rpm/krb5
SHA256
1
0
Fork 0
forked from pool/krb5
Code Pull Requests Activity

OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/krb5?expand=0&rev=41

Browse Source
This commit is contained in:
OBS User unknown 2009-07-08 17:41:43 +00:00 committed by Git OBS Bridge
parent 4da4b4f6fa
commit 7b77761d5a
51 changed files with 1901 additions and 5899 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

215
EncryptWithMasterKey.c
View File

@ -1,215 +0,0 @@
#include <com_err.h>
#include <krb5.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#define krb5_kdb_decode_int16(cp, i16) \
*((krb5_int16 *) &(i16)) = (((krb5_int16) ((unsigned char) (cp)[0]))| \
((krb5_int16) ((unsigned char) (cp)[1]) << 8))
#define encode_int16(i16, cp) \
{ \
(cp)[0] = (unsigned char) ((i16) & 0xff); \
(cp)[1] = (unsigned char) (((i16) >> 8) & 0xff); \
}
krb5_error_code
krb5_db_fetch_mkey(krb5_context context,
krb5_enctype etype,
char *keyfile,
krb5_keyblock * key)
{
krb5_error_code retval;
/* from somewhere else */
krb5_ui_2 enctype;
FILE *kf;
retval = 0;
key->magic = KV5M_KEYBLOCK;
if (!(kf = fopen(keyfile, "r")))
return KRB5_KDB_CANTREAD_STORED;
if (fread((krb5_pointer) &enctype, 2, 1, kf) != 1) {
retval = KRB5_KDB_CANTREAD_STORED;
goto errout;
}
if (key->enctype == ENCTYPE_UNKNOWN)
key->enctype = enctype;
else if (enctype != key->enctype) {
retval = KRB5_KDB_BADSTORED_MKEY;
goto errout;
}
if (fread((krb5_pointer) &key->length,
sizeof(key->length), 1, kf) != 1) {
retval = KRB5_KDB_CANTREAD_STORED;
goto errout;
}
if (!key->length || ((int) key->length) < 0) {
retval = KRB5_KDB_BADSTORED_MKEY;
goto errout;
}
if (!(key->contents = (krb5_octet *)malloc(key->length))) {
retval = ENOMEM;
goto errout;
}
if (fread((krb5_pointer) key->contents,
sizeof(key->contents[0]), key->length, kf)
!= key->length) {
retval = KRB5_KDB_CANTREAD_STORED;
memset(key->contents, 0, key->length);
free(key->contents);
key->contents = 0;
} else
retval = 0;
errout:
(void) fclose(kf);
return retval;
}
static int
read_octet_string(char *str, krb5_octet *buf, size_t len)
{
int c;
int i, retval;
char *s;
s = str;
retval = 0;
for (i=0; i<len; i++) {
if (sscanf(s, "%02x", &c) != 1) {
retval = 1;
free(s);
break;
}
buf[i] = (krb5_octet) c;
if(i+1 < len) {
s++;
s++;
}
}
s = NULL;
return(retval);
}
void usage()
{
fprintf(stderr, "Usage: "
"EncryptWithMasterKey -sf stashfilename -d data [-e enctype]\n"
"\t [-sf stashfilename] \n"
"\t [-d the data to encrypt]\n"
"\t [-e encryption type of the master key] (default des3-cbc-sha1)\n\n"
"\t valid enctypes are:\n\n"
"\t des-cbc-crc, des-cbc-md4, des-cbc-md5, des, des-cbc-raw,\n"
"\t des3-cbc-raw, des3-cbc-sha1, des3-hmac-sha1, des3-cbc-sha1-kd,\n"
"\t des-hmac-sha1, arcfour-hmac, rc4-hmac, arcfour-hmac-md5,\n"
"\t arcfour-hmac-exp, rc4-hmac-exp, arcfour-hmac-md5-exp,\n"
"\t aes128-cts-hmac-sha1-96, aes128-cts, aes256-cts-hmac-sha1-96,\n"
"\t aes256-cts\n");
exit(1);
}
#define ARG_VAL (--argc > 0 ? (koptarg = *(++argv)) : (char *)(usage(), NULL))
int main(int argc, char *argv[])
{
krb5_context context;
krb5_error_code retval;
krb5_keyblock master_keyblock;
krb5_data plain;
krb5_enc_data cipher;
size_t plainlen = 0;
size_t enclen = 0;
char *koptarg;
char *stashfile = NULL;
char *data = NULL;
int i = 0;
master_keyblock.enctype = ENCTYPE_DES3_CBC_SHA1;
argv++; argc--;
while (*argv) {
if (strcmp(*argv, "-sf") == 0 && ARG_VAL) {
stashfile = koptarg;
} else if (strcmp(*argv, "-d") == 0 && ARG_VAL) {
data = koptarg;
} else if (strcmp(*argv, "-e") == 0 && ARG_VAL) {
if (krb5_string_to_enctype(koptarg, &master_keyblock.enctype))
{
com_err(argv[0], 0, "%s is an invalid enctype", koptarg);
usage();
}
} else {
usage();
}
argv++; argc--;
}
if (data == NULL || stashfile == NULL)
usage();
retval = krb5_init_context(&context);
if( retval )
{
com_err(argv[0], retval, "while initializing krb5_context");
exit(1);
}
retval = krb5_db_fetch_mkey(context,
master_keyblock.enctype,
stashfile,
&master_keyblock);
if( retval )
{
com_err(argv[0], retval, "while fetching master key");
exit(1);
}
plainlen = strlen(data)/2;
plain.data = (char *) malloc(plainlen);
plain.length = plainlen;
read_octet_string(data, (krb5_octet*)plain.data, plainlen);
retval = krb5_c_encrypt_length(context,
master_keyblock.enctype,
plain.length, &enclen);
if( retval )
{
com_err(argv[0], retval, "while calculating cipher data length");
exit(1);
}
cipher.ciphertext.data = (char *) malloc(enclen);
cipher.ciphertext.length = enclen;
retval = krb5_c_encrypt(context, &master_keyblock, /* XXX */ 0, 0,
&plain, &cipher);
if( retval )
{
com_err(argv[0], retval, "while encrypting data");
exit(1);
}
/* first print out the length of the decrypted hash */
char l[2];
encode_int16((unsigned int)plainlen, l);
printf("%02x%02x", l[0], l[1]);
/* now print the encrypted key */
for(i = 0; i < cipher.ciphertext.length; ++i)
{
printf("%02x",(unsigned char)cipher.ciphertext.data[i]);
}
printf("\n");
return 0;
}

