlock(&d->lock); - if (ret == KRB5_OK) - krb5_change_cache(); - return ret; -@@ -205,8 +213,13 @@ krb5_mcc_destroy(krb5_context context, k - } - k5_mutex_unlock(&krb5int_mcc_mutex); - -+ err = k5_mutex_lock(&d->lock); -+ if (err) -+ return err; -+ - krb5_mcc_free(context, id); - krb5_xfree(d->name); -+ k5_mutex_unlock(&d->lock); - k5_mutex_destroy(&d->lock); - krb5_xfree(d); - krb5_xfree(id); -@@ -244,12 +257,6 @@ krb5_mcc_resolve (krb5_context context, - krb5_error_code err; - krb5_mcc_data *d; - -- lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache)); -- if (lid == 
NULL) -- return KRB5_CC_NOMEM; -- -- lid->ops = &krb5_mcc_ops; -- - err = k5_mutex_lock(&krb5int_mcc_mutex); - if (err) - return err; -@@ -262,11 +269,16 @@ krb5_mcc_resolve (krb5_context context, - err = new_mcc_data(residual, &d); - if (err) { - k5_mutex_unlock(&krb5int_mcc_mutex); -- krb5_xfree(lid); - return err; - } - } - k5_mutex_unlock(&krb5int_mcc_mutex); -+ -+ lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache)); -+ if (lid == NULL) -+ return KRB5_CC_NOMEM; -+ -+ lid->ops = &krb5_mcc_ops; - lid->data = d; - *id = lid; - return KRB5_OK; -Index: src/lib/krb5/ccache/ccdefault.c -=================================================================== ---- src/lib/krb5/ccache/ccdefault.c.orig -+++ src/lib/krb5/ccache/ccdefault.c -@@ -1,7 +1,7 @@ - /* - * lib/krb5/ccache/ccdefault.c - * -- * Copyright 1990 by the Massachusetts Institute of Technology. -+ * Copyright 1990, 2007, 2008 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may -@@ -45,22 +45,30 @@ static HANDLE hLeashDLL = INVALID_HANDLE - krb5_error_code KRB5_CALLCONV - krb5_cc_default(krb5_context context, krb5_ccache *ccache) - { -- krb5_os_context os_ctx; -+ const char *default_name; - - if (!context || context->magic != KV5M_CONTEXT) - return KV5M_CONTEXT; -+ -+ default_name = krb5_cc_default_name(context); -+ if (default_name == NULL) { -+ /* Could be a bogus context, or an allocation failure, or -+ other things. Unfortunately the API doesn't allow us -+ to find out any specifics. */ -+ return KRB5_FCC_INTERNAL; -+ } - -- os_ctx = context->os_context; -- -- return krb5_cc_resolve(context, krb5_cc_default_name(context), ccache); -+ return krb5_cc_resolve(context, default_name, ccache); - } - --/* This is the internal function which opens the default ccache. 
On platforms supporting -- the login library's automatic popup dialog to get tickets, this function also updated the -- library's internal view of the current principal associated with this cache. -- -- All krb5 and GSS functions which need to open a cache to get a tgt to obtain service tickets -- should call this function, not krb5_cc_default() */ -+/* This is the internal function which opens the default ccache. On -+ platforms supporting the login library's automatic popup dialog to -+ get tickets, this function also updated the library's internal view -+ of the current principal associated with this cache. -+ -+ All krb5 and GSS functions which need to open a cache to get a tgt -+ to obtain service tickets should call this function, not -+ krb5_cc_default(). */ - - krb5_error_code KRB5_CALLCONV - krb5int_cc_default(krb5_context context, krb5_ccache *ccache) -@@ -82,7 +90,8 @@ krb5int_cc_default(krb5_context context, - /* This function tries to get tickets and put them in the specified - cache, however, if the cache does not exist, it may choose to put - them elsewhere (ie: the system default) so we set that here */ -- if (strcmp (krb5_cc_default_name (context), outCacheName) != 0) { -+ char * ccdefname = krb5_cc_default_name (context); -+ if (!ccdefname || strcmp (ccdefname, outCacheName) != 0) { - krb5_cc_set_default_name (context, outCacheName); - } - KLDisposeString (outCacheName); -@@ -102,7 +111,8 @@ krb5int_cc_default(krb5_context context, - char ccname[256]=""; - pLeash_AcquireInitialTicketsIfNeeded(context, NULL, ccname, sizeof(ccname)); - if (ccname[0]) { -- if (strcmp (krb5_cc_default_name (context),ccname) != 0) { -+ char * ccdefname = krb5_cc_default_name (context); -+ if (!ccdefname || strcmp (ccdefname, ccname) != 0) { - krb5_cc_set_default_name (context, ccname); - } - } -Index: src/lib/krb5/krb/get_in_tkt.c -=================================================================== ---- src/lib/krb5/krb/get_in_tkt.c.orig -+++ 
src/lib/krb5/krb/get_in_tkt.c -@@ -290,7 +290,7 @@ verify_as_reply(krb5_context context, - - if (context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) { - retval = krb5_set_real_time(context, -- as_reply->enc_part2->times.authtime, 0); -+ as_reply->enc_part2->times.authtime, -1); - if (retval) - return retval; - } else { -Index: src/lib/krb5/krb/rd_safe.c -=================================================================== ---- src/lib/krb5/krb/rd_safe.c.orig -+++ src/lib/krb5/krb/rd_safe.c -@@ -1,7 +1,7 @@ - /* - * lib/krb5/krb/rd_safe.c - * -- * Copyright 1990,1991 by the Massachusetts Institute of Technology. -+ * Copyright 1990,1991,2007,2008 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may -@@ -114,11 +114,11 @@ krb5_rd_safe_basic(krb5_context context, - - message->checksum = &our_cksum; - -- if ((retval = encode_krb5_safe_with_body(message, &safe_body, &scratch))) -+ retval = encode_krb5_safe_with_body(message, &safe_body, &scratch); -+ message->checksum = his_cksum; -+ if (retval) - goto cleanup; - -- message->checksum = his_cksum; -- - retval = krb5_c_verify_checksum(context, keyblock, - KRB5_KEYUSAGE_KRB_SAFE_CKSUM, - scratch, his_cksum, &valid); -Index: src/lib/krb5/krb/gc_via_tkt.c -=================================================================== ---- src/lib/krb5/krb/gc_via_tkt.c.orig -+++ src/lib/krb5/krb/gc_via_tkt.c -@@ -1,7 +1,7 @@ - /* - * lib/krb5/krb/gc_via_tgt.c - * -- * Copyright 1990,1991 by the Massachusetts Institute of Technology. -+ * Copyright 1990,1991,2007,2008 by the Massachusetts Institute of Technology. - * All Rights Reserved. 
- * - * Export of this software from the United States of America may -@@ -100,6 +100,7 @@ cleanup_keyblock: - - cleanup: - free (*ppcreds); -+ *ppcreds = NULL; - return retval; - } - -@@ -249,7 +250,8 @@ krb5_get_cred_via_tkt (krb5_context cont - switch (err_reply->error) { - case KRB_ERR_GENERIC: - krb5_set_error_message(context, retval, -- "KDC returned error string: %s", -+ "KDC returned error string: %.*s", -+ err_reply->text.length, - err_reply->text.data); - break; - default: -Index: src/slave/kpropd.M -=================================================================== ---- src/slave/kpropd.M.orig -+++ src/slave/kpropd.M -@@ -122,7 +122,7 @@ mode. - .TP - .B \-a - allows the user to specify the path to the --.KR kpropd.acl -+kpropd.acl - file; by default the path used is KPROPD_ACL_FILE - (normally @manlocalstatedir@/krb5kdc/kpropd.acl). - .SH FILES -Index: src/util/depfix.pl -=================================================================== ---- src/util/depfix.pl.orig -+++ src/util/depfix.pl -@@ -214,6 +214,7 @@ my $buf = ''; - while () { - # Strip newline. - chop; -+ next if /^\s*#/; - # Do directory-specific path substitutions on each filename read. - $_ = &do_subs($_); - if (m/\\$/) { -Index: src/util/profile/prof_init.c -=================================================================== ---- src/util/profile/prof_init.c.orig -+++ src/util/profile/prof_init.c -@@ -34,8 +34,11 @@ profile_init(const_profile_filespec_t *f - memset(profile, 0, sizeof(struct _profile_t)); - profile->magic = PROF_MAGIC_PROFILE; - -- /* if the filenames list is not specified return an empty profile */ -- if ( files ) { -+ /* -+ * If the filenames list is not specified or empty, return an empty -+ * profile. 
-+ */ -+ if ( files && !PROFILE_LAST_FILESPEC(*files) ) { - for (fs = files; !PROFILE_LAST_FILESPEC(*fs); fs++) { - retval = profile_open_file(*fs, &new_file); - /* if this file is missing, skip to the next */ -Index: src/kdc/network.c -=================================================================== ---- src/kdc/network.c (Revision 20580) -+++ src/kdc/network.c (Revision 20587) -@@ -277,6 +277,12 @@ - struct connection *newconn; - void *tmp; - -+ if (sock > FD_SETSIZE) { -+ data->retval = EMFILE; /* XXX */ -+ com_err(data->prog, 0, -+ "file descriptor number %d too high", sock); -+ return 0; -+ } - newconn = malloc(sizeof(*newconn)); - if (newconn == 0) { - data->retval = errno; -@@ -360,6 +366,12 @@ - paddr(addr)); - return -1; - } -+ if (sock > FD_SETSIZE) { -+ close(sock); -+ com_err(data->prog, 0, "TCP socket fd number %d (for %s) too high", -+ sock, paddr(addr)); -+ return -1; -+ } - if (setreuseaddr(sock, 1) < 0) - com_err(data->prog, errno, - "Cannot enable SO_REUSEADDR on fd %d", sock); -@@ -791,6 +803,10 @@ - s = accept(conn->fd, addr, &addrlen); - if (s < 0) - return; -+ if (s > FD_SETSIZE) { -+ close(s); -+ return; -+ } - setnbio(s), setnolinger(s); - - sockdata.prog = prog; -Index: src/lib/gssapi/krb5/accept_sec_context.c -=================================================================== ---- src/lib/gssapi/krb5/accept_sec_context.c (Revision 20580) -+++ src/lib/gssapi/krb5/accept_sec_context.c (Revision 20587) -@@ -1,5 +1,5 @@ - /* -- * Copyright 2000, 2004 by the Massachusetts Institute of Technology. -+ * Copyright 2000, 2004, 2008 by the Massachusetts Institute of Technology. - * All Rights Reserved. 
- * - * Export of this software from the United States of America may -@@ -249,6 +249,7 @@ - krb5_data option; - const gss_OID_desc *mech_used = NULL; - OM_uint32 major_status = GSS_S_FAILURE; -+ OM_uint32 tmp_minor_status; - krb5_error krb_error_data; - krb5_data scratch; - gss_cred_id_t cred_handle = NULL; -@@ -903,13 +904,14 @@ - - if (!GSS_ERROR(major_status) && major_status != GSS_S_CONTINUE_NEEDED) { - ctx->k5_context = context; -- return(major_status); -+ context = NULL; -+ goto done; - } - - /* from here on is the real "fail" code */ - - if (ctx) -- (void) krb5_gss_delete_sec_context(minor_status, -+ (void) krb5_gss_delete_sec_context(&tmp_minor_status, - (gss_ctx_id_t *) &ctx, NULL); - if (deleg_cred) { /* free memory associated with the deleg credential */ - if (deleg_cred->ccache) -@@ -936,10 +938,9 @@ - if (decode_req_message) { - krb5_ap_req * request; - -- if (decode_krb5_ap_req(&ap_req, &request)) { -- krb5_free_context(context); -- return (major_status); -- } -+ if (decode_krb5_ap_req(&ap_req, &request)) -+ goto done; -+ - if (request->ap_options & AP_OPTS_MUTUAL_REQUIRED) - gss_flags |= GSS_C_MUTUAL_FLAG; - krb5_free_ap_req(context, request); -@@ -967,20 +968,16 @@ - krb_error_data.server = cred->princ; - - code = krb5_mk_error(context, &krb_error_data, &scratch); -- if (code) { -- krb5_free_context(context); -- return (major_status); -- } -+ if (code) -+ goto done; - - tmsglen = scratch.length; - toktype = KG_TOK_CTX_ERROR; - - token.length = g_token_size(mech_used, tmsglen); - token.value = (unsigned char *) xmalloc(token.length); -- if (!token.value) { -- krb5_free_context(context); -- return (major_status); -- } -+ if (!token.value) -+ goto done; - - ptr = token.value; - g_make_token_header(mech_used, tmsglen, &ptr, toktype); -@@ -990,9 +987,13 @@ - - *output_token = token; - } -+ -+ done: - if (!verifier_cred_handle && cred_handle) { -- krb5_gss_release_cred(minor_status, &cred_handle); -+ krb5_gss_release_cred(&tmp_minor_status, 
&cred_handle); - } -- krb5_free_context(context); -+ if (context) { -+ krb5_free_context(context); -+ } - return (major_status); - } -Index: src/lib/comerr32.def -=================================================================== ---- src/lib/comerr32.def (Revision 20580) -+++ src/lib/comerr32.def (Revision 20587) -@@ -3,10 +3,10 @@ - HEAPSIZE 8192 - - EXPORTS -- com_err -- com_err_va -- error_message -- add_error_table -- remove_error_table -- set_com_err_hook -- reset_com_err_hook -+ com_err @2 -+ com_err_va @3 -+ error_message @4 -+ add_error_table @1 -+ remove_error_table @5 -+ set_com_err_hook @6 -+ reset_com_err_hook @7 -Index: src/lib/kadm5/srv/svr_principal.c -=================================================================== ---- src/lib/kadm5/srv/svr_principal.c (Revision 20580) -+++ src/lib/kadm5/srv/svr_principal.c (Revision 20587) -@@ -2099,7 +2099,8 @@ - * inexact match on the enctype; this behavior will go away when - * the key storage architecture gets redesigned for 1.3. - */ -- keyblock->enctype = ktype; -+ if (ktype != -1) -+ keyblock->enctype = ktype; - - if (kvnop) - *kvnop = key_data->key_data_kvno; -Index: src/lib/krb5/os/sendto_kdc.c -=================================================================== ---- src/lib/krb5/os/sendto_kdc.c (Revision 20580) -+++ src/lib/krb5/os/sendto_kdc.c (Revision 20587) -@@ -654,6 +654,12 @@ - dprint("socket: %m creating with af %d\n", state->err, ai->ai_family); - return -1; /* try other hosts */ - } -+ if (fd >= FD_SETSIZE) { -+ close(fd); -+ state->err = EMFILE; -+ dprint("socket: fd %d too high\n", fd); -+ return -1; -+ } - /* Make it non-blocking. */ - if (ai->ai_socktype == SOCK_STREAM) { - static const int one = 1; - - diff --git a/krb5-1.6.3-rpmlintrc b/krb5-1.6.3-rpmlintrc deleted file mode 100644 index 6784c51..0000000 --- a/krb5-1.6.3-rpmlintrc +++ /dev/null 
@@ -1,2 +0,0 @@ -addFilter("devel-file-in-non-devel-package .*libgssapi_krb5.so") -addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5login.5.gz") diff --git a/krb5-1.6.3.tar.bz2 b/krb5-1.6.3.tar.bz2 deleted file mode 100644 index 79fcab7..0000000 --- a/krb5-1.6.3.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:c272bea49a48059f9a31bca38e9d838c9b52d4257ba764aaed24783c24b36173 -size 10091032 diff --git a/trunk-manpaths.dif b/krb5-1.7-manpaths.dif similarity index 83% rename from trunk-manpaths.dif rename to krb5-1.7-manpaths.dif index fb9e7a9..94c7f47 100644 --- a/trunk-manpaths.dif +++ b/krb5-1.7-manpaths.dif @@ -1,8 +1,8 @@ -Index: krb5-1.6.3/src/appl/bsd/klogind.M +Index: trunk/src/appl/bsd/klogind.M =================================================================== ---- krb5-1.6.3.orig/src/appl/bsd/klogind.M -+++ krb5-1.6.3/src/appl/bsd/klogind.M +--- trunk.orig/src/appl/bsd/klogind.M ++++ trunk/src/appl/bsd/klogind.M @@ -27,7 +27,7 @@ server is invoked by \fIinetd(8)\fP when the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf configuration line for \fIklogind\fP might be: @@ -12,10 +12,10 @@ Index: krb5-1.6.3/src/appl/bsd/klogind.M When a service request is received, the following protocol is initiated: -Index: krb5-1.6.3/src/appl/bsd/kshd.M +Index: trunk/src/appl/bsd/kshd.M =================================================================== ---- krb5-1.6.3.orig/src/appl/bsd/kshd.M -+++ krb5-1.6.3/src/appl/bsd/kshd.M +--- trunk.orig/src/appl/bsd/kshd.M ++++ trunk/src/appl/bsd/kshd.M @@ -8,7 +8,7 @@ .SH NAME kshd \- kerberized remote shell server 
@@ -34,10 +34,10 @@ Index: krb5-1.6.3/src/appl/bsd/kshd.M When a service request is received, the following protocol is initiated: -Index: krb5-1.6.3/src/appl/sample/sserver/sserver.M +Index: trunk/src/appl/sample/sserver/sserver.M =================================================================== ---- krb5-1.6.3.orig/src/appl/sample/sserver/sserver.M -+++ krb5-1.6.3/src/appl/sample/sserver/sserver.M +--- trunk.orig/src/appl/sample/sserver/sserver.M ++++ trunk/src/appl/sample/sserver/sserver.M @@ -59,7 +59,7 @@ option allows for a different keytab tha using a line in /etc/inetd.conf that looks like this: @@ -47,10 +47,10 @@ Index: krb5-1.6.3/src/appl/sample/sserver/sserver.M .PP Since \fBsample\fP is normally not a port defined in /etc/services, you will usually have to add a line to /etc/services which looks like this: -Index: krb5-1.6.3/src/appl/telnet/telnetd/telnetd.8 +Index: trunk/src/appl/telnet/telnetd/telnetd.8 =================================================================== ---- krb5-1.6.3.orig/src/appl/telnet/telnetd/telnetd.8 -+++ krb5-1.6.3/src/appl/telnet/telnetd/telnetd.8 +--- trunk.orig/src/appl/telnet/telnetd/telnetd.8 ++++ trunk/src/appl/telnet/telnetd/telnetd.8 @@ -37,7 +37,7 @@ telnetd \- .SM DARPA TELNET protocol server @@ -60,10 +60,10 @@ Index: krb5-1.6.3/src/appl/telnet/telnetd/telnetd.8 [\fB\-a\fP \fIauthmode\fP] [\fB\-B\fP] [\fB\-D\fP] [\fIdebugmode\fP] [\fB\-e\fP] [\fB\-h\fP] [\fB\-I\fP\fIinitid\fP] [\fB\-l\fP] [\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP] -Index: krb5-1.6.3/src/config-files/kdc.conf.M +Index: trunk/src/config-files/kdc.conf.M =================================================================== ---- krb5-1.6.3.orig/src/config-files/kdc.conf.M -+++ krb5-1.6.3/src/config-files/kdc.conf.M +--- trunk.orig/src/config-files/kdc.conf.M ++++ trunk/src/config-files/kdc.conf.M @@ -82,14 +82,14 @@ This .B string specifies the location of the access control list (acl) file that 
@@ -81,7 +81,7 @@ Index: krb5-1.6.3/src/config-files/kdc.conf.M .IP database_name This -@@ -239,7 +239,7 @@ tickets should be checked against the tr +@@ -257,7 +257,7 @@ tickets should be checked against the tr realm names and the [capaths] section of its krb5.conf file .SH FILES @@ -90,12 +90,12 @@ Index: krb5-1.6.3/src/config-files/kdc.conf.M .SH SEE ALSO krb5.conf(5), krb5kdc(8) -Index: krb5-1.6.3/src/configure.in +Index: trunk/src/configure.in =================================================================== ---- krb5-1.6.3.orig/src/configure.in -+++ krb5-1.6.3/src/configure.in -@@ -944,6 +944,73 @@ if false; then - fi +--- trunk.orig/src/configure.in ++++ trunk/src/configure.in +@@ -1041,6 +1041,69 @@ dnl + AC_CONFIG_SUBDIRS(appl/libpty appl/bsd appl/gssftp appl/telnet) AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) + @@ -124,7 +124,6 @@ Index: krb5-1.6.3/src/configure.in + appl/bsd/rcp.M + appl/bsd/rlogin.M + appl/bsd/rsh.M -+ appl/bsd/v4rcp.M + appl/gssftp/ftpd/ftpd.M + appl/gssftp/ftp/ftp.M + appl/sample/sclient/sclient.M @@ -150,10 +149,7 @@ Index: krb5-1.6.3/src/configure.in + kadmin/ktutil/ktutil.M + kadmin/passwd/kpasswd.M + kadmin/server/kadmind.M -+ kdc/fakeka.M + kdc/krb5kdc.M -+ krb524/k524init.M -+ krb524/krb524d.M + krb5-config.M + plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M + slave/kpropd.M @@ -168,11 +164,11 @@ Index: krb5-1.6.3/src/configure.in V5_AC_OUTPUT_MAKEFILE(. util util/support util/profile util/send-pr -Index: krb5-1.6.3/src/kadmin/cli/kadmin.M +Index: trunk/src/kadmin/cli/kadmin.M =================================================================== ---- krb5-1.6.3.orig/src/kadmin/cli/kadmin.M -+++ krb5-1.6.3/src/kadmin/cli/kadmin.M -@@ -808,9 +808,9 @@ option is specified, less verbose status +--- trunk.orig/src/kadmin/cli/kadmin.M ++++ trunk/src/kadmin/cli/kadmin.M +@@ -840,9 +840,9 @@ option is specified, less verbose status .RS .TP EXAMPLE: 
@@ -184,7 +180,7 @@ Index: krb5-1.6.3/src/kadmin/cli/kadmin.M kadmin: .RE .fi -@@ -852,7 +852,7 @@ passwords. +@@ -884,7 +884,7 @@ passwords. .SH HISTORY The .B kadmin @@ -193,10 +189,10 @@ Index: krb5-1.6.3/src/kadmin/cli/kadmin.M OpenVision Kerberos administration program. .SH SEE ALSO .IR kerberos (1), -Index: krb5-1.6.3/src/slave/kprop.M +Index: trunk/src/slave/kprop.M =================================================================== ---- krb5-1.6.3.orig/src/slave/kprop.M -+++ krb5-1.6.3/src/slave/kprop.M +--- trunk.orig/src/slave/kprop.M ++++ trunk/src/slave/kprop.M @@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv This is done by transmitting the dumped database file to the slave server over an encrypted, secure channel. The dump file must be created @@ -215,11 +211,11 @@ Index: krb5-1.6.3/src/slave/kprop.M .TP \fB\-P\fP \fIport\fP specifies the port to use to contact the -Index: krb5-1.6.3/src/slave/kpropd.M +Index: trunk/src/slave/kpropd.M =================================================================== ---- krb5-1.6.3.orig/src/slave/kpropd.M -+++ krb5-1.6.3/src/slave/kpropd.M -@@ -69,7 +69,7 @@ Normally, kpropd is invoked out of +--- trunk.orig/src/slave/kpropd.M ++++ trunk/src/slave/kpropd.M +@@ -74,7 +74,7 @@ Normally, kpropd is invoked out of This is done by adding a line to the inetd.conf file which looks like this: @@ -228,7 +224,7 @@ Index: krb5-1.6.3/src/slave/kpropd.M However, kpropd can also run as a standalone deamon, if the .B \-S -@@ -87,13 +87,13 @@ is used. +@@ -111,13 +111,13 @@ is used. \fB\-f\fP \fIfile\fP specifies the filename where the dumped principal database file is to be stored; by default the dumped database file is KPROPD_DEFAULT_FILE 
@@ -244,9 +240,9 @@ Index: krb5-1.6.3/src/slave/kprop.M
 .TP
 .B \-S
 turn on standalone mode. Normally, kpropd is invoked out of
-@@ -124,14 +124,14 @@ mode.
+@@ -148,14 +148,14 @@ mode.
 allows the user to specify the path to the
- .KR kpropd.acl
+ kpropd.acl
 file; by default the path used is KPROPD_ACL_FILE
 -(normally /usr/local/var/krb5kdc/kpropd.acl).
 +(normally @manlocalstatedir@/krb5kdc/kpropd.acl).
diff --git a/krb5-trunk-manpaths.txt b/krb5-1.7-manpaths.txt
similarity index 93%
rename from krb5-trunk-manpaths.txt
rename to krb5-1.7-manpaths.txt
index 69c0192..a85dcae 100644
--- a/krb5-trunk-manpaths.txt
+++ b/krb5-1.7-manpaths.txt
@@ -4,7 +4,6 @@ appl/bsd/login.M
 appl/bsd/rcp.M
 appl/bsd/rlogin.M
 appl/bsd/rsh.M
-appl/bsd/v4rcp.M
 appl/gssftp/ftpd/ftpd.M
 appl/gssftp/ftp/ftp.M
 appl/sample/sclient/sclient.M
@@ -30,10 +29,7 @@ kadmin/dbutil/kdb5_util.M
 kadmin/ktutil/ktutil.M
 kadmin/passwd/kpasswd.M
 kadmin/server/kadmind.M
-kdc/fakeka.M
 kdc/krb5kdc.M
-krb524/k524init.M
-krb524/krb524d.M
 krb5-config.M
 plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M
 slave/kpropd.M
diff --git a/krb5-1.7-rpmlintrc b/krb5-1.7-rpmlintrc
new file mode 100644
index 0000000..aaee6d3
--- /dev/null
+++ b/krb5-1.7-rpmlintrc
@@ -0,0 +1,6 @@
+addFilter("devel-file-in-non-devel-package .*libgssapi_krb5.so")
+addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5login.5.gz")
+addFilter("files-duplicate .*css")
+addFilter("files-duplicate .*img.*png")
+addFilter("devel-file-in-non-devel-package .*libkdb_ldap.so")
+addFilter("shlib-policy-missing-suffix")
diff --git a/krb5-1.7.tar.bz2 b/krb5-1.7.tar.bz2
new file mode 100644
index 0000000..9efcda8
--- /dev/null
+++ b/krb5-1.7.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2043f38c46a9721cfab28f0fdf876af17d542cab458a87d0324783189e9570cd
+size 10407001
diff --git a/krb5-doc-1.6.3-rpmlintrc b/krb5-doc-1.7-rpmlintrc
similarity index 100%
rename from krb5-doc-1.6.3-rpmlintrc
rename to krb5-doc-1.7-rpmlintrc
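Review bot: The last line of the new krb5-1.7-rpmlintrc, `addFilter("shlib-policy-missing-suffix")`, carries no package or file pattern, so it silences the shared-library packaging check for every subpackage built from this spec, and for any library added later, rather than for the one object that triggered it. The other five filters in the same hunk each name the file they exempt, and this one should follow suit, e.g. `addFilter("shlib-policy-missing-suffix .*libkdb_ldap")` if that is the offending library; the hunk does not show which one it was, so the pattern needs to be confirmed against the rpmlint output before narrowing it. A one-line comment above the filter saying why the policy is being waived would also help the next maintainer decide when it can be dropped.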
diff --git a/krb5-doc.changes b/krb5-doc.changes
index 244fa1c..7aeb8cb 100644
--- a/krb5-doc.changes
+++ b/krb5-doc.changes
@@ -1,3 +1,19 @@
+-------------------------------------------------------------------
+Wed Jun 3 10:47:07 CEST 2009 - mc@suse.de
+
+- update to final version 1.7
+
+-------------------------------------------------------------------
+Wed May 13 11:34:07 CEST 2009 - mc@suse.de
+
+- update to version 1.7 Beta2
+
+-------------------------------------------------------------------
+Mon Feb 16 13:08:05 CET 2009 - mc@suse.de
+
+- update to pre 1.7 version
+ * remove outdated documentation for kadm5 API
+
 -------------------------------------------------------------------
 Fri Jul 25 12:17:10 CEST 2008 - mc@suse.de
diff --git a/krb5-doc.spec b/krb5-doc.spec
index b3ac526..995087e 100644
--- a/krb5-doc.spec
+++ b/krb5-doc.spec
@@ -1,5 +1,5 @@
 #
-# spec file for package krb5-doc (Version 1.6.3)
+# spec file for package krb5-doc (Version 1.7)
 #
 # Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@@ -20,20 +20,18 @@ Name: krb5-doc
 BuildRequires: ghostscript-library latex2html texlive
-Version: 1.6.3
-Release: 133
-%define srcRoot krb5-1.6.3
+Version: 1.7
+Release: 4
+%define srcRoot krb5-1.7
 Summary: MIT Kerberos5 Implementation--Documentation
-License: X11/MIT
+License: MIT License (or similar)
 Url: http://web.mit.edu/kerberos/www/
 Group: Documentation/Other
-Source: krb5-1.6.3.tar.bz2
+Source: krb5-%{version}.tar.bz2
 Source1: README.Source
-Source2: Makefile.kadm5
 Source3: %{name}-%{version}-rpmlintrc
 Patch0: krb5-1.3.5-perlfix.dif
 Patch1: krb5-1.6.3-texi2dvi-fix.dif
-Patch2: krb5-1.6.3-post.dif
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildArch: noarch
@@ -56,8 +54,6 @@ Authors:
 %setup -n %{srcRoot}
 %patch0
 %patch1
-%patch2
-cp %{_sourcedir}/Makefile.kadm5 %{_builddir}/%{srcRoot}/doc/kadm5/Makefile
 %build
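Review bot: In the `@@ -20,20 +20,18 @@` hunk the new `Source: krb5-%{version}.tar.bz2` line is the only reference to the upstream tarball, with nothing beside it to verify where that tarball came from; the sha256 in the LFS pointer committed alongside pins whatever was checked in, not what MIT released. MIT distributes detached PGP signatures for its release tarballs, so adding `Source2: krb5-%{version}.tar.bz2.asc` (the `Source2:` slot is freed in this same hunk by dropping `Makefile.kadm5`) together with a maintainer keyring would give source validation something to check against the upstream key. Whether this package's build service honours `.asc`/keyring sources is not visible in the diff and should be confirmed before relying on it.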
@@ -68,17 +64,13 @@ make
 make implementor.ps
 make -C api
 make -C implement
-make -C kadm5
-cd api
-latex2html -dir ../html/library -mkdir library.tex
-latex2html -dir ../html/libdes -mkdir libdes.tex
-cd ../implement
-latex2html -dir ../html/implement -mkdir implement.tex
-cd ..
-#mv krb5-admin html/
-#mv krb5-install html/
-#mv krb5-user html/
-#mv krb425 html/
+#make -C kadm5
+#cd api
+#latex2html -dir ../html/library -mkdir library.tex
+#latex2html -dir ../html/libdes -mkdir libdes.tex
+#cd ../implement
+#latex2html -dir ../html/implement -mkdir implement.tex
+#cd ..
 mv *.html html/
 cd ..
 find . -type f -name '*.ps' -exec gzip -9 {} \;
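Review bot: The seven new lines from `#make -C kadm5` to `#cd ..` replace the kadm5 and latex2html steps with commented-out copies instead of deleting them, so the %build section now carries dead code with no note on why it is disabled or whether it is meant to come back. The same commit removes `Makefile.kadm5`, `Patch2` and `doc/kadm5/*.ps.gz` from %files, which suggests the kadm5 sources are simply gone in 1.7; if so, drop the lines outright. If the library/libdes/implement HTML generation is only temporarily off, keep a single comment in their place such as `# kadm5 docs removed upstream in 1.7; api/implement latex2html output disabled pending fix -- see krb5-doc.changes` rather than the raw commented commands. The `%build` section header sits outside this hunk, so the surrounding context is inferred.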
@@ -89,134 +81,34 @@ rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
 rm -f /usr/share/man/man1/tmac.doc*
 rm -rf /usr/lib/mit/share
 rm -rf %{buildroot}/usr/lib/mit/share
-rm -f doc/html/*/WARNINGS
-rm -f doc/html/*/images.aux
-rm -f doc/html/*/labels.pl
-# check for duplicate files and replace them with a link
-cd doc/html/api-funcspec
-if cmp --quiet api-funcspec.html index.html ; then
- rm -f index.html
- ln -s api-funcspec.html index.html
-fi
-cd ../library
-if cmp --quiet library.html index.html ; then
- rm -f index.html
- ln -s library.html index.html
-fi
-cd ../api-server-design
-if cmp --quiet api-server-design.html index.html ; then
- rm -f index.html
- ln -s api-server-design.html index.html
-fi
-cd ../adb-unit-test
-if cmp --quiet adb-unit-test.html index.html ; then
- rm -f index.html
- ln -s adb-unit-test.html index.html
-fi
-cd ../api-unit-test
-if cmp --quiet api-unit-test.html index.html ; then
- rm -f index.html
- ln -s api-unit-test.html index.html
-fi
-cd ../libdes
-if cmp --quiet libdes.html index.html ; then
- rm -f index.html
- ln -s libdes.html index.html
-fi
-cd ../implement
-if cmp --quiet implement.html index.html ; then
- rm -f index.html
- ln -s implement.html index.html
-fi
-cd ../..
+#rm -f doc/html/*/WARNINGS
+#rm -f doc/html/*/images.aux
+#rm -f doc/html/*/labels.pl
+#### check for duplicate files and replace them with a link
+#cd doc/html/library
+#if cmp --quiet library.html index.html ; then
+# rm -f index.html
+# ln -s library.html index.html
+#fi
+#cd ../libdes
+#if cmp --quiet libdes.html index.html ; then
+# rm -f index.html
+# ln -s libdes.html index.html
+#fi
+#cd ../implement
+#if cmp --quiet implement.html index.html ; then
+# rm -f index.html
+# ln -s implement.html index.html
+#fi
+#cd ../..
 %clean
 rm -rf %{buildroot}
 %files
 %defattr(-,root,root)
-%doc doc/*.ps.gz doc/api/*.ps.gz doc/implement/*.ps.gz doc/kadm5/*.ps.gz
+%doc doc/*.ps.gz doc/api/*.ps.gz doc/implement/*.ps.gz
 %doc doc/krb5-protocol doc/kadmin
 %doc doc/html
 %changelog
-* Fri Jul 25 2008 mc@suse.de
-- add patches from SVN post 1.6.3
- * some fixes in the man pages
-* Wed Jun 18 2008 mc@suse.de
-- reduce rpmlint warnings
-* Tue Oct 23 2007 mc@suse.de
-- update to krb5 version 1.6.3
- * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
- * fix CVE-2007-4000 modify_policy vulnerability
- * Add PKINIT support
-- remove patches which are upstream now
-- enhance init scripts and xinetd profiles
-* Thu Jul 12 2007 mc@suse.de
-- update to version 1.6.2
-- remove krb5-1.6.1-post.dif all fixes are included in this release
-* Wed Jun 13 2007 sschober@suse.de
-- removed executable permission from doc file
-* Mon Apr 23 2007 mc@suse.de
-- update to final 1.6.1 version
-- replace te_ams with texlive in BuildRequires
-* Wed Apr 18 2007 mc@suse.de
-- build implementor.ps
-* Mon Apr 16 2007 mc@suse.de
-- update to version 1.6.1 Beta1
-- remove obsolete patches
- (krb5-1.6-post.dif, krb5-1.6-patchlevel.dif)
-* Mon Feb 19 2007 mc@suse.de
-- add krb5-1.6-post.dif
-* Mon Jan 22 2007 mc@suse.de
-- update to version 1.6
- * Major changes in 1.6 include
- * Partial client implementation to handle server name referrals.
- * Pre-authentication plug-in framework, donated by Red Hat.
- * LDAP KDB plug-in, donated by Novell.
-* Thu Aug 24 2006 mc@suse.de
-- update to version 1.5.1
-- remove obsolete patches which are now included upstream
- * krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif
- * trunk-fix-uninitialized-vars.dif
-* Mon Jul 03 2006 mc@suse.de
-- update to version 1.5
- * KDB abstraction layer, donated by Novell.
- * plug-in architecture, allowing for extension modules to be
- loaded at run-time.
- * multi-mechanism GSS-API implementation ("mechglue"),
- donated by Sun Microsystems
- * Simple and Protected GSS-API negotiation mechanism ("SPNEGO")
- implementation, donated by Sun Microsystems
-- remove obsolete patches and add some new
-* Mon Mar 13 2006 mc@suse.de
-- set BuildArchitectures to noarch
-- set norootforbuild
-* Wed Jan 25 2006 mls@suse.de
-- converted neededforbuild to BuildRequires
-* Fri Nov 18 2005 mc@suse.de
-- update to version 1.4.3
-- fix tex for kadm5 documentation (krb5-1.4.3-kadm5-tex.dif)
-* Wed Oct 12 2005 mc@suse.de
-- build kadm5 documentation
-- build documentation also as html
-- include the text only documentation
-* Tue Oct 11 2005 mc@suse.de
-- update to version 1.4.2
-- remove some obsolet patches
-* Mon Jun 27 2005 mc@suse.de
-- update to version 1.4.1
-- remove obsolet patches
- - krb5-1.4-VUL-0-telnet.dif
-* Thu Feb 10 2005 ro@suse.de
-- added libpng to neededforbuild (for tetex)
-* Fri Feb 04 2005 mc@suse.de
-- remove spx.c from tarball because of legal risk
-- add README.Source which tell the user about this
- action.
-* Fri Jan 28 2005 mc@suse.de
-- update to version 1.4
-* Mon Jan 10 2005 mc@suse.de
-- update to version 1.3.6
-* Tue Dec 14 2004 mc@suse.de
-- initial release
diff --git a/krb5-mini.changes b/krb5-mini.changes
new file mode 100644
index 0000000..b8f2847
--- /dev/null
+++ b/krb5-mini.changes
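Review bot: The section edited by the `@@ -89,134 +81,34 @@` hunk still runs `rm -f /usr/share/man/man1/tmac.doc*` and `rm -rf /usr/lib/mit/share` against the build host's root filesystem rather than `%{buildroot}`; they sit as context lines directly above the rewritten cleanup block, next to their correct `%{buildroot}`-prefixed twins. In an unisolated build those two commands delete real system files, and in a chroot/VM build they are at best a no-op that hides an install step going to the wrong prefix, so the fix is to drop both lines and keep only the `%{buildroot}` forms. They predate this commit, but since the commit rewrites the surrounding cleanup it is the right moment; the section header (presumably %install) is outside the hunk, so that placement is inferred. Separately, the twenty new `#rm -f doc/html/*/WARNINGS` … `#cd ../..` lines are commented out rather than removed, with no note on why; if the library/libdes/implement HTML is no longer produced, delete them, otherwise replace them with one comment saying what is pending.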
@@ -0,0 +1,693 @@
+-------------------------------------------------------------------
+Wed Jun 3 10:23:42 CEST 2009 - mc@suse.de
+
+- update to final 1.7 release
+
+-------------------------------------------------------------------
+Wed May 13 11:30:42 CEST 2009 - mc@suse.de
+
+- update to version 1.7 Beta2
+ * Incremental propagation support for the KDC database.
+ * Flexible Authentication Secure Tunneling (FAST), a preauthentiation
+ framework that can protect the AS exchange from dictionary attack.
+ * Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which
+ allows a GSS application to request credential delegation only if
+ permitted by KDC policy.
+ * Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --
+ various vulnerabilities in SPNEGO and ASN.1 code.
+
+-------------------------------------------------------------------
+Mon Feb 16 13:04:26 CET 2009 - mc@suse.de
+
+- update to pre 1.7 version
+ * Remove support for version 4 of the Kerberos protocol (krb4).
+ * New libdefaults configuration variable "allow_weak_crypto".
+ * Client library now follows client principal referrals, for
+ compatibility with Windows.
+ * KDC can issue realm referrals for service principals based on domain
+ names.
+ * Encryption algorithm negotiation (RFC 4537).
+ * In the replay cache, use a hash over the complete ciphertext to
+ avoid false-positive replay indications.
+ * Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
+ similar to the equivalent SSPI functionality.
+ * DCE RPC, including three-leg GSS context setup and unencapsulated
+ GSS tokens.
+ * NTLM recognition support in GSS-API, to facilitate dropping in an
+ NTLM implementation.
+ * KDC support for principal aliases, if the back end supports them.
+ * Microsoft set/change password (RFC 3244) protocol in kadmind.
+ * Master key rollover support.
+
+-------------------------------------------------------------------
+Wed Jan 14 09:21:36 CET 2009 - olh@suse.de
+
+- obsolete also old heimdal-lib-XXbit and heimdal-devel-XXbit
+
+-------------------------------------------------------------------
+Thu Dec 11 14:12:57 CET 2008 - mc@suse.de
+
+- do not query IPv6 addresses if no IPv6 address exists on this host
+ [bnc#449143]
+
+-------------------------------------------------------------------
+Wed Dec 10 12:34:56 CET 2008 - olh@suse.de
+
+- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade
+ (bnc#437293)
+
+-------------------------------------------------------------------
+Thu Oct 30 12:34:56 CET 2008 - olh@suse.de
+
+- obsolete old -XXbit packages (bnc#437293)
+
+-------------------------------------------------------------------
+Fri Sep 26 18:13:19 CEST 2008 - mc@suse.de
+
+- in case we use ldap as database backend, ldap should be
+ started before krb5kdc
+
+-------------------------------------------------------------------
+Mon Jul 28 10:43:29 CEST 2008 - mc@suse.de
+
+- add new fixes to post 1.6.3 patch
+ * fix mem leak in krb5_gss_accept_sec_context()
+ * keep minor_status
+ * kadm5_decrypt_key: A ktype of -1 is documented as meaning
+ "to be ignored"
+ * Reject socket fds > FD_SETSIZE
+
+-------------------------------------------------------------------
+Fri Jul 25 12:13:24 CEST 2008 - mc@suse.de
+
+- add patches from SVN post 1.6.3
+ * krb5_string_to_keysalts: Fix an infinite loop
+ * fix some mutex issues
+ * better recovery from corrupt rcache files
+ * some more small fixes
+
+-------------------------------------------------------------------
+Wed Jun 18 15:30:18 CEST 2008 - mc@suse.de
+
+- add case-insensitive.dif (FATE#300771)
+- minor fixes for ktutil man page
+- reduce rpmlint warnings
+
+-------------------------------------------------------------------
+Wed May 14 17:44:59 CEST 2008 - mc@suse.de
+
+- Fall back to TCP on kdc-unresolvable/unreachable errors.
+- restore valid sequence number before generating requests
+ (fix changing passwords in mixed ipv4/ipv6 enviroments)
+
+-------------------------------------------------------------------
+Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de
+
+- added baselibs.conf file to build xxbit packages
+ for multilib support
+
+-------------------------------------------------------------------
+Wed Apr 9 12:04:48 CEST 2008 - mc@suse.de
+
+- modify krb5-config to not output rpath and cflags in --libs
+ (bnc#378270)
+
+-------------------------------------------------------------------
+Fri Mar 14 11:27:55 CET 2008 - mc@suse.de
+
+- fix two security bugs:
+ * MITKRB5-SA-2008-001(CVE-2008-0062, CVE-2008-0063)
+ fix double free [bnc#361373]
+ * MITKRB5-SA-2008-002(CVE-2008-0947, CVE-2008-0948)
+ Memory corruption while too many open file descriptors
+ [bnc#363151]
+- change default config file. Comment out the examples.
+
+-------------------------------------------------------------------
+Fri Dec 14 10:48:52 CET 2007 - mc@suse.de
+
+- fix several security bugs:
+ * CVE-2007-5894 apparent uninit length
+ * CVE-2007-5902 integer overflow
+ * CVE-2007-5971 free of non-heap pointer and double-free
+ * CVE-2007-5972 double fclose()
+ [#346745, #346748, #346746, #346749, #346747]
+
+-------------------------------------------------------------------
+Tue Dec 4 16:36:07 CET 2007 - mc@suse.de
+
+- improve GSSAPI error messages
+
+-------------------------------------------------------------------
+Tue Nov 6 13:53:17 CET 2007 - mc@suse.de
+
+- add coreutils to PreReq
+
+-------------------------------------------------------------------
+Tue Oct 23 10:24:25 CEST 2007 - mc@suse.de
+
+- update to krb5 version 1.6.3
+ * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
+ * fix CVE-2007-4000 modify_policy vulnerability
+ * Add PKINIT support
+- remove patches which are upstream now
+- enhance init scripts and xinetd profiles
+
+-------------------------------------------------------------------
+Fri Sep 14 12:08:55 CEST 2007 - mc@suse.de
+
+- update krb5-1.6.2-post.dif
+ * If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that
+ that the client library will not failover to the next KDC.
+ [#310540]
+
+-------------------------------------------------------------------
+Tue Sep 11 15:09:14 CEST 2007 - mc@suse.de
+
+- update krb5-1.6.2-post.dif
+ * new -S sname option for kvno
+ * read_entropy_from_device on partial read will not fill buffer
+ * Bail out if encoded "ticket" doesn't decode correctly.
+ * patch for referrals loop
+
+-------------------------------------------------------------------
+Thu Sep 6 10:43:39 CEST 2007 - mc@suse.de
+
+- fix a problem with the originally published patch
+ for MITKRB5-SA-2007-006 - CVE-2007-3999
+ [#302377]
+
+-------------------------------------------------------------------
+Wed Sep 5 12:18:21 CEST 2007 - mc@suse.de
+
+- fix execute arbitrary code
+ (MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000)
+ [#302377]
+
+-------------------------------------------------------------------
+Tue Aug 7 11:56:41 CEST 2007 - mc@suse.de
+
+- add krb5-1.6.2-post.dif
+ * during the referrals loop, check to see if the
+ session key enctype of a returned credential for the final
+ service is among the enctypes explicitly selected by the
+ application, and retry with old_use_conf_ktypes if it is not.
+ * If mkstemp() is available, the new ccache file gets created but
+ the subsequent open(O_CREAT|O_EXCL) call fails because the file
+ was already created by mkstemp(). Apply patch from Apple to keep
+ the file descriptor open.
+
+-------------------------------------------------------------------
+Thu Jul 12 17:01:28 CEST 2007 - mc@suse.de
+
+- update to version 1.6.2
+- remove krb5-1.6.1-post.dif all fixes are included in this release
+
+-------------------------------------------------------------------
+Thu Jul 5 18:10:28 CEST 2007 - mc@suse.de
+
+- change requires to libcom_err-devel
+
+-------------------------------------------------------------------
+Mon Jul 2 11:26:47 CEST 2007 - mc@suse.de
+
+- update krb5-1.6.1-post.dif
+ * fix leak in krb5_walk_realm_tree
+ * rd_req_decoded needs to deal with referral realms
+ * fix buffer overflow in kadmind
+ (MITKRB5-SA-2007-005 - CVE-2007-2798)
+ [#278689]
+ * fix kadmind code execution bug
+ (MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443)
+ [#271191]
+
+-------------------------------------------------------------------
+Thu Jun 14 17:44:12 CEST 2007 - mc@suse.de
+
+- fix unstripped-binary-or-object rpmlint warning
+
+-------------------------------------------------------------------
+Mon Jun 11 18:04:23 CEST 2007 - sschober@suse.de
+
+- fixing rpmlint warnings and errors:
+ * merged logrotate scripts kadmin and krb5kdc into a single file
+ krb5-server.
+ * moved heimdal2mit-DumpConvert.pl and simple_convert_krb5conf.pl
+ from /usr/share/doc/packages/krb5 to /usr/lib/mit/helper.
+ adapted krb5.spec and README.ConvertHeimdalMIT accordingly.
+ * added surpression filter for
+ "devel-file-in-non-devel-package /usr/lib/libgssapi_krb5.so"
+ (see [#147912]).
+ * set default runlevel of init scripts in chkconfig line to 3 and
+ 5
+
+-------------------------------------------------------------------
+Wed May 9 15:30:53 CEST 2007 - mc@suse.de
+
+- fix uninitialized salt length
+- add extra check for keytab file
+
+-------------------------------------------------------------------
+Thu May 3 12:11:29 CEST 2007 - mc@suse.de
+
+- adding krb5-1.6.1-post.dif
+ * fix segfault in krb5_get_init_creds_password
+ * remove debug output in ftp client
+ * profile stores empty string values without double quotes
+
+-------------------------------------------------------------------
+Mon Apr 23 11:15:10 CEST 2007 - mc@suse.de
+
+- update to final 1.6.1 version
+
+-------------------------------------------------------------------
+Wed Apr 18 14:48:03 CEST 2007 - mc@suse.de
+
+- add plugin directories to main package
+
+-------------------------------------------------------------------
+Mon Apr 16 14:38:08 CEST 2007 - mc@suse.de
+
+- update to version 1.6.1 Beta1
+- remove obsolete patches
+ (krb5-1.6-post.dif, krb5-1.6-patchlevel.dif)
+- rework compile_pie patch
+
+-------------------------------------------------------------------
+Wed Apr 11 10:58:09 CEST 2007 - mc@suse.de
+
+- update krb5-1.6-post.dif
+ * fix kadmind stack overflow in krb5_klog_syslog
+ (MITKRB5-SA-2007-002 - CVE-2007-0957)
+ [#253548]
+ * fix double free attack in the RPC library
+ (MITKRB5-SA-2007-003 - CVE-2007-1216)
+ [#252487]
+ * fix krb5 telnetd login injection
+ (MIT-SA-2007-001 - CVE-2007-0956)
+ #247765
+
+-------------------------------------------------------------------
+Thu Mar 29 12:41:57 CEST 2007 - mc@suse.de
+
+- add ncurses-devel and bison to BuildRequires
+- rework some patches
+
+-------------------------------------------------------------------
+Mon Mar 5 11:01:20 CET 2007 - mc@suse.de
+
+- move SuSEFirewall service definitions to
+ /etc/sysconfig/SuSEfirewall2.d/services
+
+-------------------------------------------------------------------
+Thu Feb 22 11:13:48 CET 2007 - mc@suse.de
+
+- add firewall definition to krb5-server, FATE #300687
+
+-------------------------------------------------------------------
+Mon Feb 19 13:59:43 CET 2007 - mc@suse.de
+
+- update krb5-1.6-post.dif
+- move some applications into the right package
+
+-------------------------------------------------------------------
+Fri Feb 9 13:31:22 CET 2007 - mc@suse.de
+
+- update krb5-1.6-post.dif
+
+-------------------------------------------------------------------
+Mon Jan 29 11:27:23 CET 2007 - mc@suse.de
+
+- krb5-1.6-fix-passwd-tcp.dif and krb5-1.6-fix-sendto_kdc-memset.dif
+ are now upstream. Remove patches.
+- fix leak in krb5_kt_resolve and krb5_kt_wresolve
+
+-------------------------------------------------------------------
+Tue Jan 23 17:21:12 CET 2007 - mc@suse.de
+
+- fix "local variable used before set" in ftp.c
+ [#237684]
+
+-------------------------------------------------------------------
+Mon Jan 22 16:39:27 CET 2007 - mc@suse.de
+
+- krb5-devel should require keyutils-devel
+
+-------------------------------------------------------------------
+Mon Jan 22 12:19:49 CET 2007 - mc@suse.de
+
+- update to version 1.6
+ * Major changes in 1.6 include
+ * Partial client implementation to handle server name referrals.
+ * Pre-authentication plug-in framework, donated by Red Hat.
+ * LDAP KDB plug-in, donated by Novell.
+- remove obsolete patches
+
+-------------------------------------------------------------------
+Wed Jan 10 11:16:30 CET 2007 - mc@suse.de
+
+- fix for
+ kadmind (via RPC library) calls uninitialized function pointer
+ (CVE-2006-6143)(Bug #225990)
+ krb5-1.5-MITKRB5-SA-2006-002-fix-code-exec.dif
+- fix for
+ kadmind (via GSS-API mechglue) frees uninitialized pointers
+ (CVE-2006-6144)(Bug #225992)
+ krb5-1.5-MITKRB5-SA-2006-003-fix-free-of-uninitialized-pointer.dif
+
+-------------------------------------------------------------------
+Tue Jan 2 14:53:33 CET 2007 - mc@suse.de
+
+- Fix Requires in krb5-devel
+ [Bug #231008]
+
+-------------------------------------------------------------------
+Mon Nov 6 11:49:39 CET 2006 - mc@suse.de
+
+- fix "local variable used before set" [#217692]
+- fix strncat warning
+
+-------------------------------------------------------------------
+Fri Oct 27 17:34:30 CEST 2006 - mc@suse.de
+
+- add a default kadm5.dict file
+- require $network on daemon start
+
+-------------------------------------------------------------------
+Wed Sep 13 10:39:41 CEST 2006 - mc@suse.de
+
+- fix function call with too few arguments [#203837]
+
+-------------------------------------------------------------------
+Thu Aug 24 12:52:25 CEST 2006 - mc@suse.de
+
+- update to version 1.5.1
+- remove obsolete patches which are now included upstream
+ * krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif
+ * trunk-fix-uninitialized-vars.dif
+
+-------------------------------------------------------------------
+Fri Aug 11 14:29:27 CEST 2006 - mc@suse.de
+
+- krb5 setuid return check fixes
+ krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif
+ [#182351]
+
+-------------------------------------------------------------------
+Mon Aug 7 15:54:26 CEST 2006 - mc@suse.de
+
+- remove update-messages
+
+-------------------------------------------------------------------
+Mon Jul 24 15:45:14 CEST 2006 - mc@suse.de
+
+- add check for krb5_prop in services to kpropd init script.
+ [#192446]
+
+-------------------------------------------------------------------
+Mon Jul 3 14:59:35 CEST 2006 - mc@suse.de
+
+- update to version 1.5
+ * KDB abstraction layer, donated by Novell.
+ * plug-in architecture, allowing for extension modules to be
+ loaded at run-time.
+ * multi-mechanism GSS-API implementation ("mechglue"),
+ donated by Sun Microsystems
+ * Simple and Protected GSS-API negotiation mechanism ("SPNEGO")
+ implementation, donated by Sun Microsystems
+- remove obsolete patches and add some new
+
+-------------------------------------------------------------------
+Fri May 26 14:50:00 CEST 2006 - ro@suse.de
+
+- libcom is not in e2fsck-devel but in its own package now, change
+ Requires accordingly.
+
+-------------------------------------------------------------------
+Mon Mar 27 14:10:02 CEST 2006 - mc@suse.de
+
+- add all daemons to %stop_on_removal and %restart_on_update
+- add reload to kpropd init script
+- add force-reload to all init scripts
+
+-------------------------------------------------------------------
+Mon Mar 13 18:20:36 CET 2006 - mc@suse.de
+
+- add libgssapi_krb5.so link to main package [#147912]
+
+-------------------------------------------------------------------
+Fri Feb 3 18:17:01 CET 2006 - mc@suse.de
+
+- fix logging section for kadmind in convert script
+
+-------------------------------------------------------------------
+Wed Jan 25 21:30:24 CET 2006 - mls@suse.de
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Fri Jan 13 14:44:24 CET 2006 - mc@suse.de
+
+- change the logging defaults
+
+-------------------------------------------------------------------
+Wed Jan 11 12:59:08 CET 2006 - mc@suse.de
+
+- add tools and README for heimdal => MIT update
+
+-------------------------------------------------------------------
+Mon Jan 9 14:41:07 CET 2006 - mc@suse.de
+
+- fix build problems, define _GNU_SOURCE
+ (krb5-1.4.3-set_gnu_source.dif )
+
+-------------------------------------------------------------------
+Tue Jan 3 16:00:13 CET 2006 - mc@suse.de
+
+- added "make %{?jobs:-j%jobs}"
+
+-------------------------------------------------------------------
+Fri Nov 18 12:12:01 CET 2005 - mc@suse.de
+
+- update to version 1.4.3
+ * some memmory leaks fixed
+ * fix for "AS_REP padata has wrong enctype"
+ * fix for "AS_REP padata missing PA-ETYPE-INFO"
+ * ... and more
+
+-------------------------------------------------------------------
+Wed Nov 2 21:23:32 CET 2005 - dmueller@suse.de
+
+- don't build as root
+
+-------------------------------------------------------------------
+Tue Oct 11 17:39:23 CEST 2005 - mc@suse.de
+
+- update to version 1.4.2
+- remove some obsolet patches
+
+-------------------------------------------------------------------
+Mon Aug 8 16:07:51 CEST 2005 - mc@suse.de
+
+- build with --disable-static
+
+-------------------------------------------------------------------
+Thu Aug 4 16:47:43 CEST 2005 - ro@suse.de
+
+- remove devel-static subpackage
+
+-------------------------------------------------------------------
+Thu Jun 30 10:12:30 CEST 2005 - mc@suse.de
+
+- better patch for princ_comp problem
+
+-------------------------------------------------------------------
+Mon Jun 27 13:34:50 CEST 2005 - mc@suse.de
+
+- update to version 1.4.1
+- remove obsolet patches
+ - krb5-1.4-gcc4.dif
+ - krb5-1.4-reduce-namespace-polution.dif
+ - krb5-1.4-VUL-0-telnet.dif
+
+-------------------------------------------------------------------
+Thu Jun 23 10:12:54 CEST 2005 - mc@suse.de
+
+- fixed krb5 KDC heap corruption by random free
+ [#80574, CAN-2005-1174, MITKRB5-SA-2005-002]
+- fixed krb5 double free()
+ [#86768, CAN-2005-1689, MITKRB5-SA-2005-003]
+- fix krb5 NULL pointer reference while comparing principals
+ [#91600]
+
+-------------------------------------------------------------------
+Fri Jun 17 17:18:19 CEST 2005 - mc@suse.de
+
+- fix uninitialized variables
+- compile with -fPIE/ link with -pie
+
+-------------------------------------------------------------------
+Wed Apr 20 15:36:16 CEST 2005 - mc@suse.de
+
+- fixed wrong xinetd files [#77149]
+
+-------------------------------------------------------------------
+Fri Apr 8 04:55:55 CEST 2005 - mt@suse.de
+
+- removed krb5-1.4-fix-error_tables.dif patch obsoleted
+ by libcom_err locking patches
+
+-------------------------------------------------------------------
+Thu Apr 7 13:49:37 CEST 2005 - mc@suse.de
+
+- fixed missing descriptions in init files
+ [#76164, #76165, #76166, #76169]
+
+-------------------------------------------------------------------
+Wed Mar 30 18:11:38 CEST 2005 - mc@suse.de
+
+- enhance $PATH via /etc/profile.d/ [#74018]
+- remove the "links to important programs"
+
+-------------------------------------------------------------------
+Fri Mar 18 11:09:43 CET 2005 - mc@suse.de
+
+- fixed not running converter script [#72854]
+
+-------------------------------------------------------------------
+Thu Mar 17 14:15:17 CET 2005 - mc@suse.de
+
+- Fix CAN-2005-0469: Multiple Telnet Client slc_add_reply() Buffer
+ Overflow
+- Fix CAN-2005-0468: Multiple Telnet Client env_opt_add() Buffer
+ Overflow
+ [#73618]
+
+-------------------------------------------------------------------
+Wed Mar 16 13:10:18 CET 2005 - mc@suse.de
+
+- fixed wrong PreReqs [#73020]
+
+-------------------------------------------------------------------
+Tue Mar 15 19:54:58 CET 2005 - mc@suse.de
+
+- add a simple krb5.conf converter [#72854]
+
+-------------------------------------------------------------------
+Mon Mar 14 17:08:59 CET 2005 - mc@suse.de
+
+- fixed: rckrb5kdc restart gives wrong status with non-running service
+ [#72446]
+
+-------------------------------------------------------------------
+Thu Mar 10 10:48:07 CET 2005 - mc@suse.de
+
+- add requires: e2fsprogs-devel to krb5-devel package [#71732]
+
+-------------------------------------------------------------------
+Fri Feb 25 17:35:37 CET 2005 - mc@suse.de
+
+- fix double free [#66534]
+ krb5-1.4-fix-error_tables.dif
+
+-------------------------------------------------------------------
+Fri Feb 11 14:01:32 CET 2005 - mc@suse.de
+
+- change mode for shared libraries to 755
+
+-------------------------------------------------------------------
+Fri Feb 4 16:48:16 CET 2005 - mc@suse.de
+
+- remove spx.c from tarball because of legal risk
+- add README.Source which tell the user about this
+ action.
+- add a check for spx.c in the spec-file
+- use rich-text for update-messages [#50250]
+
+-------------------------------------------------------------------
+Tue Feb 1 12:13:45 CET 2005 - mc@suse.de
+
+- add krb5-1.4-reduce-namespace-polution.dif
+ reduce namespace polution in gssapi.h [#50356]
+
+-------------------------------------------------------------------
+Fri Jan 28 13:25:42 CET 2005 - mc@suse.de
+
+- update to version 1.4
+- Add implementation of the RPCSEC_GSS authentication flavor to the
+ RPC library.
+- Thread safety for krb5 libraries.
+- Merged Athena telnetd changes for creating a new option for
+ requiring encryption.
+- The kadmind4 backwards-compatibility admin server and the v5passwdd
+ backwards-compatibility password-changing server have been removed.
+- Yarrow code now uses AES.
+- Merged Athena changes to allow ftpd to require encrypted passwords.
+- Incorporate gss_krb5_set_allowable_enctypes() and
+ gss_krb5_export_lucid_sec_context(), which are needed for NFSv4.
+- remove obsolet patches
+
+-------------------------------------------------------------------
+Mon Jan 17 11:34:52 CET 2005 - mc@suse.de
+
+- add proofreaded update-messages
+
+-------------------------------------------------------------------
+Fri Jan 14 14:38:25 CET 2005 - mc@suse.de
+
+- remove Conflicts: and add Provides:
+- add some insserv stuff
+
+-------------------------------------------------------------------
+Thu Jan 13 11:54:01 CET 2005 - mc@suse.de
+
+- move vendor files to vendor-files.tar.bz2
+- add obsoletes: heimdal
+- add %pre and %post sections to detect update
+ from heimdal and backup invalid configuration files
+- add update-messages for heimdal update
+
+-------------------------------------------------------------------
+Mon Jan 10 12:18:02 CET 2005 - mc@suse.de
+
+- update to version 1.3.6
+- fix for: heap buffer overflow in libkadm5srv
+ [CAN-2004-1189 / MITKRB5-SA-2004-004]
+
+-------------------------------------------------------------------
+Tue Dec 14 15:30:23 CET 2004 - mc@suse.de
+
+- build doc subpackage in an own specfile
+- removed unnecessary neededforbuild requirements
+
+-------------------------------------------------------------------
+Wed Nov 24 13:37:53 CET 2004 - coolo@suse.de
+
+- fix build with gcc 4
+
+-------------------------------------------------------------------
+Mon Nov 15 17:25:56 CET 2004 - mc@suse.de
+
+- added Conflicts with heimdal*
+- rename some manpages to avoid conflicts
+
+-------------------------------------------------------------------
+Thu Nov 4 18:03:11 CET 2004 - mc@suse.de
+
+- new init scripts
+- fix logrotate scripts
+- add some 64Bit fixes
+- add default krb5.conf, kdc.conf and kadm5.acl
+
+-------------------------------------------------------------------
+Wed Nov 3 18:52:07 CET 2004 - mc@suse.de
+
+- add e2fsprogs to NFB
+- use system-et and system-ss
+- fix includes of com_err.h
+
+-------------------------------------------------------------------
+Thu Oct 28 17:58:41 CEST 2004 - mc@suse.de
+
+- Initital checkin
+
diff --git a/krb5-mini.spec b/krb5-mini.spec
new file mode 100644
index 0000000..ed651d8
--- /dev/null
+++ b/krb5-mini.spec
@@ -0,0 +1,686 @@
+#
+# spec file for package krb5-mini (Version 1.7)
+#
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+#
+
+# norootforbuild
+
+%define build_mini 1
+%define srcRoot krb5-1.7
+%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
+%define krb5docdir %{_defaultdocdir}/krb5
+
+Name: krb5-mini
+License: MIT License (or similar)
+Url: http://web.mit.edu/kerberos/www/
+BuildRequires: bison libcom_err-devel ncurses-devel
+BuildRequires: keyutils keyutils-devel
+Version: 1.7
+Release: 4
+%if ! 0%{?build_mini}
+BuildRequires: libopenssl-devel openldap2-devel
+# bug437293
+%ifarch ppc64
+Obsoletes: krb5-64bit
+%endif
+#
+Summary: MIT Kerberos5 Implementation--Libraries
+Group: Productivity/Networking/Security
+%else
+Summary: MIT Kerberos5 Implementation--Libraries
+Group: Productivity/Networking/Security
+%endif
+Source: krb5-1.7.tar.bz2
+Source1: vendor-files.tar.bz2
+Source2: README.Source
+Source3: spx.c
+Source5: krb5-%{version}-rpmlintrc
+Source10: krb5-1.7-manpaths.txt
+Patch2: krb5-1.6.1-compile_pie.dif
+Patch20: krb5-1.6.3-kprop-use-mkstemp.dif
+Patch21: krb5-1.5.1-fix-var-used-before-value-set.dif
+Patch22: krb5-1.5.1-fix-ftp-var-used-uninitialized.dif
+Patch30: krb5-1.7-manpaths.dif
+Patch32: krb5-1.4.3-enospc.dif
+Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif
+Patch41: krb5-1.6.3-kpasswd_tcp.patch
+Patch44: krb5-1.6.3-ktutil-manpage.dif
+Patch46: krb5-1.6.3-fix-ipv6-query.dif
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+PreReq: mktemp, grep, /bin/touch, coreutils
+PreReq: %insserv_prereq %fillup_prereq
+
+%description
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve your network's security by eliminating the insecure
+practice of clear text passwords.
+
+
+
+Authors:
+--------
+ The MIT Kerberos Team
+ Sam Hartman
+ Ken Raeburn
+ Tom Yu
+
+%if ! %{build_mini}
+
+%package client
+License: MIT License (or similar)
+Summary: MIT Kerberos5 implementation - client programs
+Group: Productivity/Networking/Security
+
+%description client
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve your network's security by eliminating the insecure
+practice of cleartext passwords. This package includes some required
+client programs, like kinit, kadmin, ...
+
+
+
+Authors:
+--------
+ The MIT Kerberos Team
+ Sam Hartman
+ Ken Raeburn
+ Tom Yu
+
+%package server
+License: MIT License (or similar)
+Summary: MIT Kerberos5 implementation - server
+Group: Productivity/Networking/Security
+Requires: perl-Date-Calc
+Requires: logrotate cron
+PreReq: %insserv_prereq %fillup_prereq
+
+%description server
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve your network's security by eliminating the insecure
+practice of cleartext passwords. This package includes the kdc, kadmind
+and more.
+
+
+
+Authors:
+--------
+ The MIT Kerberos Team
+ Sam Hartman
+ Ken Raeburn
+ Tom Yu
+
+%package apps-servers
+License: MIT License (or similar)
+Summary: MIT Kerberos5 server applications
+Group: Productivity/Networking/Security
+
+%description apps-servers
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve your network's security by eliminating the insecure
+practice of cleartext passwords. This package includes some kerberos
+compatible server applications like ftpd, klogind, telnetd, ...
+
+
+
+Authors:
+--------
+ The MIT Kerberos Team
+ Sam Hartman
+ Ken Raeburn
+ Tom Yu
+
+%package apps-clients
+License: MIT License (or similar)
+Summary: MIT Kerberos5 client applications
+Group: Productivity/Networking/Security
+
+%description apps-clients
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve your network's security by eliminating the insecure
+practice of cleartext passwords. This package includes some kerberos
+compatible client applications like ftp, rpc, rlogin, telnet, ...
+
+
+
+Authors:
+--------
+ The MIT Kerberos Team
+ Sam Hartman
+ Ken Raeburn
+ Tom Yu
+
+%package plugin-kdb-ldap
+License: MIT License (or similar)
+Summary: MIT Kerberos5 Implementation--LDAP Database Plugin
+Group: Productivity/Networking/Security
+Requires: krb5-server = %{version}
+
+%description plugin-kdb-ldap
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve your network's security by eliminating the insecure
+practice of clear text passwords. This package contains the LDAP
+database plugin.
+
+
+
+Authors:
+--------
+ The MIT Kerberos Team
+ Sam Hartman
+ Ken Raeburn
+ Tom Yu
+
+%package plugin-preauth-pkinit
+License: MIT License (or similar)
+Summary: MIT Kerberos5 Implementation--PKINIT preauth Plugin
+Group: Productivity/Networking/Security
+
+%description plugin-preauth-pkinit
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve your network's security by eliminating the insecure
+practice of cleartext passwords. This package includes a PKINIT plugin.
+
+
+
+Authors:
+--------
+ The MIT Kerberos Team
+ Sam Hartman
+ Ken Raeburn
+ Tom Yu
+
+%endif #! build_mini
+
+%package devel
+License: MIT License (or similar)
+Summary: MIT Kerberos5 - Include Files and Libraries
+Group: Development/Libraries/C and C++
+PreReq: %{name} = %{version}
+Requires: libcom_err-devel
+Requires: keyutils-devel
+# bug437293
+%ifarch ppc64
+Obsoletes: krb5-devel-64bit
+%endif
+%if %{build_mini}
+Provides: krb5-devel = %{version}
+%endif
+#
+
+%description devel
+Kerberos V5 is a trusted-third-party network authentication system,
+which can improve your network's security by eliminating the insecure
+practice of cleartext passwords. This package includes Libraries and
+Include Files for Development
+
+
+
+Authors:
+--------
+ The MIT Kerberos Team
+ Sam Hartman
+ Ken Raeburn
+ Tom Yu
+
+%prep
+%setup -q -n %{srcRoot}
+%setup -a 1 -T -D -n %{srcRoot}
+if [ -e %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c ]
+then
+ echo "spx.c contains potential legal risks."
+ exit 1;
+else
+ cp %{SOURCE3} %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c
+fi
+%patch2
+%patch20
+%patch21
+%patch22
+%patch30 -p1
+%patch32 -p1
+%patch34 -p1
+%patch41
+%patch44 -p1
+%patch46 -p1
+# Rename the man pages so that they'll get generated correctly.
+pushd src
+cat %{SOURCE10} | while read manpage ; do
+ mv "$manpage" "$manpage".in
+done
+popd
+
+%build
+cd src
+%{?suse_update_config:%{suse_update_config -f}}
+./util/reconf
+CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC " \
+./configure \
+ --prefix=/usr/lib/mit \
+ --sysconfdir=%{_sysconfdir} \
+ --mandir=%{_mandir} \
+ --infodir=%{_infodir} \
+ --libexecdir=/usr/lib/mit/sbin \
+ --libdir=%{_libdir} \
+ --includedir=%{_includedir} \
+ --localstatedir=%{_localstatedir}/lib/kerberos \
+ --enable-shared \
+ --disable-static \
+ --enable-kdc-replay-cache \
+ --enable-dns-for-realm \
+ --disable-rpath \
+%if ! %{build_mini}
+ --with-ldap \
+%else
+ --disable-pkinit \
+%endif
+ --with-system-et \
+ --with-system-ss
+make %{?jobs:-j%jobs}
+
+%install
+cd src
+make DESTDIR=%{buildroot} install
+cd ..
+# Munge the krb5-config script to remove rpaths and CFLAGS.
+sed "s|^CC_LINK=.*|CC_LINK='\$(CC) \$(PROG_LIBPATH)'|g" src/krb5-config > $RPM_BUILD_ROOT/usr/lib/mit/bin/krb5-config
+# install sample config files
+# I'll probably do something about this later on
+mkdir -p %{buildroot}%{_sysconfdir} %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc
+mkdir -p %{buildroot}%{_sysconfdir}
+mkdir -p %{buildroot}/etc/profile.d/
+mkdir -p %{buildroot}/var/log/krb5
+mkdir -p %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/
+# create plugin directories
+mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb
+mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
+mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5
+install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir}
+install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
+install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
+install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
+install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.csh
+install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh
+install -m 644 %{vendorFiles}/SuSEFirewall.kdc %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc
+install -m 644 %{vendorFiles}/SuSEFirewall.kadmind %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind
+for n in ftpd.8 telnetd.8; do
+ mv %{buildroot}%{_mandir}/man8/${n} %{buildroot}%{_mandir}/man8/k${n}
+done
+for n in ftp.1 rlogin.1 rcp.1 rsh.1 telnet.1; do
+ mv %{buildroot}%{_mandir}/man1/${n} %{buildroot}%{_mandir}/man1/k${n}
+done
+# all libs must have permissions 0755
+for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
+do
+ chmod 0755 ${lib}
+done
+# and binaries too
+chmod 0755 %{buildroot}/usr/lib/mit/bin/ksu
+# install init scripts
+mkdir -p %{buildroot}%{_sysconfdir}/init.d
+install -m 755 %{vendorFiles}/kadmind.init %{buildroot}%{_sysconfdir}/init.d/kadmind
+install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb5kdc
+install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd
+# install xinetd files
+mkdir -p %{buildroot}%{_sysconfdir}/xinetd.d
+install -m 644 %{vendorFiles}/klogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/klogin
+install -m 644 %{vendorFiles}/eklogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/eklogin
+install -m 644 %{vendorFiles}/krb5-telnet.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/ktelnet
+install -m 644 %{vendorFiles}/kshell.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/kshell
+# install logrotate files
+mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
+install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server
+find . -type f -name '*.ps' -exec gzip -9 {} \;
+# create rc* links
+mkdir -p %{buildroot}/usr/bin/
+ln -sf ../../etc/init.d/kadmind %{buildroot}/usr/bin/rckadmind
+ln -sf ../../etc/init.d/krb5kdc %{buildroot}/usr/bin/rckrb5kdc
+ln -sf ../../etc/init.d/kpropd %{buildroot}/usr/bin/rckpropd
+# create links for kinit and klist, because of the java ones
+ln -sf ../../usr/lib/mit/bin/kinit %{buildroot}/usr/bin/kinit
+ln -sf ../../usr/lib/mit/bin/klist %{buildroot}/usr/bin/klist
+# install doc
+install -d -m 755 %{buildroot}/%{krb5docdir}
+install -m 644 %{_builddir}/%{srcRoot}/README %{buildroot}/%{krb5docdir}/README
+%if ! %{build_mini}
+install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema %{buildroot}/%{krb5docdir}/kerberos.schema
+install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif %{buildroot}/%{krb5docdir}/kerberos.ldif
+%endif
+# cleanup
+rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
+rm -f /usr/share/man/man1/tmac.doc*
+rm -rf /usr/lib/mit/share
+rm -rf %{buildroot}/usr/lib/mit/share
+#####################################################
+# krb5-mini-devel pre/post/postun
+#####################################################
+%if %{build_mini}
+
+%preun
+%stop_on_removal krb5kdc kadmind kpropd
+
+%postun
+/sbin/ldconfig
+%restart_on_update krb5kdc kadmind kpropd
+%{insserv_cleanup}
+
+%post -p /sbin/ldconfig
+%else
+#####################################################
+# krb5 pre/post/postun
+#####################################################
+
+%post -p /sbin/ldconfig
+
+%postun -p /sbin/ldconfig
+
+%preun server
+#####################################################
+# krb5-server preun/postun
+#####################################################
+%stop_on_removal krb5kdc kadmind kpropd
+
+%postun server
+%restart_on_update krb5kdc kadmind kpropd
+%{insserv_cleanup}
+#####################################################
+# krb5-plugin-kdb-ldap post/postun
+#####################################################
+
+%post plugin-kdb-ldap -p /sbin/ldconfig
+
+%postun plugin-kdb-ldap -p /sbin/ldconfig
+%endif
+
+%clean
+rm -rf %{buildroot}
+########################################################
+# files sections
+########################################################
+
+%files devel
+%defattr(-,root,root)
+%dir /usr/lib/mit
+%dir /usr/lib/mit/bin
+%dir /usr/lib/mit/sbin
+%{_libdir}/libgssrpc.so
+%{_libdir}/libk5crypto.so
+%{_libdir}/libkadm5clnt.so
+%{_libdir}/libkadm5srv.so
+%{_libdir}/libkdb5.so
+%{_libdir}/libkrb5.so
+%{_libdir}/libkrb5support.so
+%{_includedir}/*
+/usr/lib/mit/bin/krb5-config
+/usr/lib/mit/sbin/krb5-send-pr +%{_mandir}/man1/krb5-send-pr.1* +%{_mandir}/man1/krb5-config.1* +%if %{build_mini} + +%files +%defattr(-,root,root) +%dir %{krb5docdir} +# add directories +%dir %{_libdir}/krb5 +%dir %{_libdir}/krb5/plugins +%dir %{_libdir}/krb5/plugins/kdb +%dir %{_libdir}/krb5/plugins/preauth +%dir %{_libdir}/krb5/plugins/libkrb5 +%dir %{_localstatedir}/lib/kerberos/ +%dir %{_localstatedir}/lib/kerberos/krb5kdc +%attr(0700,root,root) %dir /var/log/krb5 +%dir /usr/lib/mit +%dir /usr/lib/mit/sbin +%dir /usr/lib/mit/bin +%doc %{krb5docdir}/README +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf +%attr(0644,root,root) %config /etc/profile.d/krb5* +%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server +%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf +%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl +%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict +%config(noreplace) %{_sysconfdir}/xinetd.d/klogin +%config(noreplace) %{_sysconfdir}/xinetd.d/eklogin +%config(noreplace) %{_sysconfdir}/xinetd.d/kshell +%config(noreplace) %{_sysconfdir}/xinetd.d/ktelnet +%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k* +%{_sysconfdir}/init.d/* +%{_libdir}/libgssapi_krb5.* +%{_libdir}/libgssrpc.so.* +%{_libdir}/libk5crypto.so.* +%{_libdir}/libkadm5clnt.so.* +%{_libdir}/libkadm5srv.so.* +%{_libdir}/libkdb5.so.* +%{_libdir}/libkrb5.so.* +%{_libdir}/libkrb5support.so.* +%{_libdir}/krb5/plugins/kdb/* +%{_libdir}/krb5/plugins/preauth/* +#/usr/lib/mit/sbin/* +/usr/lib/mit/sbin/kadmin.local +/usr/lib/mit/sbin/kadmind +/usr/lib/mit/sbin/kpropd +/usr/lib/mit/sbin/kproplog +/usr/lib/mit/sbin/kprop +/usr/lib/mit/sbin/kdb5_util +/usr/lib/mit/sbin/krb5kdc +/usr/lib/mit/sbin/ftpd +/usr/lib/mit/sbin/klogind +/usr/lib/mit/sbin/kshd +/usr/lib/mit/sbin/telnetd +/usr/lib/mit/sbin/uuserver +/usr/lib/mit/sbin/sserver 
+/usr/lib/mit/sbin/gss-server +/usr/lib/mit/sbin/sim_server +/usr/lib/mit/sbin/login.krb5 +/usr/lib/mit/bin/k5srvutil +/usr/lib/mit/bin/kvno +/usr/lib/mit/bin/kinit +/usr/lib/mit/bin/kdestroy +/usr/lib/mit/bin/kpasswd +/usr/lib/mit/bin/klist +/usr/lib/mit/bin/kadmin +/usr/lib/mit/bin/ktutil +%attr(0755,root,root) /usr/lib/mit/bin/ksu +/usr/lib/mit/bin/rcp +/usr/lib/mit/bin/rsh +/usr/lib/mit/bin/telnet +/usr/lib/mit/bin/uuclient +/usr/lib/mit/bin/sclient +/usr/lib/mit/bin/gss-client +/usr/lib/mit/bin/sim_client +/usr/lib/mit/bin/ftp +/usr/lib/mit/bin/rlogin +#/usr/lib/mit/bin/* +/usr/bin/kinit +/usr/bin/klist +/usr/bin/rc* +#%{_mandir}/man1/* +%{_mandir}/man1/kvno.1* +%{_mandir}/man1/kinit.1* +%{_mandir}/man1/kdestroy.1* +%{_mandir}/man1/kpasswd.1* +%{_mandir}/man1/klist.1* +%{_mandir}/man1/kerberos.1* +%{_mandir}/man1/kftp.1* +%{_mandir}/man1/krlogin.1* +%{_mandir}/man1/krsh.1* +%{_mandir}/man1/ktelnet.1* +%{_mandir}/man1/ksu.1* +%{_mandir}/man1/krcp.1* +%{_mandir}/man1/sclient.1* +%{_mandir}/man1/kadmin.1* +%{_mandir}/man1/ktutil.1* +%{_mandir}/man1/k5srvutil.1* +%{_mandir}/man5/* +%{_mandir}/man5/.k5login.5.gz +%{_mandir}/man8/* +%else + +%files +%defattr(-,root,root) +%dir %{krb5docdir} +# add plugin directories +%dir %{_libdir}/krb5 +%dir %{_libdir}/krb5/plugins +%dir %{_libdir}/krb5/plugins/kdb +%dir %{_libdir}/krb5/plugins/preauth +%dir %{_libdir}/krb5/plugins/libkrb5 +# add log directory +%attr(0700,root,root) %dir /var/log/krb5 +%doc %{krb5docdir}/README +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf +%attr(0644,root,root) %config /etc/profile.d/krb5* +%{_libdir}/libgssapi_krb5.* +%{_libdir}/libgssrpc.so.* +%{_libdir}/libk5crypto.so.* +%{_libdir}/libkadm5clnt.so.* +%{_libdir}/libkadm5srv.so.* +%{_libdir}/libkdb5.so.* +%{_libdir}/libkrb5.so.* +%{_libdir}/libkrb5support.so.* +%{_libdir}/krb5/plugins/preauth/encrypted_challenge.so + +%files server +%defattr(-,root,root) +%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server 
+%{_sysconfdir}/init.d/kadmind +%{_sysconfdir}/init.d/krb5kdc +%{_sysconfdir}/init.d/kpropd +%dir %{krb5docdir} +%dir /usr/lib/mit +%dir /usr/lib/mit/sbin +%dir %{_localstatedir}/lib/kerberos/ +%dir %{_localstatedir}/lib/kerberos/krb5kdc +%dir %{_libdir}/krb5 +%dir %{_libdir}/krb5/plugins +%dir %{_libdir}/krb5/plugins/kdb +%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf +%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl +%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict +%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k* +/usr/bin/rc* +/usr/lib/mit/sbin/kadmin.local +/usr/lib/mit/sbin/kadmind +/usr/lib/mit/sbin/kpropd +/usr/lib/mit/sbin/kproplog +/usr/lib/mit/sbin/kprop +/usr/lib/mit/sbin/kdb5_util +/usr/lib/mit/sbin/krb5kdc +%{_libdir}/krb5/plugins/kdb/db2.so +%{_mandir}/man5/kdc.conf.5* +%{_mandir}/man8/kadmind.8* +%{_mandir}/man8/kadmin.local.8* +%{_mandir}/man8/kpropd.8* +%{_mandir}/man8/kprop.8* +%{_mandir}/man8/kproplog.8.gz +%{_mandir}/man8/kdb5_util.8* +%{_mandir}/man8/krb5kdc.8* + +%files client +%defattr(-,root,root) +%dir /usr/lib/mit +%dir /usr/lib/mit/bin +%dir /usr/lib/mit/sbin +/usr/lib/mit/bin/kvno +/usr/lib/mit/bin/kinit +/usr/lib/mit/bin/kdestroy +/usr/lib/mit/bin/kpasswd +/usr/lib/mit/bin/klist +/usr/lib/mit/bin/kadmin +/usr/lib/mit/bin/ktutil +/usr/lib/mit/bin/k5srvutil +/usr/bin/kinit +/usr/bin/klist +%{_mandir}/man1/kvno.1* +%{_mandir}/man1/kinit.1* +%{_mandir}/man1/kdestroy.1* +%{_mandir}/man1/kpasswd.1* +%{_mandir}/man1/klist.1* +%{_mandir}/man1/kerberos.1* +%{_mandir}/man1/kadmin.1* +%{_mandir}/man1/ktutil.1* +%{_mandir}/man1/k5srvutil.1* +%{_mandir}/man5/krb5.conf.5* +%{_mandir}/man5/.k5login.5* + +%files apps-servers +%defattr(-,root,root) +%config(noreplace) %{_sysconfdir}/xinetd.d/klogin +%config(noreplace) %{_sysconfdir}/xinetd.d/eklogin +%config(noreplace) %{_sysconfdir}/xinetd.d/kshell 
+%config(noreplace) %{_sysconfdir}/xinetd.d/ktelnet +%dir /usr/lib/mit +%dir /usr/lib/mit/sbin +/usr/lib/mit/sbin/ftpd +/usr/lib/mit/sbin/klogind +/usr/lib/mit/sbin/kshd +/usr/lib/mit/sbin/telnetd +/usr/lib/mit/sbin/uuserver +/usr/lib/mit/sbin/sserver +/usr/lib/mit/sbin/gss-server +/usr/lib/mit/sbin/sim_server +/usr/lib/mit/sbin/login.krb5 +%{_mandir}/man8/kftpd.8* +%{_mandir}/man8/klogind.8* +%{_mandir}/man8/kshd.8* +%{_mandir}/man8/ktelnetd.8* +%{_mandir}/man8/sserver.8* +%{_mandir}/man8/login.krb5.8* + +%files apps-clients +%defattr(-,root,root) +%dir /usr/lib/mit +%dir /usr/lib/mit/bin +/usr/lib/mit/bin/ftp +/usr/lib/mit/bin/rlogin +# removed SUID bit, we will rely on su + pam_krb +%attr(0755,root,root) /usr/lib/mit/bin/ksu +/usr/lib/mit/bin/rcp +/usr/lib/mit/bin/rsh +/usr/lib/mit/bin/telnet +/usr/lib/mit/bin/uuclient +/usr/lib/mit/bin/sclient +/usr/lib/mit/bin/gss-client +/usr/lib/mit/bin/sim_client +%{_mandir}/man1/kftp.1* +%{_mandir}/man1/krlogin.1* +%{_mandir}/man1/krsh.1* +%{_mandir}/man1/ktelnet.1* +%{_mandir}/man1/ksu.1* +%{_mandir}/man1/krcp.1* +%{_mandir}/man1/sclient.1* + +%files plugin-kdb-ldap +%defattr(-,root,root) +%dir %{_libdir}/krb5 +%dir %{_libdir}/krb5/plugins +%dir %{_libdir}/krb5/plugins/kdb +%dir /usr/lib/mit/sbin/ +%dir %{krb5docdir} +%doc %{krb5docdir}/kerberos.schema +%doc %{krb5docdir}/kerberos.ldif +%{_libdir}/krb5/plugins/kdb/kldap.so +/usr/lib/mit/sbin/kdb5_ldap_util +%{_libdir}/libkdb_ldap* +%{_mandir}/man8/kdb5_ldap_util.8* + +%files plugin-preauth-pkinit +%defattr(-,root,root) +%dir %{_libdir}/krb5 +%dir %{_libdir}/krb5/plugins +%dir %{_libdir}/krb5/plugins/preauth +%{_libdir}/krb5/plugins/preauth/pkinit.so +%endif #build_mini + +%changelog diff --git a/krb5-plugins-1.6.3-rpmlintrc b/krb5-plugins-1.6.3-rpmlintrc deleted file mode 100644 index 52ffcc3..0000000 --- a/krb5-plugins-1.6.3-rpmlintrc +++ /dev/null @@ -1,2 +0,0 @@ -addFilter("devel-file-in-non-devel-package .*libkdb_ldap.so") -addFilter("shlib-policy-missing-suffix") 
diff --git a/krb5-plugins.changes b/krb5-plugins.changes
deleted file mode 100644
index f5a3046..0000000
--- a/krb5-plugins.changes
+++ /dev/null
@@ -1,177 +0,0 @@ -------------------------------------------------------------------- -Fri Jul 25 12:17:44 CEST 2008 - mc@suse.de - -- add patches from SVN post 1.6.3 - * krb5_string_to_keysalts: Fix an infinite loop - * fix some mutex issues - * better recovery from corrupt rcache files - * some more small fixes - -------------------------------------------------------------------- -Wed Jun 18 15:33:18 CEST 2008 - mc@suse.de - -- reduce rpmlint warnings - -------------------------------------------------------------------- -Tue Dec 4 16:36:43 CET 2007 - mc@suse.de - -- improve GSSAPI error messages - -------------------------------------------------------------------- -Tue Oct 23 10:29:14 CEST 2007 - mc@suse.de - -- update to krb5 version 1.6.3 - * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow - * fix CVE-2007-4000 modify_policy vulnerability - * Add PKINIT support -- remove patches which are upstream now -- enhance init scripts and xinetd profiles - -------------------------------------------------------------------- -Fri Sep 14 12:10:01 CEST 2007 - mc@suse.de - -- update krb5-1.6.2-post.dif - * If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that - that the client library will not failover to the next KDC. - [#310540] - -------------------------------------------------------------------- -Tue Sep 11 15:11:34 CEST 2007 - mc@suse.de - -- update krb5-1.6.2-post.dif - * new -S sname option for kvno - * read_entropy_from_device on partial read will not fill buffer - * Bail out if encoded "ticket" doesn't decode correctly. 
- * patch for referrals loop - -------------------------------------------------------------------- -Thu Sep 6 10:43:50 CEST 2007 - mc@suse.de - -- fix a problem with the originally published patch - for MITKRB5-SA-2007-006 - CVE-2007-3999 - [#302377] - -------------------------------------------------------------------- -Wed Sep 5 12:18:38 CEST 2007 - mc@suse.de - -- fix execute arbitrary code - (MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000) - [#302377] - -------------------------------------------------------------------- -Tue Aug 7 11:59:05 CEST 2007 - mc@suse.de - -- add krb5-1.6.2-post.dif - * during the referrals loop, check to see if the - session key enctype of a returned credential for the final - service is among the enctypes explicitly selected by the - application, and retry with old_use_conf_ktypes if it is not. - * If mkstemp() is available, the new ccache file gets created but - the subsequent open(O_CREAT|O_EXCL) call fails because the file - was already created by mkstemp(). Apply patch from Apple to keep - the file descriptor open. 
- -------------------------------------------------------------------- -Thu Jul 12 17:02:19 CEST 2007 - mc@suse.de - -- update to version 1.6.2 -- remove krb5-1.6.1-post.dif all fixes are included in this release - -------------------------------------------------------------------- -Mon Jul 2 11:39:54 CEST 2007 - mc@suse.de - -- update krb5-1.6.1-post.dif - * fix leak in krb5_walk_realm_tree - * rd_req_decoded needs to deal with referral realms - * fix buffer overflow in kadmind - (MITKRB5-SA-2007-005 - CVE-2007-2798) - [#278689] - * fix kadmind code execution bug - (MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443) - [#271191] - -------------------------------------------------------------------- -Wed May 9 15:31:08 CEST 2007 - mc@suse.de - -- fix uninitialized salt length -- add extra check for keytab file - -------------------------------------------------------------------- -Thu May 3 12:13:35 CEST 2007 - mc@suse.de - -- adding krb5-1.6.1-post.dif - * fix segfault in krb5_get_init_creds_password - * remove debug output in ftp client - * profile stores empty string values without double quotes - -------------------------------------------------------------------- -Mon Apr 23 11:17:04 CEST 2007 - mc@suse.de - -- update to final 1.6.1 version - -------------------------------------------------------------------- -Mon Apr 16 14:39:58 CEST 2007 - mc@suse.de - -- update to version 1.6.1 Beta1 -- remove obsolete patches - (krb5-1.6-post.dif, krb5-1.6-patchlevel.dif) -- rework compile_pie patch - -------------------------------------------------------------------- -Wed Apr 11 10:59:20 CEST 2007 - mc@suse.de - -- update krb5-1.6-post.dif - * fix kadmind stack overflow in krb5_klog_syslog - (MITKRB5-SA-2007-002 - CVE-2007-0957) - [#253548] - * fix double free attack in the RPC library - (MITKRB5-SA-2007-003 - CVE-2007-1216) - [#252487] - * fix krb5 telnetd login injection - (MIT-SA-2007-001 - CVE-2007-0956) - #247765 - 
-------------------------------------------------------------------- -Thu Mar 29 12:42:51 CEST 2007 - mc@suse.de - -- add ncurses-devel and bison to BuildRequires -- rework some patches - -------------------------------------------------------------------- -Mon Feb 19 14:00:34 CET 2007 - mc@suse.de - -- update krb5-1.6-post.dif - -------------------------------------------------------------------- -Fri Feb 9 13:31:54 CET 2007 - mc@suse.de - -- update krb5-1.6-post.dif - -------------------------------------------------------------------- -Mon Jan 29 17:47:22 CET 2007 - ro@suse.de - -- no main package, no debuginfo - -------------------------------------------------------------------- -Mon Jan 29 11:30:35 CET 2007 - mc@suse.de - -- krb5-1.6-fix-passwd-tcp.dif and krb5-1.6-fix-sendto_kdc-memset.dif - are now upstream. Remove patches. -- fix leak in krb5_kt_resolve and krb5_kt_wresolve - -------------------------------------------------------------------- -Tue Jan 23 17:21:53 CET 2007 - mc@suse.de - -- fix "local variable used before set" in ftp.c - [#237684] -- use less BuildRequires - -------------------------------------------------------------------- -Mon Jan 22 12:21:41 CET 2007 - mc@suse.de - -- initial release (version 1.6) - * Major changes in 1.6 include - * Partial client implementation to handle server name referrals. - * Pre-authentication plug-in framework, donated by Red Hat. - * LDAP KDB plug-in, donated by Novell. - diff --git a/krb5-plugins.spec b/krb5-plugins.spec deleted file mode 100644 index 37de0d7..0000000 --- a/krb5-plugins.spec +++ /dev/null 
@@ -1,392 +0,0 @@ -# -# spec file for package krb5-plugins (Version 1.6.3) -# -# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany. -# -# All modifications and additions to the file contributed by third parties -# remain the property of their copyright owners, unless otherwise agreed -# upon. The license for this file, and modifications and additions to the -# file, is the same license as for the pristine package itself (unless the -# license for the pristine package is not an Open Source License, in which -# case the license is the MIT License). An "Open Source License" is a -# license that conforms to the Open Source Definition (Version 1.9) -# published by the Open Source Initiative. - -# Please submit bugfixes or comments via http://bugs.opensuse.org/ -# - -# norootforbuild -# nodebuginfo - - -Name: krb5-plugins -Version: 1.6.3 -Release: 16 -BuildRequires: bison krb5-devel ncurses-devel openldap2-devel -%define srcRoot krb5-1.6.3 -%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ -%define krb5docdir %{_defaultdocdir}/krb5 -Requires: krb5-server -Summary: MIT Kerberos5 Implementation--Libraries -License: X11/MIT -Url: http://web.mit.edu/kerberos/www/ -Group: Productivity/Networking/Security -Source: krb5-1.6.3.tar.bz2 -Source1: vendor-files.tar.bz2 -Source2: README.Source -Source3: spx.c -Source4: EncryptWithMasterKey.c -Source5: %{name}-%{version}-rpmlintrc -Source10: krb5-trunk-manpaths.txt -Patch1: krb5-1.5.1-fix-too-few-arguments.dif -Patch2: krb5-1.6.1-compile_pie.dif -Patch3: krb5-1.4-fix-segfault.dif -Patch6: trunk-EncryptWithMasterKey.dif -Patch14: warning-fix-lib-crypto-des.dif -Patch15: warning-fix-lib-crypto-dk.dif -Patch16: warning-fix-lib-crypto.dif -Patch17: warning-fix-lib-crypto-enc_provider.dif -Patch18: warning-fix-lib-crypto-yarrow_arcfour.dif -Patch20: kprop-use-mkstemp.dif -Patch21: krb5-1.5.1-fix-var-used-before-value-set.dif -Patch22: krb5-1.5.1-fix-ftp-var-used-uninitialized.dif -Patch24: 
krb5-1.5.1-fix-strncat-warning.dif -Patch25: krb5-1.6.1-init-salt-length.dif -Patch30: trunk-manpaths.dif -Patch31: krb5-1.6-ldap-man.dif -Patch32: krb5-1.4.3-enospc.dif -Patch33: krb5-1.3.3-rcp-markus.dif -Patch34: gssapi_improve_errormessages.dif -Patch35: krb5-1.6-fix-CVE-2007-5894.dif -Patch36: krb5-1.6-fix-CVE-2007-5902.dif -Patch37: krb5-1.6-fix-CVE-2007-5971.dif -Patch38: krb5-1.6-fix-CVE-2007-5972.dif -Patch39: krb5-1.6-MITKRB5-SA-2008-001.dif -Patch40: krb5-1.6-MITKRB5-SA-2008-002.dif -Patch41: krb5-trunk-kpasswd_tcp.patch -Patch42: krb5-trunk-seqnum.patch -Patch43: krb5-1.6.3-case-insensitive.dif -Patch44: krb5-1.6.3-ktutil-manpage.dif -Patch45: krb5-1.6.3-post.dif -Patch46: krb5-1.6.3-fix-ipv6-query.dif -BuildRoot: %{_tmppath}/%{name}-%{version}-build - -%description -Kerberos V5 is a trusted-third-party network authentication system, -which can improve your network's security by eliminating the insecure -practice of clear text passwords. - - - -Authors: --------- - The MIT Kerberos Team - Sam Hartman - Ken Raeburn - Tom Yu - -%package -n krb5-plugin-kdb-ldap -Requires: krb5-server = %{version} -Summary: MIT Kerberos5 Implementation--LDAP Database Plugin -License: X11/MIT -Url: http://web.mit.edu/kerberos/www/ -Group: Productivity/Networking/Security - -%description -n krb5-plugin-kdb-ldap -Kerberos V5 is a trusted-third-party network authentication system, -which can improve your network's security by eliminating the insecure -practice of clear text passwords. This package contains the LDAP -database plugin. 
- - - -Authors: --------- - The MIT Kerberos Team - Sam Hartman - Ken Raeburn - Tom Yu - -%package -n krb5-plugin-preauth-pkinit -License: X11/MIT -Summary: MIT Kerberos5 Implementation--PKINIT preauth Plugin -Group: Productivity/Networking/Security -Conflicts: krb5-plugin-preauth-pkinit-nss - -%description -n krb5-plugin-preauth-pkinit -Kerberos V5 is a trusted-third-party network authentication system, -which can improve your network's security by eliminating the insecure -practice of cleartext passwords. This package includes a PKINIT plugin. - - - -Authors: --------- - The MIT Kerberos Team - Sam Hartman - Ken Raeburn - Tom Yu - -%prep -%setup -q -n %{srcRoot} -%setup -a 1 -T -D -n %{srcRoot} -if [ -e %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c ] -then - echo "spx.c contains potential legal risks." - exit 1; -else - cp %{_sourcedir}/spx.c %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c -fi -%patch1 -%patch2 -%patch3 -%patch6 -%patch14 -%patch15 -%patch16 -%patch17 -%patch18 -%patch20 -%patch21 -%patch22 -%patch24 -%patch25 -%patch30 -p1 -%patch31 -%patch32 -p1 -%patch33 -p1 -%patch34 -p1 -%patch35 -%patch36 -%patch37 -%patch38 -%patch39 -p1 -%patch40 -%patch41 -%patch42 -%patch43 -%patch44 -p1 -%patch45 -%patch46 -p1 -cp %{_sourcedir}/EncryptWithMasterKey.c %{_builddir}/%{srcRoot}/src/kadmin/dbutil/EncryptWithMasterKey.c -# Rename the man pages so that they'll get generated correctly. 
-pushd src -cat $RPM_SOURCE_DIR/krb5-trunk-manpaths.txt | while read manpage ; do - mv "$manpage" "$manpage".in -done -popd - -%build -cd src -%{?suse_update_config:%{suse_update_config -f}} -./util/reconf -CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -I/usr/include -I%{_builddir}/%{srcRoot}/src/lib/ -fno-strict-aliasing -D_GNU_SOURCE -D__CI_PRINC__ -fPIC " \ -./configure \ - --prefix=/usr/lib/mit \ - --sysconfdir=%{_sysconfdir} \ - --mandir=%{_mandir} \ - --infodir=%{_infodir} \ - --libexecdir=/usr/lib/mit/sbin \ - --libdir=%{_libdir} \ - --includedir=%{_includedir} \ - --localstatedir=%{_localstatedir}/lib/kerberos \ - --enable-shared \ - --disable-static \ - --enable-kdc-replay-cache \ - --enable-dns-for-realm \ - --with-ldap \ - --with-system-et \ - --with-system-ss -cd util/profile -make install-headers-unix -cd ../../include -make -cd ../lib/kadm5 -make includes -cd ../gssapi/generic -make gssapi-include -ln -s %{_libdir}/libgssrpc.so %{_builddir}/%{srcRoot}/src/lib/ -ln -s %{_libdir}/libgssapi_krb5.so %{_builddir}/%{srcRoot}/src/lib/ -ln -s %{_libdir}/libk5crypto.so %{_builddir}/%{srcRoot}/src/lib/ -ln -s %{_libdir}/libkrb5support.so %{_builddir}/%{srcRoot}/src/lib/ -ln -s %{_libdir}/libkrb5.so %{_builddir}/%{srcRoot}/src/lib/ -ln -s %{_libdir}/libkadm5srv.so %{_builddir}/%{srcRoot}/src/lib/ -ln -s %{_libdir}/libkdb5.so %{_builddir}/%{srcRoot}/src/lib/ -ln -s %{_libdir}/libkrb4.so %{_builddir}/%{srcRoot}/src/lib/ -ln -s %{_libdir}/libdes425.so %{_builddir}/%{srcRoot}/src/lib/ -cd ../../../kadmin/cli -make getdate.o -cd ../../plugins/kdb/ldap/ -make %{?jobs:-j%jobs} -cd ../../preauth/pkinit/ -make %{?jobs:-j%jobs} -#make check - -%install -mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb -mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth -mkdir -p %{buildroot}/%{krb5docdir} -mkdir -p %{buildroot}/usr/lib/mit/sbin/ -mkdir -p %{buildroot}/%{_mandir}/man8/ -cd src/plugins/kdb/ldap/ -make DESTDIR=%{buildroot} install -cd ../../preauth/pkinit/ -make 
DESTDIR=%{buildroot} install -# all libs must have permissions 0755 -for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"` -do - chmod 0755 ${lib} -done -install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema %{buildroot}/%{krb5docdir}/kerberos.schema -install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif %{buildroot}/%{krb5docdir}/kerberos.ldif -# cleanup -rm -f %{buildroot}/usr/share/man/man1/tmac.doc* -rm -f /usr/share/man/man1/tmac.doc* -rm -rf /usr/lib/mit/share -rm -rf %{buildroot}/usr/lib/mit/share -##################################################### -# krb5 pre/post/postun -##################################################### - -%post -n krb5-plugin-kdb-ldap -/sbin/ldconfig - -%postun -n krb5-plugin-kdb-ldap -/sbin/ldconfig - -%clean -rm -rf %{buildroot} -######################################################## -# files sections -######################################################## - -%files -n krb5-plugin-kdb-ldap -%defattr(-,root,root) -%dir %{_libdir}/krb5 -%dir %{_libdir}/krb5/plugins -%dir %{_libdir}/krb5/plugins/kdb -%dir /usr/lib/mit/sbin/ -%dir %{krb5docdir} -%doc %{krb5docdir}/kerberos.schema -%doc %{krb5docdir}/kerberos.ldif -%{_libdir}/krb5/plugins/kdb/*.so -/usr/lib/mit/sbin/* -%{_libdir}/libkdb_ldap* -%{_mandir}/man8/* - -%files -n krb5-plugin-preauth-pkinit -%defattr(-,root,root) -%dir %{_libdir}/krb5 -%dir %{_libdir}/krb5/plugins -%dir %{_libdir}/krb5/plugins/preauth -%{_libdir}/krb5/plugins/preauth/pkinit.so - -%changelog -* Fri Jul 25 2008 mc@suse.de -- add patches from SVN post 1.6.3 - * krb5_string_to_keysalts: Fix an infinite loop - * fix some mutex issues - * better recovery from corrupt rcache files - * some more small fixes -* Wed Jun 18 2008 mc@suse.de -- reduce rpmlint warnings -* Tue Dec 04 2007 mc@suse.de -- improve GSSAPI error messages -* Tue Oct 23 2007 mc@suse.de -- update to krb5 version 1.6.3 - * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c 
buffer overflow - * fix CVE-2007-4000 modify_policy vulnerability - * Add PKINIT support -- remove patches which are upstream now -- enhance init scripts and xinetd profiles -* Fri Sep 14 2007 mc@suse.de -- update krb5-1.6.2-post.dif - * If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that - that the client library will not failover to the next KDC. - [#310540] -* Tue Sep 11 2007 mc@suse.de -- update krb5-1.6.2-post.dif - * new -S sname option for kvno - * read_entropy_from_device on partial read will not fill buffer - * Bail out if encoded "ticket" doesn't decode correctly. - * patch for referrals loop -* Thu Sep 06 2007 mc@suse.de -- fix a problem with the originally published patch - for MITKRB5-SA-2007-006 - CVE-2007-3999 - [#302377] -* Wed Sep 05 2007 mc@suse.de -- fix execute arbitrary code - (MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000) - [#302377] -* Tue Aug 07 2007 mc@suse.de -- add krb5-1.6.2-post.dif - * during the referrals loop, check to see if the - session key enctype of a returned credential for the final - service is among the enctypes explicitly selected by the - application, and retry with old_use_conf_ktypes if it is not. - * If mkstemp() is available, the new ccache file gets created but - the subsequent open(O_CREAT|O_EXCL) call fails because the file - was already created by mkstemp(). Apply patch from Apple to keep - the file descriptor open. 
-* Thu Jul 12 2007 mc@suse.de -- update to version 1.6.2 -- remove krb5-1.6.1-post.dif all fixes are included in this release -* Mon Jul 02 2007 mc@suse.de -- update krb5-1.6.1-post.dif - * fix leak in krb5_walk_realm_tree - * rd_req_decoded needs to deal with referral realms - * fix buffer overflow in kadmind - (MITKRB5-SA-2007-005 - CVE-2007-2798) - [#278689] - * fix kadmind code execution bug - (MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443) - [#271191] -* Wed May 09 2007 mc@suse.de -- fix uninitialized salt length -- add extra check for keytab file -* Thu May 03 2007 mc@suse.de -- adding krb5-1.6.1-post.dif - * fix segfault in krb5_get_init_creds_password - * remove debug output in ftp client - * profile stores empty string values without double quotes -* Mon Apr 23 2007 mc@suse.de -- update to final 1.6.1 version -* Mon Apr 16 2007 mc@suse.de -- update to version 1.6.1 Beta1 -- remove obsolete patches - (krb5-1.6-post.dif, krb5-1.6-patchlevel.dif) -- rework compile_pie patch -* Wed Apr 11 2007 mc@suse.de -- update krb5-1.6-post.dif - * fix kadmind stack overflow in krb5_klog_syslog - (MITKRB5-SA-2007-002 - CVE-2007-0957) - [#253548] - * fix double free attack in the RPC library - (MITKRB5-SA-2007-003 - CVE-2007-1216) - [#252487] - * fix krb5 telnetd login injection - (MIT-SA-2007-001 - CVE-2007-0956) - [#247765] -* Thu Mar 29 2007 mc@suse.de -- add ncurses-devel and bison to BuildRequires -- rework some patches -* Mon Feb 19 2007 mc@suse.de -- update krb5-1.6-post.dif -* Fri Feb 09 2007 mc@suse.de -- update krb5-1.6-post.dif -* Mon Jan 29 2007 ro@suse.de -- no main package, no debuginfo -* Mon Jan 29 2007 mc@suse.de -- krb5-1.6-fix-passwd-tcp.dif and krb5-1.6-fix-sendto_kdc-memset.dif - are now upstream. Remove patches. 
-- fix leak in krb5_kt_resolve and krb5_kt_wresolve -* Tue Jan 23 2007 mc@suse.de -- fix "local variable used before set" in ftp.c - [#237684] -- use less BuildRequires -* Mon Jan 22 2007 mc@suse.de -- initial release (version 1.6) - * Major changes in 1.6 include - * Partial client implementation to handle server name referrals. - * Pre-authentication plug-in framework, donated by Red Hat. - * LDAP KDB plug-in, donated by Novell. diff --git a/krb5-trunk-seqnum.patch b/krb5-trunk-seqnum.patch deleted file mode 100644 index 31a7121..0000000 --- a/krb5-trunk-seqnum.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -Every KRB-PRIV message we generate to include as part of a password change -request we create (after the first one) will include sequence numbers which -look "wrong" to the recipient, because previously generating other KRB-PRIV -messages will mess with the counters in the auth_context. Because the -current code attempts to reuse auth_context structures (and changing that -would be more invasive), we'll just save the sequence number values as they -are after we build the AP-REQ, and restore them before generating requests. -RT#5867. - -Index: src/lib/krb5/os/changepw.c -=================================================================== ---- src/lib/krb5/os/changepw.c (revision 20195) -+++ src/lib/krb5/os/changepw.c (working copy) -@@ -34,6 +34,7 @@ - #include "k5-int.h" - #include "os-proto.h" - #include "cm.h" -+#include "../krb/auth_con.h" - - #include - #include -@@ -48,6 +49,7 @@ - krb5_principal set_password_for; - char *newpw; - krb5_data ap_req; -+ krb5_ui_4 remote_seq_num, local_seq_num; - }; - - -@@ -159,6 +161,9 @@ - &local_kaddr, NULL))) - goto cleanup; - -+ ctx->auth_context->remote_seq_number = ctx->remote_seq_num; -+ ctx->auth_context->local_seq_number = ctx->local_seq_num; -+ - if (ctx->set_password_for) - code = krb5int_mk_setpw_req(ctx->context, - ctx->auth_context, -@@ -225,6 +230,9 @@ - &callback_ctx.ap_req))) - goto cleanup; - -+ callback_ctx.remote_seq_num = callback_ctx.auth_context->remote_seq_number; -+ callback_ctx.local_seq_num = callback_ctx.auth_context->local_seq_number; -+ - do { - if ((code = krb5_locate_kpasswd(callback_ctx.context, - krb5_princ_realm(callback_ctx.context, diff --git a/krb5.changes b/krb5.changes index 2e02c10..b8f2847 100644 --- a/krb5.changes +++ b/krb5.changes 
@@ -1,3 +1,44 @@ +------------------------------------------------------------------- +Wed Jun 3 10:23:42 CEST 2009 - mc@suse.de + +- update to final 1.7 release + +------------------------------------------------------------------- +Wed May 13 11:30:42 CEST 2009 - mc@suse.de + +- update to version 1.7 Beta2 + * Incremental propagation support for the KDC database. + * Flexible Authentication Secure Tunneling (FAST), a preauthentiation + framework that can protect the AS exchange from dictionary attack. + * Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which + allows a GSS application to request credential delegation only if + permitted by KDC policy. + * Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 -- + various vulnerabilities in SPNEGO and ASN.1 code. + +------------------------------------------------------------------- +Mon Feb 16 13:04:26 CET 2009 - mc@suse.de + +- update to pre 1.7 version + * Remove support for version 4 of the Kerberos protocol (krb4). + * New libdefaults configuration variable "allow_weak_crypto". + * Client library now follows client principal referrals, for + compatibility with Windows. + * KDC can issue realm referrals for service principals based on domain + names. + * Encryption algorithm negotiation (RFC 4537). + * In the replay cache, use a hash over the complete ciphertext to + avoid false-positive replay indications. + * Microsoft GSS_WrapEX, implemented using the gss_iov API, which is + similar to the equivalent SSPI functionality. + * DCE RPC, including three-leg GSS context setup and unencapsulated + GSS tokens. + * NTLM recognition support in GSS-API, to facilitate dropping in an + NTLM implementation. + * KDC support for principal aliases, if the back end supports them. + * Microsoft set/change password (RFC 3244) protocol in kadmind. + * Master key rollover support. + ------------------------------------------------------------------- Wed Jan 14 09:21:36 CET 2009 - olh@suse.de 
diff --git a/krb5.spec b/krb5.spec
index 7d33cae..cdb1118 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -1,5 +1,5 @@
 #
-# spec file for package krb5 (Version 1.6.3)
+# spec file for package krb5 (Version 1.7)
 #
 # Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
@@ -17,66 +17,46 @@ # norootforbuild +%define build_mini 0 +%define srcRoot krb5-1.7 +%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ +%define krb5docdir %{_defaultdocdir}/krb5 Name: krb5 -Version: 1.6.3 -Release: 85 +License: MIT License (or similar) +Url: http://web.mit.edu/kerberos/www/ BuildRequires: bison libcom_err-devel ncurses-devel -%if %{suse_version} > 1010 BuildRequires: keyutils keyutils-devel -%endif -%define srcRoot krb5-1.6.3 -%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ -%define krb5docdir %{_defaultdocdir}/%{name} -Provides: heimdal-lib -Obsoletes: heimdal-lib +Version: 1.7 +Release: 4 +%if ! 0%{?build_mini} +BuildRequires: libopenssl-devel openldap2-devel # bug437293 %ifarch ppc64 -Obsoletes: heimdal-lib-64bit Obsoletes: krb5-64bit %endif # Summary: MIT Kerberos5 Implementation--Libraries -License: X11/MIT -Url: http://web.mit.edu/kerberos/www/ Group: Productivity/Networking/Security -Source: krb5-1.6.3.tar.bz2 +%else +Summary: MIT Kerberos5 Implementation--Libraries +Group: Productivity/Networking/Security +%endif +Source: krb5-1.7.tar.bz2 Source1: vendor-files.tar.bz2 Source2: README.Source Source3: spx.c -Source4: EncryptWithMasterKey.c -Source5: %{name}-%{version}-rpmlintrc -Source10: krb5-trunk-manpaths.txt -Patch1: krb5-1.5.1-fix-too-few-arguments.dif +Source5: krb5-%{version}-rpmlintrc +Source10: krb5-1.7-manpaths.txt Patch2: krb5-1.6.1-compile_pie.dif -Patch3: krb5-1.4-fix-segfault.dif -Patch6: trunk-EncryptWithMasterKey.dif -Patch14: warning-fix-lib-crypto-des.dif -Patch15: warning-fix-lib-crypto-dk.dif -Patch16: warning-fix-lib-crypto.dif -Patch17: warning-fix-lib-crypto-enc_provider.dif -Patch18: warning-fix-lib-crypto-yarrow_arcfour.dif -Patch20: kprop-use-mkstemp.dif +Patch20: krb5-1.6.3-kprop-use-mkstemp.dif Patch21: krb5-1.5.1-fix-var-used-before-value-set.dif Patch22: krb5-1.5.1-fix-ftp-var-used-uninitialized.dif -Patch24: krb5-1.5.1-fix-strncat-warning.dif -Patch25: krb5-1.6.1-init-salt-length.dif -Patch30: 
trunk-manpaths.dif -Patch31: krb5-1.6-ldap-man.dif +Patch30: krb5-1.7-manpaths.dif Patch32: krb5-1.4.3-enospc.dif -Patch33: krb5-1.3.3-rcp-markus.dif -Patch34: gssapi_improve_errormessages.dif -Patch35: krb5-1.6-fix-CVE-2007-5894.dif -Patch36: krb5-1.6-fix-CVE-2007-5902.dif -Patch37: krb5-1.6-fix-CVE-2007-5971.dif -Patch38: krb5-1.6-fix-CVE-2007-5972.dif -Patch39: krb5-1.6-MITKRB5-SA-2008-001.dif -Patch40: krb5-1.6-MITKRB5-SA-2008-002.dif -Patch41: krb5-trunk-kpasswd_tcp.patch -Patch42: krb5-trunk-seqnum.patch -Patch43: krb5-1.6.3-case-insensitive.dif +Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif +Patch41: krb5-1.6.3-kpasswd_tcp.patch Patch44: krb5-1.6.3-ktutil-manpage.dif -Patch45: krb5-1.6.3-post.dif Patch46: krb5-1.6.3-fix-ipv6-query.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils @@ -96,12 +76,12 @@ Authors: Ken Raeburn Tom Yu +%if ! %{build_mini} + %package client -License: X11/MIT +License: MIT License (or similar) Summary: MIT Kerberos5 implementation - client programs Group: Productivity/Networking/Security -Provides: heimdal-tools, heimdal-x11 -Obsoletes: heimdal-tools, heimdal-x11 %description client Kerberos V5 is a trusted-third-party network authentication system, @@ -119,11 +99,9 @@ Authors: Tom Yu %package server -License: X11/MIT +License: MIT License (or similar) Summary: MIT Kerberos5 implementation - server Group: Productivity/Networking/Security -Provides: heimdal -Obsoletes: heimdal Requires: perl-Date-Calc Requires: logrotate cron PreReq: %insserv_prereq %fillup_prereq 
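Review bot: The new guard at the top of the header is written `%if ! 0%{?build_mini}`, while every other guard this commit adds (`%if ! %{build_mini}` before `%package client`, and the ones around the configure flags and the doc install) uses the bare macro; since `%define build_mini 0` sits a few lines above, both forms work today, but mixing them invites a future edit that moves the define and breaks only one set. Pick one spelling, `%if ! %{build_mini}`, for all of them. The hunk also hard-codes `krb5-1.7` in `%define srcRoot`, `Source10` and `Patch30` while `Source5` is written with `%{version}`; as far as I can tell `%define srcRoot krb5-%{version}` expands fine even though `Version:` is declared later, which would keep the next version bump to a single line.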
@@ -136,39 +114,6 @@ and more. -Authors: --------- - The MIT Kerberos Team - Sam Hartman - Ken Raeburn - Tom Yu - -%package devel -License: X11/MIT -Summary: MIT Kerberos5 - Include Files and Libraries -Group: Development/Libraries/C and C++ -PreReq: %{name} = %{version} -Requires: libcom_err-devel -%if %{suse_version} > 1010 -Requires: keyutils-devel -%endif -Provides: heimdal-tools-devel, heimdal-devel -Obsoletes: heimdal-tools-devel, heimdal-devel -# bug437293 -%ifarch ppc64 -Obsoletes: heimdal-devel-64bit -Obsoletes: krb5-devel-64bit -%endif -# - -%description devel -Kerberos V5 is a trusted-third-party network authentication system, -which can improve your network's security by eliminating the insecure -practice of cleartext passwords. This package includes Libraries and -Include Files for Development - - - Authors: -------- The MIT Kerberos Team @@ -177,7 +122,7 @@ Authors: Tom Yu %package apps-servers -License: X11/MIT +License: MIT License (or similar) Summary: MIT Kerberos5 server applications Group: Productivity/Networking/Security @@ -197,7 +142,7 @@ Authors: Tom Yu %package apps-clients -License: X11/MIT +License: MIT License (or similar) Summary: MIT Kerberos5 client applications Group: Productivity/Networking/Security 
@@ -209,6 +154,79 @@ compatible client applications like ftp, rpc, rlogin, telnet, ... +Authors: +-------- + The MIT Kerberos Team + Sam Hartman + Ken Raeburn + Tom Yu + +%package plugin-kdb-ldap +License: MIT License (or similar) +Summary: MIT Kerberos5 Implementation--LDAP Database Plugin +Group: Productivity/Networking/Security +Requires: krb5-server = %{version} + +%description plugin-kdb-ldap +Kerberos V5 is a trusted-third-party network authentication system, +which can improve your network's security by eliminating the insecure +practice of clear text passwords. This package contains the LDAP +database plugin. + + + +Authors: +-------- + The MIT Kerberos Team + Sam Hartman + Ken Raeburn + Tom Yu + +%package plugin-preauth-pkinit +License: MIT License (or similar) +Summary: MIT Kerberos5 Implementation--PKINIT preauth Plugin +Group: Productivity/Networking/Security + +%description plugin-preauth-pkinit +Kerberos V5 is a trusted-third-party network authentication system, +which can improve your network's security by eliminating the insecure +practice of cleartext passwords. This package includes a PKINIT plugin. + + + +Authors: +-------- + The MIT Kerberos Team + Sam Hartman + Ken Raeburn + Tom Yu + +%endif #! build_mini + +%package devel +License: MIT License (or similar) +Summary: MIT Kerberos5 - Include Files and Libraries +Group: Development/Libraries/C and C++ +PreReq: %{name} = %{version} +Requires: libcom_err-devel +Requires: keyutils-devel +# bug437293 +%ifarch ppc64 +Obsoletes: krb5-devel-64bit +%endif +%if %{build_mini} +Provides: krb5-devel = %{version} +%endif +# + +%description devel +Kerberos V5 is a trusted-third-party network authentication system, +which can improve your network's security by eliminating the insecure +practice of cleartext passwords. This package includes Libraries and +Include Files for Development + + + Authors: -------- The MIT Kerberos Team 
@@ -224,43 +242,21 @@ then echo "spx.c contains potential legal risks." exit 1; else - cp %{_sourcedir}/spx.c %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c + cp %{SOURCE3} %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c fi -%patch1 %patch2 -%patch3 -%patch6 -%patch14 -%patch15 -%patch16 -%patch17 -%patch18 %patch20 %patch21 %patch22 -%patch24 -%patch25 %patch30 -p1 -%patch31 %patch32 -p1 -%patch33 -p1 %patch34 -p1 -%patch35 -%patch36 -%patch37 -%patch38 -%patch39 -p1 -%patch40 %patch41 -%patch42 -%patch43 %patch44 -p1 -%patch45 %patch46 -p1 -cp %{_sourcedir}/EncryptWithMasterKey.c %{_builddir}/%{srcRoot}/src/kadmin/dbutil/EncryptWithMasterKey.c # Rename the man pages so that they'll get generated correctly. pushd src -cat $RPM_SOURCE_DIR/krb5-trunk-manpaths.txt | while read manpage ; do +cat %{SOURCE10} | while read manpage ; do mv "$manpage" "$manpage".in done popd @@ -269,7 +265,7 @@ popd cd src %{?suse_update_config:%{suse_update_config -f}} ./util/reconf -CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -D__CI_PRINC__ -fPIC " \ +CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC " \ ./configure \ --prefix=/usr/lib/mit \ --sysconfdir=%{_sysconfdir} \ @@ -281,11 +277,17 @@ CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -D__ --localstatedir=%{_localstatedir}/lib/kerberos \ --enable-shared \ --disable-static \ - --enable-dns \ + --enable-kdc-replay-cache \ + --enable-dns-for-realm \ + --disable-rpath \ +%if ! %{build_mini} + --with-ldap \ +%else + --disable-pkinit \ +%endif --with-system-et \ --with-system-ss make %{?jobs:-j%jobs} -#make check %install cd src 
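Review bot: `--enable-dns-for-realm` in the new configure flags changes the compiled-in default so that `dns_lookup_realm` is on unless krb5.conf turns it off; upstream ships it off because mapping a hostname to a realm from unsigned DNS TXT answers means a spoofed DNS reply can decide which realm a client authenticates against. If I read the old `--enable-dns` correctly this carries over the realm-lookup half of it rather than adding it, but either way it deserves to be a visible decision: a comment on the flag such as `# keeps realm lookup via DNS TXT on by default; see dns_lookup_realm in krb5.conf(5)` plus an explicit `dns_lookup_realm` setting in the packaged krb5.conf, so the behaviour no longer depends on a build flag. The `%if ! %{build_mini}` / `%else` / `%endif` lines sit in the middle of a backslash-continued `./configure` invocation; that works because rpm resolves the conditionals before the shell sees the script, and a one-line comment saying so would spare the next reader a double take.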
@@ -324,14 +326,12 @@ do chmod 0755 ${lib} done # and binaries too -chmod 0755 %{buildroot}/usr/lib/mit/bin/v4rcp chmod 0755 %{buildroot}/usr/lib/mit/bin/ksu # install init scripts mkdir -p %{buildroot}%{_sysconfdir}/init.d install -m 755 %{vendorFiles}/kadmind.init %{buildroot}%{_sysconfdir}/init.d/kadmind install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb5kdc install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd -install -m 755 %{vendorFiles}/krb524d.init %{buildroot}%{_sysconfdir}/init.d/krb524d # install xinetd files mkdir -p %{buildroot}%{_sysconfdir}/xinetd.d install -m 644 %{vendorFiles}/klogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/klogin 
@@ -347,67 +347,61 @@ mkdir -p %{buildroot}/usr/bin/ ln -sf ../../etc/init.d/kadmind %{buildroot}/usr/bin/rckadmind ln -sf ../../etc/init.d/krb5kdc %{buildroot}/usr/bin/rckrb5kdc ln -sf ../../etc/init.d/kpropd %{buildroot}/usr/bin/rckpropd -ln -sf ../../etc/init.d/krb524d %{buildroot}/usr/bin/rckrb524d # create links for kinit and klist, because of the java ones ln -sf ../../usr/lib/mit/bin/kinit %{buildroot}/usr/bin/kinit ln -sf ../../usr/lib/mit/bin/klist %{buildroot}/usr/bin/klist -# install helper scripts -install -d -m 755 %{buildroot}/usr/lib/mit/helper -install -m 744 %{vendorFiles}/heimdal2mit-DumpConvert.pl %{buildroot}/usr/lib/mit/helper/heimdal2mit-DumpConvert.pl -install -m 744 %{vendorFiles}/simple_convert_krb5conf.pl %{buildroot}/usr/lib/mit/helper/simple_convert_krb5conf.pl # install doc install -d -m 755 %{buildroot}/%{krb5docdir} -install -m 644 %{vendorFiles}/README.ConvertHeimdalMIT %{buildroot}/%{krb5docdir}/README.ConvertHeimdalMIT install -m 644 %{_builddir}/%{srcRoot}/README %{buildroot}/%{krb5docdir}/README +%if ! 
%{build_mini} +install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema %{buildroot}/%{krb5docdir}/kerberos.schema +install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif %{buildroot}/%{krb5docdir}/kerberos.ldif +%endif # cleanup rm -f %{buildroot}/usr/share/man/man1/tmac.doc* rm -f /usr/share/man/man1/tmac.doc* rm -rf /usr/lib/mit/share rm -rf %{buildroot}/usr/lib/mit/share ##################################################### -# krb5 pre/post/postun +# krb5-mini-devel pre/post/postun ##################################################### +%if %{build_mini} -%pre -# test update from heimdal-lib -if `ls usr/lib/libotp.so* 2>/dev/null 1>/dev/null` -then - # we update from heimdal - echo "backup /etc/krb5.conf to /etc/krb5.conf.heimdal" - mv etc/krb5.conf etc/krb5.conf.heimdal - touch var/adm/fillup-templates/heimdal-update - if [ -e etc/krb5.keytab ] - then - echo "backup /etc/krb5.keytab to /etc/krb5.keytab.heimdal" - mv etc/krb5.keytab etc/krb5.keytab.heimdal - fi -fi - -%post -/sbin/ldconfig -if [ -e var/adm/fillup-templates/heimdal-update ] -then - /usr/lib/mit/helper/simple_convert_krb5conf.pl - rm -f /var/adm/fillup-templates/heimdal-update -fi -if [ ! 
-e etc/krb5.conf -a -e etc/krb5.conf.rpmnew ] -then - echo "moving /etc/krb5.conf.rpmnew to /etc/krb5.conf" - mv etc/krb5.conf.rpmnew etc/krb5.conf -fi +%preun +%stop_on_removal krb5kdc kadmind kpropd %postun /sbin/ldconfig +%restart_on_update krb5kdc kadmind kpropd +%{insserv_cleanup} + +%post -p /sbin/ldconfig +%else +##################################################### +# krb5 pre/post/postun +##################################################### + +%post -p /sbin/ldconfig + +%postun -p /sbin/ldconfig + +%preun server ##################################################### # krb5-server preun/postun ##################################################### - -%preun server -%stop_on_removal krb5kdc kadmind kpropd krb524d +%stop_on_removal krb5kdc kadmind kpropd %postun server -%restart_on_update krb5kdc kadmind kpropd krb524d +%restart_on_update krb5kdc kadmind kpropd %{insserv_cleanup} +##################################################### +# krb5-plugin-kdb-ldap post/postun +##################################################### + +%post plugin-kdb-ldap -p /sbin/ldconfig + +%postun plugin-kdb-ldap -p /sbin/ldconfig +%endif %clean rm -rf %{buildroot} 
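Review bot: `%preun server` is now placed above the `# krb5-server preun/postun` banner instead of below it, so the three comment lines become the first lines of the server preun scriptlet body (harmless to the shell, but the banner no longer labels the section it sits in). Move it back so the scriptlet reads `%preun server` directly followed by `%stop_on_removal krb5kdc kadmind kpropd`, with the banner above both. In the `%if %{build_mini}` branch the main package's `%postun` runs `/sbin/ldconfig` as a script body while `%post -p /sbin/ldconfig` uses the interpreter form; both are correct, and the asymmetry exists because `%restart_on_update` needs a shell body, so a short comment like `# shell body: %restart_on_update cannot be combined with -p` would stop someone from "simplifying" it.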
@@ -415,6 +409,124 @@ rm -rf %{buildroot} # files sections ######################################################## +%files devel +%defattr(-,root,root) +%dir /usr/lib/mit +%dir /usr/lib/mit/bin +%dir /usr/lib/mit/sbin +%{_libdir}/libgssrpc.so +%{_libdir}/libk5crypto.so +%{_libdir}/libkadm5clnt.so +%{_libdir}/libkadm5srv.so +%{_libdir}/libkdb5.so +%{_libdir}/libkrb5.so +%{_libdir}/libkrb5support.so +%{_includedir}/* +/usr/lib/mit/bin/krb5-config +/usr/lib/mit/sbin/krb5-send-pr +%{_mandir}/man1/krb5-send-pr.1* +%{_mandir}/man1/krb5-config.1* +%if %{build_mini} + +%files +%defattr(-,root,root) +%dir %{krb5docdir} +# add directories +%dir %{_libdir}/krb5 +%dir %{_libdir}/krb5/plugins +%dir %{_libdir}/krb5/plugins/kdb +%dir %{_libdir}/krb5/plugins/preauth +%dir %{_libdir}/krb5/plugins/libkrb5 +%dir %{_localstatedir}/lib/kerberos/ +%dir %{_localstatedir}/lib/kerberos/krb5kdc +%attr(0700,root,root) %dir /var/log/krb5 +%dir /usr/lib/mit +%dir /usr/lib/mit/sbin +%dir /usr/lib/mit/bin +%doc %{krb5docdir}/README +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf +%attr(0644,root,root) %config /etc/profile.d/krb5* +%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server +%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf +%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl +%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict +%config(noreplace) %{_sysconfdir}/xinetd.d/klogin +%config(noreplace) %{_sysconfdir}/xinetd.d/eklogin +%config(noreplace) %{_sysconfdir}/xinetd.d/kshell +%config(noreplace) %{_sysconfdir}/xinetd.d/ktelnet +%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k* +%{_sysconfdir}/init.d/* +%{_libdir}/libgssapi_krb5.* +%{_libdir}/libgssrpc.so.* +%{_libdir}/libk5crypto.so.* +%{_libdir}/libkadm5clnt.so.* +%{_libdir}/libkadm5srv.so.* +%{_libdir}/libkdb5.so.* +%{_libdir}/libkrb5.so.* +%{_libdir}/libkrb5support.so.* 
+%{_libdir}/krb5/plugins/kdb/* +%{_libdir}/krb5/plugins/preauth/* +#/usr/lib/mit/sbin/* +/usr/lib/mit/sbin/kadmin.local +/usr/lib/mit/sbin/kadmind +/usr/lib/mit/sbin/kpropd +/usr/lib/mit/sbin/kproplog +/usr/lib/mit/sbin/kprop +/usr/lib/mit/sbin/kdb5_util +/usr/lib/mit/sbin/krb5kdc +/usr/lib/mit/sbin/ftpd +/usr/lib/mit/sbin/klogind +/usr/lib/mit/sbin/kshd +/usr/lib/mit/sbin/telnetd +/usr/lib/mit/sbin/uuserver +/usr/lib/mit/sbin/sserver +/usr/lib/mit/sbin/gss-server +/usr/lib/mit/sbin/sim_server +/usr/lib/mit/sbin/login.krb5 +/usr/lib/mit/bin/k5srvutil +/usr/lib/mit/bin/kvno +/usr/lib/mit/bin/kinit +/usr/lib/mit/bin/kdestroy +/usr/lib/mit/bin/kpasswd +/usr/lib/mit/bin/klist +/usr/lib/mit/bin/kadmin +/usr/lib/mit/bin/ktutil +%attr(0755,root,root) /usr/lib/mit/bin/ksu +/usr/lib/mit/bin/rcp +/usr/lib/mit/bin/rsh +/usr/lib/mit/bin/telnet +/usr/lib/mit/bin/uuclient +/usr/lib/mit/bin/sclient +/usr/lib/mit/bin/gss-client +/usr/lib/mit/bin/sim_client +/usr/lib/mit/bin/ftp +/usr/lib/mit/bin/rlogin +#/usr/lib/mit/bin/* +/usr/bin/kinit +/usr/bin/klist +/usr/bin/rc* +#%{_mandir}/man1/* +%{_mandir}/man1/kvno.1* +%{_mandir}/man1/kinit.1* +%{_mandir}/man1/kdestroy.1* +%{_mandir}/man1/kpasswd.1* +%{_mandir}/man1/klist.1* +%{_mandir}/man1/kerberos.1* +%{_mandir}/man1/kftp.1* +%{_mandir}/man1/krlogin.1* +%{_mandir}/man1/krsh.1* +%{_mandir}/man1/ktelnet.1* +%{_mandir}/man1/ksu.1* +%{_mandir}/man1/krcp.1* +%{_mandir}/man1/sclient.1* +%{_mandir}/man1/kadmin.1* +%{_mandir}/man1/ktutil.1* +%{_mandir}/man1/k5srvutil.1* +%{_mandir}/man5/* +%{_mandir}/man5/.k5login.5.gz +%{_mandir}/man8/* +%else + %files %defattr(-,root,root) %dir %{krb5docdir} 
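Review bot: `%{_mandir}/man5/.k5login.5.gz` in the new mini file list hard-codes the compression suffix while every sibling entry (`%{_mandir}/man5/*`, `%{_mandir}/man1/kvno.1*`) uses a wildcard, and the client package in this same commit lists the same page as `%{_mandir}/man5/.k5login.5*`; the explicit entry is needed because the glob does not match a leading dot, but write it as `%{_mandir}/man5/.k5login.5*` so a change in man-page compression does not break only the mini build. The same hard-coded suffix appears as `%{_mandir}/man8/kproplog.8.gz` in the `%files server` hunk later in this commit, next to `%{_mandir}/man8/kprop.8*`. A one-line comment above the dotfile entry, `# listed explicitly: the glob above does not match dotfiles`, would keep the next reader from deleting it as redundant.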
@@ -424,15 +536,20 @@ rm -rf %{buildroot} %dir %{_libdir}/krb5/plugins/kdb %dir %{_libdir}/krb5/plugins/preauth %dir %{_libdir}/krb5/plugins/libkrb5 -%dir /usr/lib/mit/helper # add log directory %attr(0700,root,root) %dir /var/log/krb5 -%doc %{krb5docdir}/README -/usr/lib/mit/helper/simple_convert_krb5conf.pl +%doc %{krb5docdir}/README %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf %attr(0644,root,root) %config /etc/profile.d/krb5* -%{_libdir}/lib*.so.* -%{_libdir}/libgssapi_krb5.so +%{_libdir}/libgssapi_krb5.* +%{_libdir}/libgssrpc.so.* +%{_libdir}/libk5crypto.so.* +%{_libdir}/libkadm5clnt.so.* +%{_libdir}/libkadm5srv.so.* +%{_libdir}/libkdb5.so.* +%{_libdir}/libkrb5.so.* +%{_libdir}/libkrb5support.so.* +%{_libdir}/krb5/plugins/preauth/encrypted_challenge.so %files server %defattr(-,root,root) 
@@ -440,40 +557,35 @@ rm -rf %{buildroot} %{_sysconfdir}/init.d/kadmind %{_sysconfdir}/init.d/krb5kdc %{_sysconfdir}/init.d/kpropd -%{_sysconfdir}/init.d/krb524d %dir %{krb5docdir} %dir /usr/lib/mit %dir /usr/lib/mit/sbin -%dir /usr/lib/mit/helper %dir %{_localstatedir}/lib/kerberos/ %dir %{_localstatedir}/lib/kerberos/krb5kdc %dir %{_libdir}/krb5 %dir %{_libdir}/krb5/plugins %dir %{_libdir}/krb5/plugins/kdb -%doc %{krb5docdir}/README.ConvertHeimdalMIT %attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf %attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl %attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict +%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k* /usr/bin/rc* /usr/lib/mit/sbin/kadmin.local /usr/lib/mit/sbin/kadmind /usr/lib/mit/sbin/kpropd +/usr/lib/mit/sbin/kproplog /usr/lib/mit/sbin/kprop /usr/lib/mit/sbin/kdb5_util /usr/lib/mit/sbin/krb5kdc -/usr/lib/mit/sbin/krb524d -/usr/lib/mit/sbin/EncryptWithMasterKey -/usr/lib/mit/helper/heimdal2mit-DumpConvert.pl -%{_libdir}/krb5/plugins/kdb/*.so +%{_libdir}/krb5/plugins/kdb/db2.so %{_mandir}/man5/kdc.conf.5* %{_mandir}/man8/kadmind.8* %{_mandir}/man8/kadmin.local.8* %{_mandir}/man8/kpropd.8* %{_mandir}/man8/kprop.8* +%{_mandir}/man8/kproplog.8.gz %{_mandir}/man8/kdb5_util.8* %{_mandir}/man8/krb5kdc.8* -%{_mandir}/man8/krb524d.8* -/etc/sysconfig/SuSEfirewall2.d/services/k* %files client %defattr(-,root,root) 
@@ -485,24 +597,22 @@ rm -rf %{buildroot} /usr/lib/mit/bin/kdestroy /usr/lib/mit/bin/kpasswd /usr/lib/mit/bin/klist -/usr/lib/mit/bin/krb524init -/usr/lib/mit/sbin/kadmin -/usr/lib/mit/sbin/ktutil -/usr/lib/mit/sbin/k5srvutil +/usr/lib/mit/bin/kadmin +/usr/lib/mit/bin/ktutil +/usr/lib/mit/bin/k5srvutil /usr/bin/kinit /usr/bin/klist %{_mandir}/man1/kvno.1* %{_mandir}/man1/kinit.1* -%{_mandir}/man1/krb524init.1* %{_mandir}/man1/kdestroy.1* %{_mandir}/man1/kpasswd.1* %{_mandir}/man1/klist.1* %{_mandir}/man1/kerberos.1* +%{_mandir}/man1/kadmin.1* +%{_mandir}/man1/ktutil.1* +%{_mandir}/man1/k5srvutil.1* %{_mandir}/man5/krb5.conf.5* %{_mandir}/man5/.k5login.5* -%{_mandir}/man8/kadmin.8* -%{_mandir}/man8/ktutil.8* -%{_mandir}/man8/k5srvutil.8* %files apps-servers %defattr(-,root,root) 
@@ -543,405 +653,34 @@ rm -rf %{buildroot} /usr/lib/mit/bin/sclient /usr/lib/mit/bin/gss-client /usr/lib/mit/bin/sim_client -# removed SUID bit -%attr(0755,root,root)/usr/lib/mit/bin/v4rcp %{_mandir}/man1/kftp.1* %{_mandir}/man1/krlogin.1* %{_mandir}/man1/krsh.1* %{_mandir}/man1/ktelnet.1* %{_mandir}/man1/ksu.1* %{_mandir}/man1/krcp.1* -%{_mandir}/man1/v4rcp.1* %{_mandir}/man1/sclient.1* -%files devel +%files plugin-kdb-ldap %defattr(-,root,root) -%dir /usr/lib/mit -%dir /usr/lib/mit/bin -%dir /usr/lib/mit/sbin -/usr/lib/mit/bin/krb5-config -%{_libdir}/libdes425.so -%{_libdir}/libgssrpc.so -%{_libdir}/libk5crypto.so -%{_libdir}/libkadm5clnt.so -%{_libdir}/libkadm5srv.so -%{_libdir}/libkdb5.so -%{_libdir}/libkrb4.so -%{_libdir}/libkrb5.so -%{_libdir}/libkrb5support.so -%{_includedir}/* -/usr/lib/mit/sbin/krb5-send-pr -%{_mandir}/man1/krb5-send-pr.1* -%{_mandir}/man1/krb5-config.1* +%dir %{_libdir}/krb5 +%dir %{_libdir}/krb5/plugins +%dir %{_libdir}/krb5/plugins/kdb +%dir /usr/lib/mit/sbin/ +%dir %{krb5docdir} +%doc %{krb5docdir}/kerberos.schema +%doc %{krb5docdir}/kerberos.ldif +%{_libdir}/krb5/plugins/kdb/kldap.so +/usr/lib/mit/sbin/kdb5_ldap_util +%{_libdir}/libkdb_ldap* +%{_mandir}/man8/kdb5_ldap_util.8* + +%files plugin-preauth-pkinit +%defattr(-,root,root) +%dir %{_libdir}/krb5 +%dir %{_libdir}/krb5/plugins +%dir %{_libdir}/krb5/plugins/preauth +%{_libdir}/krb5/plugins/preauth/pkinit.so +%endif #build_mini %changelog -* Wed Jan 14 2009 olh@suse.de -- obsolete also old heimdal-lib-XXbit and heimdal-devel-XXbit -* Thu Dec 11 2008 mc@suse.de -- do not query IPv6 addresses if no IPv6 address exists on this host - [bnc#449143] -* Wed Dec 10 2008 olh@suse.de -- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade - (bnc#437293) -* Thu Oct 30 2008 olh@suse.de -- obsolete old -XXbit packages (bnc#437293) -* Fri Sep 26 2008 mc@suse.de -- in case we use ldap as database backend, ldap should be - started before krb5kdc -* Mon Jul 28 2008 mc@suse.de -- 
add new fixes to post 1.6.3 patch - * fix mem leak in krb5_gss_accept_sec_context() - * keep minor_status - * kadm5_decrypt_key: A ktype of -1 is documented as meaning - "to be ignored" - * Reject socket fds > FD_SETSIZE -* Fri Jul 25 2008 mc@suse.de -- add patches from SVN post 1.6.3 - * krb5_string_to_keysalts: Fix an infinite loop - * fix some mutex issues - * better recovery from corrupt rcache files - * some more small fixes -* Wed Jun 18 2008 mc@suse.de -- add case-insensitive.dif (FATE#300771) -- minor fixes for ktutil man page -- reduce rpmlint warnings -* Wed May 14 2008 mc@suse.de -- Fall back to TCP on kdc-unresolvable/unreachable errors. -- restore valid sequence number before generating requests - (fix changing passwords in mixed ipv4/ipv6 enviroments) -* Thu Apr 10 2008 ro@suse.de -- added baselibs.conf file to build xxbit packages - for multilib support -* Wed Apr 09 2008 mc@suse.de -- modify krb5-config to not output rpath and cflags in --libs - (bnc#378270) -* Fri Mar 14 2008 mc@suse.de -- fix two security bugs: - * MITKRB5-SA-2008-001(CVE-2008-0062, CVE-2008-0063) - fix double free [bnc#361373] - * MITKRB5-SA-2008-002(CVE-2008-0947, CVE-2008-0948) - Memory corruption while too many open file descriptors - [bnc#363151] -- change default config file. Comment out the examples. 
-* Fri Dec 14 2007 mc@suse.de -- fix several security bugs: - * CVE-2007-5894 apparent uninit length - * CVE-2007-5902 integer overflow - * CVE-2007-5971 free of non-heap pointer and double-free - * CVE-2007-5972 double fclose() - [#346745, #346748, #346746, #346749, #346747] -* Tue Dec 04 2007 mc@suse.de -- improve GSSAPI error messages -* Tue Nov 06 2007 mc@suse.de -- add coreutils to PreReq -* Tue Oct 23 2007 mc@suse.de -- update to krb5 version 1.6.3 - * fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow - * fix CVE-2007-4000 modify_policy vulnerability - * Add PKINIT support -- remove patches which are upstream now -- enhance init scripts and xinetd profiles -* Fri Sep 14 2007 mc@suse.de -- update krb5-1.6.2-post.dif - * If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that - that the client library will not failover to the next KDC. - [#310540] -* Tue Sep 11 2007 mc@suse.de -- update krb5-1.6.2-post.dif - * new -S sname option for kvno - * read_entropy_from_device on partial read will not fill buffer - * Bail out if encoded "ticket" doesn't decode correctly. - * patch for referrals loop -* Thu Sep 06 2007 mc@suse.de -- fix a problem with the originally published patch - for MITKRB5-SA-2007-006 - CVE-2007-3999 - [#302377] -* Wed Sep 05 2007 mc@suse.de -- fix execute arbitrary code - (MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000) - [#302377] -* Tue Aug 07 2007 mc@suse.de -- add krb5-1.6.2-post.dif - * during the referrals loop, check to see if the - session key enctype of a returned credential for the final - service is among the enctypes explicitly selected by the - application, and retry with old_use_conf_ktypes if it is not. - * If mkstemp() is available, the new ccache file gets created but - the subsequent open(O_CREAT|O_EXCL) call fails because the file - was already created by mkstemp(). Apply patch from Apple to keep - the file descriptor open. 
-* Thu Jul 12 2007 mc@suse.de -- update to version 1.6.2 -- remove krb5-1.6.1-post.dif all fixes are included in this release -* Thu Jul 05 2007 mc@suse.de -- change requires to libcom_err-devel -* Mon Jul 02 2007 mc@suse.de -- update krb5-1.6.1-post.dif - * fix leak in krb5_walk_realm_tree - * rd_req_decoded needs to deal with referral realms - * fix buffer overflow in kadmind - (MITKRB5-SA-2007-005 - CVE-2007-2798) - [#278689] - * fix kadmind code execution bug - (MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443) - [#271191] -* Thu Jun 14 2007 mc@suse.de -- fix unstripped-binary-or-object rpmlint warning -* Mon Jun 11 2007 sschober@suse.de -- fixing rpmlint warnings and errors: - * merged logrotate scripts kadmin and krb5kdc into a single file - krb5-server. - * moved heimdal2mit-DumpConvert.pl and simple_convert_krb5conf.pl - from /usr/share/doc/packages/krb5 to /usr/lib/mit/helper. - adapted krb5.spec and README.ConvertHeimdalMIT accordingly. - * added surpression filter for - "devel-file-in-non-devel-package /usr/lib/libgssapi_krb5.so" - (see [#147912]). 
- * set default runlevel of init scripts in chkconfig line to 3 and - 5 -* Wed May 09 2007 mc@suse.de -- fix uninitialized salt length -- add extra check for keytab file -* Thu May 03 2007 mc@suse.de -- adding krb5-1.6.1-post.dif - * fix segfault in krb5_get_init_creds_password - * remove debug output in ftp client - * profile stores empty string values without double quotes -* Mon Apr 23 2007 mc@suse.de -- update to final 1.6.1 version -* Wed Apr 18 2007 mc@suse.de -- add plugin directories to main package -* Mon Apr 16 2007 mc@suse.de -- update to version 1.6.1 Beta1 -- remove obsolete patches - (krb5-1.6-post.dif, krb5-1.6-patchlevel.dif) -- rework compile_pie patch -* Wed Apr 11 2007 mc@suse.de -- update krb5-1.6-post.dif - * fix kadmind stack overflow in krb5_klog_syslog - (MITKRB5-SA-2007-002 - CVE-2007-0957) - [#253548] - * fix double free attack in the RPC library - (MITKRB5-SA-2007-003 - CVE-2007-1216) - [#252487] - * fix krb5 telnetd login injection - (MIT-SA-2007-001 - CVE-2007-0956) - [#247765] -* Thu Mar 29 2007 mc@suse.de -- add ncurses-devel and bison to BuildRequires -- rework some patches -* Mon Mar 05 2007 mc@suse.de -- move SuSEFirewall service definitions to - /etc/sysconfig/SuSEfirewall2.d/services -* Thu Feb 22 2007 mc@suse.de -- add firewall definition to krb5-server, FATE #300687 -* Mon Feb 19 2007 mc@suse.de -- update krb5-1.6-post.dif -- move some applications into the right package -* Fri Feb 09 2007 mc@suse.de -- update krb5-1.6-post.dif -* Mon Jan 29 2007 mc@suse.de -- krb5-1.6-fix-passwd-tcp.dif and krb5-1.6-fix-sendto_kdc-memset.dif - are now upstream. Remove patches. -- fix leak in krb5_kt_resolve and krb5_kt_wresolve -* Tue Jan 23 2007 mc@suse.de -- fix "local variable used before set" in ftp.c - [#237684] -* Mon Jan 22 2007 mc@suse.de -- krb5-devel should require keyutils-devel -* Mon Jan 22 2007 mc@suse.de -- update to version 1.6 - * Major changes in 1.6 include - * Partial client implementation to handle server name referrals. 
- * Pre-authentication plug-in framework, donated by Red Hat. - * LDAP KDB plug-in, donated by Novell. -- remove obsolete patches -* Wed Jan 10 2007 mc@suse.de -- fix for - kadmind (via RPC library) calls uninitialized function pointer - (CVE-2006-6143)(Bug #225990) - krb5-1.5-MITKRB5-SA-2006-002-fix-code-exec.dif -- fix for - kadmind (via GSS-API mechglue) frees uninitialized pointers - (CVE-2006-6144)(Bug #225992) - krb5-1.5-MITKRB5-SA-2006-003-fix-free-of-uninitialized-pointer.dif -* Tue Jan 02 2007 mc@suse.de -- Fix Requires in krb5-devel - [Bug #231008] -* Mon Nov 06 2006 mc@suse.de -- fix "local variable used before set" [#217692] -- fix strncat warning -* Fri Oct 27 2006 mc@suse.de -- add a default kadm5.dict file -- require $network on daemon start -* Wed Sep 13 2006 mc@suse.de -- fix function call with too few arguments [#203837] -* Thu Aug 24 2006 mc@suse.de -- update to version 1.5.1 -- remove obsolete patches which are now included upstream - * krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif - * trunk-fix-uninitialized-vars.dif -* Fri Aug 11 2006 mc@suse.de -- krb5 setuid return check fixes - krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif - [#182351] -* Mon Aug 07 2006 mc@suse.de -- remove update-messages -* Mon Jul 24 2006 mc@suse.de -- add check for krb5_prop in services to kpropd init script. - [#192446] -* Mon Jul 03 2006 mc@suse.de -- update to version 1.5 - * KDB abstraction layer, donated by Novell. - * plug-in architecture, allowing for extension modules to be - loaded at run-time. - * multi-mechanism GSS-API implementation ("mechglue"), - donated by Sun Microsystems - * Simple and Protected GSS-API negotiation mechanism ("SPNEGO") - implementation, donated by Sun Microsystems -- remove obsolete patches and add some new -* Fri May 26 2006 ro@suse.de -- libcom is not in e2fsck-devel but in its own package now, change - Requires accordingly. 
-* Mon Mar 27 2006 mc@suse.de -- add all daemons to %%stop_on_removal and %%restart_on_update -- add reload to kpropd init script -- add force-reload to all init scripts -* Mon Mar 13 2006 mc@suse.de -- add libgssapi_krb5.so link to main package [#147912] -* Fri Feb 03 2006 mc@suse.de -- fix logging section for kadmind in convert script -* Wed Jan 25 2006 mls@suse.de -- converted neededforbuild to BuildRequires -* Fri Jan 13 2006 mc@suse.de -- change the logging defaults -* Wed Jan 11 2006 mc@suse.de -- add tools and README for heimdal => MIT update -* Mon Jan 09 2006 mc@suse.de -- fix build problems, define _GNU_SOURCE - (krb5-1.4.3-set_gnu_source.dif ) -* Tue Jan 03 2006 mc@suse.de -- added "make %%{?jobs:-j%%jobs}" -* Fri Nov 18 2005 mc@suse.de -- update to version 1.4.3 - * some memmory leaks fixed - * fix for "AS_REP padata has wrong enctype" - * fix for "AS_REP padata missing PA-ETYPE-INFO" - * ... and more -* Wed Nov 02 2005 dmueller@suse.de -- don't build as root -* Tue Oct 11 2005 mc@suse.de -- update to version 1.4.2 -- remove some obsolet patches -* Mon Aug 08 2005 mc@suse.de -- build with --disable-static -* Thu Aug 04 2005 ro@suse.de -- remove devel-static subpackage -* Thu Jun 30 2005 mc@suse.de -- better patch for princ_comp problem -* Mon Jun 27 2005 mc@suse.de -- update to version 1.4.1 -- remove obsolet patches - - krb5-1.4-gcc4.dif - - krb5-1.4-reduce-namespace-polution.dif - - krb5-1.4-VUL-0-telnet.dif -* Thu Jun 23 2005 mc@suse.de -- fixed krb5 KDC heap corruption by random free - [#80574, CAN-2005-1174, MITKRB5-SA-2005-002] -- fixed krb5 double free() - [#86768, CAN-2005-1689, MITKRB5-SA-2005-003] -- fix krb5 NULL pointer reference while comparing principals - [#91600] -* Fri Jun 17 2005 mc@suse.de -- fix uninitialized variables -- compile with -fPIE/ link with -pie -* Wed Apr 20 2005 mc@suse.de -- fixed wrong xinetd files [#77149] -* Fri Apr 08 2005 mt@suse.de -- removed krb5-1.4-fix-error_tables.dif patch obsoleted - by libcom_err locking 
patches -* Thu Apr 07 2005 mc@suse.de -- fixed missing descriptions in init files - [#76164, #76165, #76166, #76169] -* Wed Mar 30 2005 mc@suse.de -- enhance $PATH via /etc/profile.d/ [#74018] -- remove the "links to important programs" -* Fri Mar 18 2005 mc@suse.de -- fixed not running converter script [#72854] -* Thu Mar 17 2005 mc@suse.de -- Fix CAN-2005-0469: Multiple Telnet Client slc_add_reply() Buffer - Overflow -- Fix CAN-2005-0468: Multiple Telnet Client env_opt_add() Buffer - Overflow - [#73618] -* Wed Mar 16 2005 mc@suse.de -- fixed wrong PreReqs [#73020] -* Tue Mar 15 2005 mc@suse.de -- add a simple krb5.conf converter [#72854] -* Mon Mar 14 2005 mc@suse.de -- fixed: rckrb5kdc restart gives wrong status with non-running service - [#72446] -* Thu Mar 10 2005 mc@suse.de -- add requires: e2fsprogs-devel to krb5-devel package [#71732] -* Fri Feb 25 2005 mc@suse.de -- fix double free [#66534] - krb5-1.4-fix-error_tables.dif -* Fri Feb 11 2005 mc@suse.de -- change mode for shared libraries to 755 -* Fri Feb 04 2005 mc@suse.de -- remove spx.c from tarball because of legal risk -- add README.Source which tell the user about this - action. -- add a check for spx.c in the spec-file -- use rich-text for update-messages [#50250] -* Tue Feb 01 2005 mc@suse.de -- add krb5-1.4-reduce-namespace-polution.dif - reduce namespace polution in gssapi.h [#50356] -* Fri Jan 28 2005 mc@suse.de -- update to version 1.4 -- Add implementation of the RPCSEC_GSS authentication flavor to the - RPC library. -- Thread safety for krb5 libraries. -- Merged Athena telnetd changes for creating a new option for - requiring encryption. -- The kadmind4 backwards-compatibility admin server and the v5passwdd - backwards-compatibility password-changing server have been removed. -- Yarrow code now uses AES. -- Merged Athena changes to allow ftpd to require encrypted passwords. -- Incorporate gss_krb5_set_allowable_enctypes() and - gss_krb5_export_lucid_sec_context(), which are needed for NFSv4. 
-- remove obsolet patches
-* Mon Jan 17 2005 mc@suse.de
-- add proofreaded update-messages
-* Fri Jan 14 2005 mc@suse.de
-- remove Conflicts: and add Provides:
-- add some insserv stuff
-* Thu Jan 13 2005 mc@suse.de
-- move vendor files to vendor-files.tar.bz2
-- add obsoletes: heimdal
-- add %%pre and %%post sections to detect update
- from heimdal and backup invalid configuration files
-- add update-messages for heimdal update
-* Mon Jan 10 2005 mc@suse.de
-- update to version 1.3.6
-- fix for: heap buffer overflow in libkadm5srv
- [CAN-2004-1189 / MITKRB5-SA-2004-004]
-* Tue Dec 14 2004 mc@suse.de
-- build doc subpackage in an own specfile
-- removed unnecessary neededforbuild requirements
-* Wed Nov 24 2004 coolo@suse.de
-- fix build with gcc 4
-* Mon Nov 15 2004 mc@suse.de
-- added Conflicts with heimdal*
-- rename some manpages to avoid conflicts
-* Thu Nov 04 2004 mc@suse.de
-- new init scripts
-- fix logrotate scripts
-- add some 64Bit fixes
-- add default krb5.conf, kdc.conf and kadm5.acl
-* Wed Nov 03 2004 mc@suse.de
-- add e2fsprogs to NFB
-- use system-et and system-ss
-- fix includes of com_err.h
-* Thu Oct 28 2004 mc@suse.de
-- Initital checkin
diff --git a/pre_checkin.sh b/pre_checkin.sh
new file mode 100644
index 0000000..611f38f
--- /dev/null
+++ b/pre_checkin.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+sed -e 's/Name:.*/Name: krb5-mini/g;' \
+ -e 's/%define.*build_mini.*/%define build_mini 1/g' krb5.spec > krb5-mini.spec
+cp krb5.changes krb5-mini.changes
+
diff --git a/trunk-EncryptWithMasterKey.dif b/trunk-EncryptWithMasterKey.dif
deleted file mode 100644
index 2933aac..0000000
--- a/trunk-EncryptWithMasterKey.dif
+++ /dev/null
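Review bot: The `sed ... krb5.spec > krb5-mini.spec` line in the new pre_checkin.sh has no failure handling, so if `krb5.spec` is missing or unreadable the shell redirect still creates an empty `krb5-mini.spec` and the script exits 0 through the trailing `cp`. Changing the first line to `#!/bin/sh -e`, or adding `set -e` right after the shebang, makes a failed sed or cp abort the script instead of leaving a truncated spec and a stale changes file behind. The second substitution also presumes `krb5.spec` already carries a `%define ... build_mini ...` line; if that line is ever absent the generated spec differs only in its Name, which a guard such as `grep -q build_mini krb5.spec || exit 1` before the sed would catch.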
@@ -1,35 +0,0 @@ -Index: src/kadmin/dbutil/Makefile.in -=================================================================== ---- src/kadmin/dbutil/Makefile.in.orig -+++ src/kadmin/dbutil/Makefile.in -@@ -19,21 +19,28 @@ SRCS = kdb5_util.c kdb5_create.c kadm5_c - - OBJS = kdb5_util.o kdb5_create.o kadm5_create.o string_table.o kdb5_destroy.o kdb5_stash.o import_err.o strtok.o dump.o ovload.o - --all:: $(PROG) -+all:: $(PROG) EncryptWithMasterKey - - $(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB4COMPAT_DEPLIBS) - $(CC_LINK) -o $(PROG) $(OBJS) $(KADMSRV_LIBS) $(KDB_DEP_LIB) $(KRB4COMPAT_LIBS) - -+EncryptWithMasterKey: EncryptWithMasterKey.o -+ $(CC_LINK) -o EncryptWithMasterKey EncryptWithMasterKey.o $(KRB5_BASE_LIBS) -+ -+EncryptWithMasterKey.o: EncryptWithMasterKey.c -+ -+ - import_err.c import_err.h: $(srcdir)/import_err.et - - $(OBJS): import_err.h - - install:: - $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG) -+ $(INSTALL_PROGRAM) EncryptWithMasterKey ${DESTDIR}$(ADMIN_BINDIR)/EncryptWithMasterKey - $(INSTALL_DATA) $(srcdir)/$(PROG).M ${DESTDIR}$(ADMIN_MANDIR)/$(PROG).8 - - clean:: -- $(RM) $(PROG) $(OBJS) import_err.c import_err.h -+ $(RM) $(PROG) $(OBJS) import_err.c import_err.h EncryptWithMasterKey EncryptWithMasterKey.o - - # +++ Dependency line eater +++ - # diff --git a/vendor-files.tar.bz2 b/vendor-files.tar.bz2 index 7df2328..5e892eb 100644 --- a/vendor-files.tar.bz2 +++ b/vendor-files.tar.bz2 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:d6c325cc28c01e7e51fc96e3b966bb741060efb11a3b154b1ec0f07986a9571f -size 186676 +oid sha256:50ad02a920579585da9d44999c680c731ba9c2530fbc542e3298eacab1286617 +size 182015 diff --git a/warning-fix-lib-crypto-des.dif b/warning-fix-lib-crypto-des.dif deleted file mode 100644 index 09b1d26..0000000 --- a/warning-fix-lib-crypto-des.dif +++ /dev/null 
@@ -1,15 +0,0 @@ -# fix warning: -# string2key.c: In function 'mit_des_string_to_key_int': -# string2key.c:229: warning: pointer targets in passing argument 1 of 'mit_des_cbc_cksum' differ in signedness -# ---- src/lib/crypto/des/string2key.c -+++ src/lib/crypto/des/string2key.c 2006/06/21 08:16:12 -@@ -44,7 +44,7 @@ - krb5_ui_4 x, y, z; - unsigned char *p; - des_key_schedule sched; -- char *copy; -+ unsigned char *copy; - size_t copylen; - - /* As long as the architecture is big-endian or little-endian, it diff --git a/warning-fix-lib-crypto-dk.dif b/warning-fix-lib-crypto-dk.dif deleted file mode 100644 index 2812ffb..0000000 --- a/warning-fix-lib-crypto-dk.dif +++ /dev/null 
@@ -1,169 +0,0 @@ -# warning fix for: -# derive.c:63: warning: pointer targets in assignment differ in signedness -# derive.c:66: warning: pointer targets in assignment differ in signedness -# derive.c:75: warning: pointer targets in passing argument 2 of 'krb5_nfold' differ in signedness -# derive.c:75: warning: pointer targets in passing argument 4 of 'krb5_nfold' differ in signedness -# derive.c:96: warning: pointer targets in assignment differ in signedness -# derive.c: In function 'krb5_derive_random': -# derive.c:148: warning: pointer targets in assignment differ in signedness -# derive.c:151: warning: pointer targets in assignment differ in signedness -# derive.c:160: warning: pointer targets in passing argument 2 of 'krb5_nfold' differ in signedness -# derive.c:160: warning: pointer targets in passing argument 4 of 'krb5_nfold' differ in signedness -# -# dk_decrypt.c:153: warning: pointer targets in assignment differ in signedness -# -# dk_encrypt.c: In function 'krb5_dk_encrypt': -# dk_encrypt.c:98: warning: pointer targets in assignment differ in signedness -# dk_encrypt.c:119: warning: pointer targets in assignment differ in signedness -# dk_encrypt.c:132: warning: pointer targets in assignment differ in signedness -# dk_encrypt.c:141: warning: pointer targets in assignment differ in signedness -# dk_encrypt.c: In function 'krb5int_aes_dk_encrypt': -# dk_encrypt.c:263: warning: pointer targets in assignment differ in signedness -# dk_encrypt.c:284: warning: pointer targets in assignment differ in signedness -# dk_encrypt.c:298: warning: pointer targets in assignment differ in signedness -# dk_encrypt.c:308: warning: pointer targets in assignment differ in signedness -# ---- src/lib/crypto/dk/derive.c -+++ src/lib/crypto/dk/derive.c 2006/06/21 10:13:47 -@@ -60,10 +60,10 @@ - return(ENOMEM); - } - -- inblock.data = inblockdata; -+ inblock.data = (char*)inblockdata; - inblock.length = blocksize; - -- outblock.data = outblockdata; -+ outblock.data = 
(char*)outblockdata; - outblock.length = blocksize; - - /* initialize the input block */ -@@ -71,8 +71,8 @@ - if (in_constant->length == inblock.length) { - memcpy(inblock.data, in_constant->data, inblock.length); - } else { -- krb5_nfold(in_constant->length*8, in_constant->data, -- inblock.length*8, inblock.data); -+ krb5_nfold(in_constant->length*8, (unsigned char*)in_constant->data, -+ inblock.length*8, (unsigned char*)inblock.data); - } - - /* loop encrypting the blocks until enough key bytes are generated */ -@@ -93,7 +93,7 @@ - - /* postprocess the key */ - -- inblock.data = rawkey; -+ inblock.data = (char*)rawkey; - inblock.length = keybytes; - - (*(enc->make_key))(&inblock, outkey); -@@ -145,10 +145,10 @@ - return(ENOMEM); - } - -- inblock.data = inblockdata; -+ inblock.data = (char*)inblockdata; - inblock.length = blocksize; - -- outblock.data = outblockdata; -+ outblock.data = (char*)outblockdata; - outblock.length = blocksize; - - /* initialize the input block */ -@@ -156,8 +156,8 @@ - if (in_constant->length == inblock.length) { - memcpy(inblock.data, in_constant->data, inblock.length); - } else { -- krb5_nfold(in_constant->length*8, in_constant->data, -- inblock.length*8, inblock.data); -+ krb5_nfold(in_constant->length*8, (unsigned char*)in_constant->data, -+ inblock.length*8, (unsigned char*)inblock.data); - } - - /* loop encrypting the blocks until enough key bytes are generated */ ---- src/lib/crypto/dk/dk_decrypt.c -+++ src/lib/crypto/dk/dk_decrypt.c 2006/06/21 10:13:47 -@@ -150,7 +150,7 @@ - cn = (unsigned char *) d1.data + d1.length - blocksize; - else if (ivec_mode == 1) { - int nblocks = (d1.length + blocksize - 1) / blocksize; -- cn = d1.data + blocksize * (nblocks - 2); -+ cn = (unsigned char *) d1.data + blocksize * (nblocks - 2); - } else - abort(); - } else ---- src/lib/crypto/dk/dk_encrypt.c -+++ src/lib/crypto/dk/dk_encrypt.c 2006/06/21 10:19:00 -@@ -95,7 +95,7 @@ - - /* derive the keys */ - -- d1.data = constantdata; -+ d1.data = 
(char*)constantdata; - d1.length = K5CLENGTH; - - d1.data[0] = (usage>>24)&0xff; -@@ -116,7 +116,7 @@ - /* put together the plaintext */ - - d1.length = blocksize; -- d1.data = plaintext; -+ d1.data = (char*)plaintext; - - if ((ret = krb5_c_random_make_octets(/* XXX */ 0, &d1))) - goto cleanup; -@@ -129,7 +129,7 @@ - /* encrypt the plaintext */ - - d1.length = plainlen; -- d1.data = plaintext; -+ d1.data = (char*)plaintext; - - d2.length = plainlen; - d2.data = output->data; -@@ -138,7 +138,7 @@ - goto cleanup; - - if (ivec != NULL && ivec->length == blocksize) -- cn = d2.data + d2.length - blocksize; -+ cn = (unsigned char*)d2.data + d2.length - blocksize; - else - cn = NULL; - -@@ -260,7 +260,7 @@ - - /* derive the keys */ - -- d1.data = constantdata; -+ d1.data = (char*)constantdata; - d1.length = K5CLENGTH; - - d1.data[0] = (usage>>24)&0xff; -@@ -281,7 +281,7 @@ - /* put together the plaintext */ - - d1.length = blocksize; -- d1.data = plaintext; -+ d1.data = (char*)plaintext; - - if ((ret = krb5_c_random_make_octets(/* XXX */ 0, &d1))) - goto cleanup; -@@ -295,7 +295,7 @@ - /* encrypt the plaintext */ - - d1.length = plainlen; -- d1.data = plaintext; -+ d1.data = (char*)plaintext; - - d2.length = plainlen; - d2.data = output->data; -@@ -305,7 +305,7 @@ - - if (ivec != NULL && ivec->length == blocksize) { - int nblocks = (d2.length + blocksize - 1) / blocksize; -- cn = d2.data + blocksize * (nblocks - 2); -+ cn = (unsigned char*)d2.data + blocksize * (nblocks - 2); - } else - cn = NULL; - diff --git a/warning-fix-lib-crypto-enc_provider.dif b/warning-fix-lib-crypto-enc_provider.dif deleted file mode 100644 index f9036da..0000000 --- a/warning-fix-lib-crypto-enc_provider.dif +++ /dev/null 
@@ -1,77 +0,0 @@ -# fix warnings for: -# aes.c: In function 'krb5int_aes_encrypt': -# aes.c:72: warning: pointer targets in passing argument 1 of 'krb5int_aes_enc_blk' differ in signedness -# aes.c:72: warning: pointer targets in passing argument 2 of 'krb5int_aes_enc_blk' differ in signedness -# aes.c:77: warning: pointer targets in passing argument 1 of 'xorblock' differ in signedness -# aes.c:86: warning: pointer targets in passing argument 1 of 'xorblock' differ in signedness -# aes.c:94: warning: pointer targets in passing argument 1 of 'xorblock' differ in signedness -# aes.c:94: warning: pointer targets in passing argument 2 of 'xorblock' differ in signedness -# aes.c: In function 'krb5int_aes_decrypt': -# aes.c:127: warning: pointer targets in passing argument 1 of 'krb5int_aes_dec_blk' differ in signedness -# aes.c:127: warning: pointer targets in passing argument 2 of 'krb5int_aes_dec_blk' differ in signedness -# aes.c:131: warning: pointer targets in passing argument 1 of 'krb5int_aes_dec_blk' differ in signedness -# aes.c:132: warning: pointer targets in passing argument 1 of 'xorblock' differ in signedness -# aes.c:132: warning: pointer targets in passing argument 2 of 'xorblock' differ in signedness -# aes.c:138: warning: pointer targets in passing argument 1 of 'krb5int_aes_dec_blk' differ in signedness -# aes.c:145: warning: pointer targets in passing argument 1 of 'xorblock' differ in signedness -# aes.c:145: warning: pointer targets in passing argument 2 of 'xorblock' differ in signedness -# aes.c:154: warning: pointer targets in passing argument 1 of 'xorblock' differ in signedness -# aes.c:154: warning: pointer targets in passing argument 2 of 'xorblock' differ in signedness -# ---- src/lib/crypto/enc_provider/aes.c -+++ src/lib/crypto/enc_provider/aes.c 2006/06/21 10:50:23 -@@ -40,7 +40,7 @@ - #define enc(OUT, IN, CTX) (aes_enc_blk((IN),(OUT),(CTX)) == aes_good ? 
(void) 0 : abort()) - #define dec(OUT, IN, CTX) (aes_dec_blk((IN),(OUT),(CTX)) == aes_good ? (void) 0 : abort()) - --static void xorblock(char *out, const char *in) -+static void xorblock(unsigned char *out, const unsigned char *in) - { - int z; - for (z = 0; z < BLOCK_SIZE; z++) -@@ -69,12 +69,12 @@ - - if (nblocks == 1) { - /* XXX Used for DK function. */ -- enc(output->data, input->data, &ctx); -+ enc((unsigned char*)output->data, (unsigned char*)input->data, &ctx); - } else { - unsigned int nleft; - - for (blockno = 0; blockno < nblocks - 2; blockno++) { -- xorblock(tmp, input->data + blockno * BLOCK_SIZE); -+ xorblock(tmp, (unsigned char*) input->data + blockno * BLOCK_SIZE); - enc(tmp2, tmp, &ctx); - memcpy(output->data + blockno * BLOCK_SIZE, tmp2, BLOCK_SIZE); - -@@ -83,7 +83,7 @@ - } - /* Do final CTS step for last two blocks (the second of which - may or may not be incomplete). */ -- xorblock(tmp, input->data + (nblocks - 2) * BLOCK_SIZE); -+ xorblock(tmp, (unsigned char*) input->data + (nblocks - 2) * BLOCK_SIZE); - enc(tmp2, tmp, &ctx); - nleft = input->length - (nblocks - 1) * BLOCK_SIZE; - memcpy(output->data + (nblocks - 1) * BLOCK_SIZE, tmp2, nleft); -@@ -124,18 +124,18 @@ - if (nblocks == 1) { - if (input->length < BLOCK_SIZE) - abort(); -- dec(output->data, input->data, &ctx); -+ dec((unsigned char*)output->data, (unsigned char*) input->data, &ctx); - } else { - - for (blockno = 0; blockno < nblocks - 2; blockno++) { -- dec(tmp2, input->data + blockno * BLOCK_SIZE, &ctx); -+ dec(tmp2, (unsigned char*)input->data + blockno * BLOCK_SIZE, &ctx); - xorblock(tmp2, tmp); - memcpy(output->data + blockno * BLOCK_SIZE, tmp2, BLOCK_SIZE); - memcpy(tmp, input->data + blockno * BLOCK_SIZE, BLOCK_SIZE); - } - /* Do last two blocks, the second of which (next-to-last block - of plaintext) may be incomplete. 
*/ -- dec(tmp2, input->data + (nblocks - 2) * BLOCK_SIZE, &ctx); -+ dec(tmp2, (unsigned char*) input->data + (nblocks - 2) * BLOCK_SIZE, &ctx); - /* Set tmp3 to last ciphertext block, padded. */ - memset(tmp3, 0, sizeof(tmp3)); - memcpy(tmp3, input->data + (nblocks - 1) * BLOCK_SIZE, diff --git a/warning-fix-lib-crypto-yarrow_arcfour.dif b/warning-fix-lib-crypto-yarrow_arcfour.dif deleted file mode 100644 index fe0baa5..0000000 --- a/warning-fix-lib-crypto-yarrow_arcfour.dif +++ /dev/null @@ -1,27 +0,0 @@ -# warning fixes for: -# arcfour_s2k.c:46: warning: pointer targets in passing argument 2 of 'asctouni' differ in signedness -# -# ycipher.c:77: warning: pointer targets in assignment differ in signedness -# ---- src/lib/crypto/arcfour/arcfour_s2k.c -+++ src/lib/crypto/arcfour/arcfour_s2k.c 2006/06/21 10:55:47 -@@ -43,7 +43,7 @@ - return ENOMEM; - - /* make the string. start by creating the unicode version of the password*/ -- asctouni(copystr, string->data, slen ); -+ asctouni(copystr, (unsigned char*)string->data, slen ); - - /* the actual MD4 hash of the data */ - krb5_MD4Init(&md4_context); ---- src/lib/crypto/yarrow/ycipher.c -+++ src/lib/crypto/yarrow/ycipher.c 2006/06/21 10:56:48 -@@ -74,7 +74,7 @@ - const struct krb5_enc_provider *enc = &yarrow_enc_provider; - ind.data = (char *) in; - ind.length = CIPHER_BLOCK_SIZE; -- outd.data = out; -+ outd.data = (char*)out; - outd.length = CIPHER_BLOCK_SIZE; - ret = enc->encrypt (&ctx->key, 0, &ind, &outd); - if (ret) diff --git a/warning-fix-lib-crypto.dif b/warning-fix-lib-crypto.dif deleted file mode 100644 index 369c087..0000000 --- a/warning-fix-lib-crypto.dif +++ /dev/null 
@@ -1,76 +0,0 @@ -# warning fix for: -# old_api_glue.c: In function 'krb5_encrypt': -# old_api_glue.c:49: warning: assignment discards qualifiers from pointer target type -# old_api_glue.c: In function 'krb5_decrypt': -# old_api_glue.c:85: warning: assignment discards qualifiers from pointer target type -# old_api_glue.c: In function 'krb5_calculate_checksum': -# old_api_glue.c:206: warning: assignment discards qualifiers from pointer target type -# old_api_glue.c:210: warning: assignment discards qualifiers from pointer target type -# old_api_glue.c: In function 'krb5_verify_checksum': -# old_api_glue.c:242: warning: assignment discards qualifiers from pointer target type -# old_api_glue.c:246: warning: assignment discards qualifiers from pointer target type -# -# pbkdf2.c:86: warning: pointer targets in assignment differ in signedness -# -# prng.c:33: warning: 'init_error' defined but not used -# ---- src/lib/crypto/old_api_glue.c -+++ src/lib/crypto/old_api_glue.c 2006/06/21 10:23:07 -@@ -46,7 +46,7 @@ - - /* size is the length of the input cleartext data */ - inputd.length = size; -- inputd.data = inptr; -+ inputd.data = (char*)inptr; - - /* The size of the output buffer isn't part of the old api. Not too - safe. So, we assume here that it's big enough. 
*/ -@@ -82,7 +82,7 @@ - /* size is the length of the input ciphertext data */ - inputd.enctype = eblock->key->enctype; - inputd.ciphertext.length = size; -- inputd.ciphertext.data = inptr; -+ inputd.ciphertext.data = (char*)inptr; - - /* we don't really know how big this is, but the code tends to assume - that the output buffer size should be the same as the input -@@ -203,11 +203,11 @@ - krb5_error_code ret; - krb5_checksum cksum; - -- input.data = in; -+ input.data = (char*)in; - input.length = in_length; - - key.length = seed_length; -- key.contents = seed; -+ key.contents = (krb5_octet*)seed; - - if ((ret = krb5_c_make_checksum(context, ctype, &key, 0, &input, &cksum))) - return(ret); -@@ -239,11 +239,11 @@ - krb5_error_code ret; - krb5_boolean valid; - -- input.data = in; -+ input.data = (char*)in; - input.length = in_length; - - key.length = seed_length; -- key.contents = seed; -+ key.contents = (krb5_octet*)seed; - - if ((ret = krb5_c_verify_checksum(context, &key, 0, &input, cksum, - &valid))) ---- src/lib/crypto/pbkdf2.c -+++ src/lib/crypto/pbkdf2.c 2006/06/21 10:25:54 -@@ -83,7 +83,7 @@ - krb5_data out; - krb5_error_code err; - -- pdata.contents = pass->data; -+ pdata.contents = (krb5_octet*) pass->data; - pdata.length = pass->length; - - #if 0 -