23
Makefile.kadm5
View File

@ -1,23 +0,0 @@
.SUFFIXES: .tex .dvi .ps
all:
latex adb-unit-test.tex
latex api-funcspec.tex
latex api-server-design.tex
latex api-unit-test.tex
dvips adb-unit-test.dvi -o adb-unit-test.ps
dvips api-funcspec.dvi -o api-funcspec.ps
dvips api-server-design.dvi -o api-server-design.ps
dvips api-unit-test.dvi -o api-unit-test.ps
latex2html -dir ../html/adb-unit-test -mkdir adb-unit-test.tex
latex2html -dir ../html/api-funcspec -mkdir api-funcspec.tex
latex2html -dir ../html/api-server-design -mkdir api-server-design.tex
latex2html -dir ../html/api-unit-test -mkdir api-unit-test.tex
clean:
rm -f *.toc *.log *.idx *.ind *.aux *.ilg
really-clean: clean
rm -f *.dvi *.ps

4
baselibs.conf
View File

@ -1,4 +0,0 @@
krb5
obsoletes "heimdal-lib-<targettype>"
provides "heimdal-lib-<targettype>"
krb5-devel

13
gssapi_improve_errormessages.dif
View File

@ -1,13 +0,0 @@
Index: krb5-1.6.3/src/lib/gssapi/generic/disp_com_err_status.c
===================================================================
--- krb5-1.6.3.orig/src/lib/gssapi/generic/disp_com_err_status.c
+++ krb5-1.6.3/src/lib/gssapi/generic/disp_com_err_status.c
@@ -56,7 +56,7 @@ g_display_com_err_status(minor_status, s
(void) gssint_initialize_library();
if (! g_make_string_buffer(((status_value == 0)?no_error:
- error_message(status_value)),
+ error_message((int)status_value)),
status_string)) {
*minor_status = ENOMEM;
return(GSS_S_FAILURE);

26
kprop-use-mkstemp.dif
View File

@ -1,26 +0,0 @@
--- src/slave/kprop.c
+++ src/slave/kprop.c 2006/06/21 12:38:34
@@ -215,6 +215,7 @@
krb5_error_code retval;
static char tkstring[] = "/tmp/kproptktXXXXXX";
krb5_keytab keytab = NULL;
+ int ret = 0;
/*
* Figure out what tickets we'll be using to send stuff
@@ -240,7 +241,15 @@
/*
* Initialize cache file which we're going to be using
*/
+#ifdef HAVE_MKSTEMP
+ ret = mkstemp(tkstring);
+ if (ret == -1) {
+ com_err(progname, errno, "while initialize cache file");
+ exit(1);
+ } else close(ret);
+#else
(void) mktemp(tkstring);
+#endif
sprintf(buf, "FILE:%s", tkstring);
retval = krb5_cc_resolve(context, buf, &ccache);

50
krb5-1.3.3-rcp-markus.dif
View File

@ -1,50 +0,0 @@
Fix for CAN-2004-0175, based on Markus Friedl's fix for OpenSSH scp.
Index: krb5-1.6.3/src/appl/bsd/krcp.c
===================================================================
--- krb5-1.6.3.orig/src/appl/bsd/krcp.c
+++ krb5-1.6.3/src/appl/bsd/krcp.c
@@ -1096,6 +1096,10 @@ void sink(argc, argv)
size = size * 10 + (*cp++ - '0');
if (*cp++ != ' ')
SCREWUP("size not delimited");
+ if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
+ error("error: unexpected filename: %s", cp);
+ exit(1);
+ }
if (targisdir) {
if(strlen(targ) + strlen(cp) + 2 >= sizeof(nambuf))
SCREWUP("target name too long");
@@ -1109,6 +1113,8 @@ void sink(argc, argv)
nambuf[sizeof(nambuf) - 1] = '\0';
exists = stat(nambuf, &stb) == 0;
if (cmdbuf[0] == 'D') {
+ if (!iamrecursive)
+ SCREWUP("received directory without -r");
if (exists) {
if ((stb.st_mode&S_IFMT) != S_IFDIR) {
errno = ENOTDIR;
Index: krb5-1.6.3/src/appl/bsd/v4rcp.c
===================================================================
--- krb5-1.6.3.orig/src/appl/bsd/v4rcp.c
+++ krb5-1.6.3/src/appl/bsd/v4rcp.c
@@ -807,6 +807,10 @@ void sink(argc, argv)
size = size * 10 + (*cp++ - '0');
if (*cp++ != ' ')
SCREWUP("size not delimited");
+ if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
+ error("error: unexpected filename: %s", cp);
+ exit(1);
+ }
if (targisdir) {
if (strlen(targ) + strlen(cp) + 1 < sizeof(nambuf)) {
(void) sprintf(nambuf, "%s%s%s", targ,
@@ -823,6 +827,8 @@ void sink(argc, argv)
nambuf[sizeof(nambuf)-1] = '\0';
exists = stat(nambuf, &stb) == 0;
if (cmdbuf[0] == 'D') {
+ if (!iamrecursive)
+ SCREWUP("received directory without -r");
if (exists) {
if ((stb.st_mode&S_IFMT) != S_IFDIR) {
errno = ENOTDIR;

28
krb5-1.4-fix-segfault.dif
View File

@ -1,28 +0,0 @@
Index: src/lib/krb5/krb/princ_comp.c
===================================================================
--- src/lib/krb5/krb/princ_comp.c.orig
+++ src/lib/krb5/krb/princ_comp.c
@@ -33,6 +33,13 @@
krb5_boolean KRB5_CALLCONV
krb5_realm_compare(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2)
{
+ if ((princ1 == NULL) || (princ2 == NULL))
+ return FALSE;
+
+ if ((krb5_princ_realm(context, princ1) == NULL) ||
+ (krb5_princ_realm(context, princ2) == NULL))
+ return FALSE;
+
if (krb5_princ_realm(context, princ1)->length !=
krb5_princ_realm(context, princ2)->length ||
memcmp (krb5_princ_realm(context, princ1)->data,
@@ -49,6 +56,9 @@ krb5_principal_compare(krb5_context cont
register int i;
krb5_int32 nelem;
+ if ((princ1 == NULL) || (princ2 == NULL))
+ return FALSE;
+
nelem = krb5_princ_size(context, princ1);
if (nelem != krb5_princ_size(context, princ2))
return FALSE;

20
krb5-1.4.3-enospc.dif
View File

@ -1,21 +1,13 @@
If the error message is going to be ambiguous, try to give the user some clue
by returning the last error reported by the OS.
Index: krb5-1.6.3/src/clients/kinit/kinit.c
Index: trunk/src/clients/kinit/kinit.c
===================================================================
--- krb5-1.6.3.orig/src/clients/kinit/kinit.c
+++ krb5-1.6.3/src/clients/kinit/kinit.c
@@ -35,6 +35,7 @@
#else
#undef HAVE_KRB524
#endif
+#include <errno.h>
#include <string.h>
#include <stdio.h>
#include <time.h>
@@ -921,8 +922,14 @@ k5_kinit(opts, k5)
code = krb5_cc_initialize(k5->ctx, k5->cc, k5->me);
--- trunk.orig/src/clients/kinit/kinit.c
+++ trunk/src/clients/kinit/kinit.c
@@ -658,8 +658,14 @@ k5_kinit(opts, k5)
code = krb5_cc_initialize(k5->ctx, k5->cc,
opts->canonicalize ? my_creds.client : k5->me);
if (code) {
- com_err(progname, code, "when initializing cache %s",
- opts->k5_cache_name?opts->k5_cache_name:"");

2
krb5-1.5.1-fix-ftp-var-used-uninitialized.dif
View File

@ -2,7 +2,7 @@ Index: src/appl/gssftp/ftp/ftp.c
===================================================================
--- src/appl/gssftp/ftp/ftp.c.orig
+++ src/appl/gssftp/ftp/ftp.c
@@ -1986,7 +1986,7 @@ int do_auth()
@@ -1912,7 +1912,7 @@ int do_auth()
#ifdef GSSAPI
if (command("AUTH %s", "GSSAPI") == CONTINUE) {

20
krb5-1.5.1-fix-strncat-warning.dif
View File

@ -1,20 +0,0 @@
--- src/lib/krb4/g_cnffile.c
+++ src/lib/krb4/g_cnffile.c 2006/10/30 11:12:26
@@ -68,7 +68,7 @@
&full_name);
if (retval == 0 && full_name && full_name[0]) {
retname[0] = '\0';
- strncat(retname, full_name[0], sizeof(retname));
+ strncat(retname, full_name[0], sizeof(retname)-strlen(retname)-1);
for (cpp = full_name; *cpp; cpp++)
krb5_xfree(*cpp);
krb5_xfree(full_name);
@@ -76,7 +76,7 @@
}
}
retname[0] = '\0';
- strncat(retname, default_srvtabname, sizeof(retname));
+ strncat(retname, default_srvtabname, sizeof(retname)-strlen(retname)-1);
return retname;
}

22
krb5-1.5.1-fix-too-few-arguments.dif
View File

@ -1,22 +0,0 @@
Index: src/kadmin/dbutil/dump.c
===================================================================
--- src/kadmin/dbutil/dump.c.orig
+++ src/kadmin/dbutil/dump.c
@@ -2028,7 +2028,7 @@ process_k5beta7_record(fname, kcontext,
linenop);
else if (strcmp(rectype, "policy") == 0)
process_k5beta7_policy(fname, kcontext, filep, verbose,
- linenop);
+ linenop, NULL);
else {
fprintf(stderr, "unknown record type \"%s\" on line %d\n",
rectype, *linenop);
@@ -2064,7 +2064,7 @@ process_ov_record(fname, kcontext, filep
linenop);
else if (strcmp(rectype, "policy") == 0)
process_k5beta7_policy(fname, kcontext, filep, verbose,
- linenop);
+ linenop, NULL);
else if (strcmp(rectype, "End") == 0)
return -1;
else {

336
krb5-1.6-MITKRB5-SA-2008-001.dif
View File

@ -1,336 +0,0 @@
Index: krb5-1.6.2/src/kdc/dispatch.c
===================================================================
--- krb5-1.6.2.orig/src/kdc/dispatch.c
+++ krb5-1.6.2/src/kdc/dispatch.c
@@ -1,7 +1,7 @@
/*
* kdc/dispatch.c
*
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright 1990, 2007 by the Massachusetts Institute of Technology.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
@@ -107,7 +107,7 @@ dispatch(krb5_data *pkt, const krb5_full
retval = KRB5KRB_AP_ERR_MSG_TYPE;
#ifndef NOCACHE
/* put the response into the lookaside buffer */
- if (!retval)
+ if (!retval && *response != NULL)
kdc_insert_lookaside(pkt, *response);
#endif
Index: krb5-1.6.2/src/kdc/kerberos_v4.c
===================================================================
--- krb5-1.6.2.orig/src/kdc/kerberos_v4.c
+++ krb5-1.6.2/src/kdc/kerberos_v4.c
@@ -1,7 +1,7 @@
/*
* kdc/kerberos_v4.c
*
- * Copyright 1985, 1986, 1987, 1988,1991 by the Massachusetts Institute
+ * Copyright 1985, 1986, 1987, 1988,1991,2007 by the Massachusetts Institute
* of Technology.
* All Rights Reserved.
*
@@ -87,11 +87,6 @@ extern int krbONE;
#define MSB_FIRST 0 /* 68000, IBM RT/PC */
#define LSB_FIRST 1 /* Vax, PC8086 */
-int f;
-
-/* XXX several files in libkdb know about this */
-char *progname;
-
#ifndef BACKWARD_COMPAT
static Key_schedule master_key_schedule;
static C_Block master_key;
@@ -143,10 +138,8 @@ static void hang(void);
#include "com_err.h"
#include "extern.h" /* to pick up master_princ */
-static krb5_data *response;
-
-void kerberos_v4 (struct sockaddr_in *, KTEXT);
-void kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *);
+static krb5_data *kerberos_v4 (struct sockaddr_in *, KTEXT);
+static krb5_data *kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *);
static int set_tgtkey (char *, krb5_kvno, krb5_boolean);
/* Attributes converted from V5 to V4 - internal representation */
@@ -262,12 +255,12 @@ process_v4(const krb5_data *pkt, const k
(void) klog(L_KRB_PERR, "V4 request too long.");
return KRB5KRB_ERR_FIELD_TOOLONG;
}
+ memset( &v4_pkt, 0, sizeof(v4_pkt));
v4_pkt.length = pkt->length;
v4_pkt.mbz = 0;
memcpy( v4_pkt.dat, pkt->data, pkt->length);
- kerberos_v4( &client_sockaddr, &v4_pkt);
- *resp = response;
+ *resp = kerberos_v4( &client_sockaddr, &v4_pkt);
return(retval);
}
@@ -300,19 +293,20 @@ char * v4_klog( int type, const char *fo
}
static
-int krb4_sendto(int s, const char *msg, int len, int flags,
- const struct sockaddr *to, int to_len)
+krb5_data *make_response(const char *msg, int len)
{
+ krb5_data *response;
+
if ( !(response = (krb5_data *) malloc( sizeof *response))) {
- return ENOMEM;
+ return 0;
}
if ( !(response->data = (char *) malloc( len))) {
krb5_free_data(kdc_context, response);
- return ENOMEM;
+ return 0;
}
response->length = len;
memcpy( response->data, msg, len);
- return( 0);
+ return response;
}
static void
hang(void)
@@ -586,7 +580,7 @@ static void str_length_check(char *str,
*cp = 0;
}
-void
+static krb5_data *
kerberos_v4(struct sockaddr_in *client, KTEXT pkt)
{
static KTEXT_ST rpkt_st;
@@ -599,7 +593,7 @@ kerberos_v4(struct sockaddr_in *client,
KTEXT auth = &auth_st;
AUTH_DAT ad_st;
AUTH_DAT *ad = &ad_st;
-
+ krb5_data *response = 0;
static struct in_addr client_host;
static int msg_byte_order;
@@ -637,8 +631,7 @@ kerberos_v4(struct sockaddr_in *client,
inet_ntoa(client_host));
/* send an error reply */
req_name_ptr = req_inst_ptr = req_realm_ptr = "";
- kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt);
- return;
+ return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt);
}
/* check packet version */
@@ -648,8 +641,7 @@ kerberos_v4(struct sockaddr_in *client,
KRB_PROT_VERSION, req_version, 0);
/* send an error reply */
req_name_ptr = req_inst_ptr = req_realm_ptr = "";
- kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt);
- return;
+ return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt);
}
msg_byte_order = req_msg_type & 1;
@@ -707,10 +699,10 @@ kerberos_v4(struct sockaddr_in *client,
if ((i = check_princ(req_name_ptr, req_inst_ptr, 0,
&a_name_data, &k5key, 0, &ck5life))) {
- kerb_err_reply(client, pkt, i, "check_princ failed");
+ response = kerb_err_reply(client, pkt, i, "check_princ failed");
a_name_data.key_low = a_name_data.key_high = 0;
krb5_free_keyblock_contents(kdc_context, &k5key);
- return;
+ return response;
}
/* don't use k5key for client */
krb5_free_keyblock_contents(kdc_context, &k5key);
@@ -722,11 +714,11 @@ kerberos_v4(struct sockaddr_in *client,
/* this does all the checking */
if ((i = check_princ(service, instance, lifetime,
&s_name_data, &k5key, 1, &sk5life))) {
- kerb_err_reply(client, pkt, i, "check_princ failed");
+ response = kerb_err_reply(client, pkt, i, "check_princ failed");
a_name_data.key_high = a_name_data.key_low = 0;
s_name_data.key_high = s_name_data.key_low = 0;
krb5_free_keyblock_contents(kdc_context, &k5key);
- return;
+ return response;
}
/* Bound requested lifetime with service and user */
v4req_end = krb_life_to_time(kerb_time.tv_sec, req_life);
@@ -797,8 +789,7 @@ kerberos_v4(struct sockaddr_in *client,
rpkt = create_auth_reply(req_name_ptr, req_inst_ptr,
req_realm_ptr, req_time_ws, 0, a_name_data.exp_date,
a_name_data.key_version, ciph);
- krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0,
- (struct sockaddr *) client, sizeof (struct sockaddr_in));
+ response = make_response((char *) rpkt->dat, rpkt->length);
memset(&a_name_data, 0, sizeof(a_name_data));
memset(&s_name_data, 0, sizeof(s_name_data));
break;
@@ -824,9 +815,8 @@ kerberos_v4(struct sockaddr_in *client,
lt = klog(L_KRB_PERR,
"APPL request with realm length too long from %s",
inet_ntoa(client_host));
- kerb_err_reply(client, pkt, RD_AP_INCON,
- "realm length too long");
- return;
+ return kerb_err_reply(client, pkt, RD_AP_INCON,
+ "realm length too long");
}
auth->length += (int) *(pkt->dat + auth->length) +
@@ -835,9 +825,8 @@ kerberos_v4(struct sockaddr_in *client,
lt = klog(L_KRB_PERR,
"APPL request with funky tkt or req_id length from %s",
inet_ntoa(client_host));
- kerb_err_reply(client, pkt, RD_AP_INCON,
- "funky tkt or req_id length");
- return;
+ return kerb_err_reply(client, pkt, RD_AP_INCON,
+ "funky tkt or req_id length");
}
memcpy(auth->dat, pkt->dat, auth->length);
@@ -848,18 +837,16 @@ kerberos_v4(struct sockaddr_in *client,
if ((!allow_v4_crossrealm)&&strcmp(tktrlm, local_realm) != 0) {
lt = klog(L_ERR_UNK,
"Cross realm ticket from %s denied by policy,", tktrlm);
- kerb_err_reply(client, pkt,
- KERB_ERR_PRINCIPAL_UNKNOWN, lt);
- return;
+ return kerb_err_reply(client, pkt,
+ KERB_ERR_PRINCIPAL_UNKNOWN, lt);
}
if (set_tgtkey(tktrlm, kvno, 0)) {
- lt = klog(L_ERR_UNK,
+ lt = klog(L_ERR_UNK,
"FAILED set_tgtkey realm %s, kvno %d. Host: %s ",
tktrlm, kvno, inet_ntoa(client_host));
/* no better error code */
- kerb_err_reply(client, pkt,
- KERB_ERR_PRINCIPAL_UNKNOWN, lt);
- return;
+ return kerb_err_reply(client, pkt,
+ KERB_ERR_PRINCIPAL_UNKNOWN, lt);
}
kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr,
ad, 0);
@@ -869,9 +856,8 @@ kerberos_v4(struct sockaddr_in *client,
"FAILED 3des set_tgtkey realm %s, kvno %d. Host: %s ",
tktrlm, kvno, inet_ntoa(client_host));
/* no better error code */
- kerb_err_reply(client, pkt,
- KERB_ERR_PRINCIPAL_UNKNOWN, lt);
- return;
+ return kerb_err_reply(client, pkt,
+ KERB_ERR_PRINCIPAL_UNKNOWN, lt);
}
kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr,
ad, 0);
@@ -881,8 +867,7 @@ kerberos_v4(struct sockaddr_in *client,
klog(L_ERR_UNK, "FAILED krb_rd_req from %s: %s",
inet_ntoa(client_host), krb_get_err_text(kerno));
req_name_ptr = req_inst_ptr = req_realm_ptr = "";
- kerb_err_reply(client, pkt, kerno, "krb_rd_req failed");
- return;
+ return kerb_err_reply(client, pkt, kerno, "krb_rd_req failed");
}
ptr = (char *) pkt->dat + auth->length;
@@ -904,22 +889,21 @@ kerberos_v4(struct sockaddr_in *client,
req_realm_ptr = ad->prealm;
if (strcmp(ad->prealm, tktrlm)) {
- kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN,
- "Can't hop realms");
- return;
+ return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN,
+ "Can't hop realms");
}
if (!strcmp(service, "changepw")) {
- kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN,
- "Can't authorize password changed based on TGT");
- return;
+ return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN,
+ "Can't authorize password changed based on TGT");
}
kerno = check_princ(service, instance, req_life,
&s_name_data, &k5key, 1, &sk5life);
if (kerno) {
- kerb_err_reply(client, pkt, kerno, "check_princ failed");
+ response = kerb_err_reply(client, pkt, kerno,
+ "check_princ failed");
s_name_data.key_high = s_name_data.key_low = 0;
krb5_free_keyblock_contents(kdc_context, &k5key);
- return;
+ return response;
}
/* Bound requested lifetime with service and user */
v4endtime = krb_life_to_time((KRB4_32)ad->time_sec, ad->life);
@@ -975,8 +959,7 @@ kerberos_v4(struct sockaddr_in *client,
rpkt = create_auth_reply(ad->pname, ad->pinst,
ad->prealm, time_ws,
0, 0, 0, ciph);
- krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0,
- (struct sockaddr *) client, sizeof (struct sockaddr_in));
+ response = make_response((char *) rpkt->dat, rpkt->length);
memset(&s_name_data, 0, sizeof(s_name_data));
break;
}
@@ -1001,6 +984,7 @@ kerberos_v4(struct sockaddr_in *client,
break;
}
}
+ return response;
}
@@ -1010,7 +994,7 @@ kerberos_v4(struct sockaddr_in *client,
* client.
*/
-void
+static krb5_data *
kerb_err_reply(struct sockaddr_in *client, KTEXT pkt, long int err, char *string)
{
static KTEXT_ST e_pkt_st;
@@ -1021,9 +1005,7 @@ kerb_err_reply(struct sockaddr_in *clien
strncat(e_msg, string, sizeof(e_msg) - 1 - 19);
cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr,
req_time_ws, err, e_msg);
- krb4_sendto(f, (char *) e_pkt->dat, e_pkt->length, 0,
- (struct sockaddr *) client, sizeof (struct sockaddr_in));
-
+ return make_response((char *) e_pkt->dat, e_pkt->length);
}
static int
Index: krb5-1.6.2/src/kdc/network.c
===================================================================
--- krb5-1.6.2.orig/src/kdc/network.c
+++ krb5-1.6.2/src/kdc/network.c
@@ -1,7 +1,7 @@
/*
* kdc/network.c
*
- * Copyright 1990,2000 by the Massachusetts Institute of Technology.
+ * Copyright 1990,2000,2007 by the Massachusetts Institute of Technology.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
@@ -747,6 +747,8 @@ static void process_packet(struct connec
com_err(prog, retval, "while dispatching (udp)");
return;
}
+ if (response == NULL)
+ return;
cc = sendto(port_fd, response->data, (socklen_t) response->length, 0,
(struct sockaddr *)&saddr, saddr_len);
if (cc == -1) {

76
krb5-1.6-MITKRB5-SA-2008-002.dif
View File

@ -1,76 +0,0 @@
=== src/lib/rpc/svc.c
==================================================================
Index: src/lib/rpc/svc.c
===================================================================
--- src/lib/rpc/svc.c.orig
+++ src/lib/rpc/svc.c
@@ -109,15 +109,17 @@ xprt_register(SVCXPRT *xprt)
if (sock < FD_SETSIZE) {
xports[sock] = xprt;
FD_SET(sock, &svc_fdset);
+ if (sock > svc_maxfd)
+ svc_maxfd = sock;
}
#else
if (sock < NOFILE) {
xports[sock] = xprt;
svc_fds |= (1 << sock);
+ if (sock > svc_maxfd)
+ svc_maxfd = sock;
}
#endif /* def FD_SETSIZE */
- if (sock > svc_maxfd)
- svc_maxfd = sock;
}
/*
Index: src/lib/rpc/svc_tcp.c
===================================================================
--- src/lib/rpc/svc_tcp.c.orig
+++ src/lib/rpc/svc_tcp.c
@@ -53,6 +53,14 @@ static char sccsid[] = "@(#)svc_tcp.c 1.
extern errno;
*/
+#ifndef FD_SETSIZE
+#ifdef NBBY
+#define NOFILE (sizeof(int) * NBBY)
+#else
+#define NOFILE (sizeof(int) * 8)
+#endif
+#endif
+
/*
* Ops vector for TCP/IP based rpc service handle
*/
@@ -213,6 +221,19 @@ makefd_xprt(
register SVCXPRT *xprt;
register struct tcp_conn *cd;
+#ifdef FD_SETSIZE
+ if (fd >= FD_SETSIZE) {
+ (void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n");
+ xprt = NULL;
+ goto done;
+ }
+#else
+ if (fd >= NOFILE) {
+ (void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n");
+ xprt = NULL;
+ goto done;
+ }
+#endif
xprt = (SVCXPRT *)mem_alloc(sizeof(SVCXPRT));
if (xprt == (SVCXPRT *)NULL) {
(void) fprintf(stderr, "svc_tcp: makefd_xprt: out of memory\n");
@@ -268,6 +289,10 @@ rendezvous_request(
* make a new transporter (re-uses xprt)
*/
xprt = makefd_xprt(sock, r->sendsize, r->recvsize);
+ if (xprt == NULL) {
+ close(sock);
+ return (FALSE);
+ }
xprt->xp_raddr = addr;
xprt->xp_addrlen = len;
xprt->xp_laddr = laddr;

13
krb5-1.6-fix-CVE-2007-5894.dif
View File

@ -1,13 +0,0 @@
Index: src/appl/gssftp/ftpd/ftpd.c
===================================================================
--- src/appl/gssftp/ftpd/ftpd.c.orig
+++ src/appl/gssftp/ftpd/ftpd.c
@@ -1823,7 +1823,7 @@ reply(n, fmt, p0, p1, p2, p3, p4, p5)
* radix_encode, gss_seal, plus slop.
*/
char in[FTP_BUFSIZ*3/2], out[FTP_BUFSIZ*3/2];
- int length, kerror;
+ int length = 0, kerror;
if (n) sprintf(in, "%d%c", n, cont_char);
else in[0] = '\0';
strncat(in, buf, sizeof (in) - strlen(in) - 1);

13
krb5-1.6-fix-CVE-2007-5902.dif
View File

@ -1,13 +0,0 @@
Index: src/lib/rpc/svc_auth_gss.c
===================================================================
--- src/lib/rpc/svc_auth_gss.c.orig
+++ src/lib/rpc/svc_auth_gss.c
@@ -671,7 +671,7 @@ svcauth_gss_get_principal(SVCAUTH *auth)
gd = SVCAUTH_PRIVATE(auth);
- if (gd->cname.length == 0)
+ if (gd->cname.length == 0 || gd->cname.length >= SIZE_MAX)
return (NULL);
if ((pname = malloc(gd->cname.length + 1)) == NULL)

25
krb5-1.6-fix-CVE-2007-5971.dif
View File

@ -1,25 +0,0 @@
Index: src/lib/gssapi/krb5/k5sealv3.c
===================================================================
--- src/lib/gssapi/krb5/k5sealv3.c.orig
+++ src/lib/gssapi/krb5/k5sealv3.c
@@ -248,7 +248,6 @@ gss_krb5int_make_seal_token_v3 (krb5_con
plain.data = 0;
if (err) {
zap(outbuf,bufsize);
- free(outbuf);
goto error;
}
if (sum.length != ctx->cksum_size)
Index: src/lib/gssapi/mechglue/g_initialize.c
===================================================================
--- src/lib/gssapi/mechglue/g_initialize.c.orig
+++ src/lib/gssapi/mechglue/g_initialize.c
@@ -208,7 +208,7 @@ gss_OID_set *mechSet;
free((*mechSet)->elements[j].elements);
}
free((*mechSet)->elements);
- free(mechSet);
+ free(*mechSet);
*mechSet = NULL;
return (GSS_S_FAILURE);
}

14
krb5-1.6-fix-CVE-2007-5972.dif
View File

@ -1,14 +0,0 @@
Index: src/lib/kdb/kdb_default.c
===================================================================
--- src/lib/kdb/kdb_default.c.orig
+++ src/lib/kdb/kdb_default.c
@@ -185,8 +185,7 @@ krb5_def_store_mkey(context, keyfile, mn
kf) != key->length)) {
retval = errno;
(void) fclose(kf);
- }
- if (fclose(kf) == EOF)
+ } else if (fclose(kf) == EOF)
retval = errno;
#if HAVE_UMASK
(void) umask(oumask);

22
krb5-1.6-ldap-man.dif
View File

@ -1,22 +0,0 @@
Index: src/config-files/krb5.conf.M
===================================================================
--- src/config-files/krb5.conf.M (revision 19507)
+++ src/config-files/krb5.conf.M (working copy)
@@ -600,7 +600,7 @@
objects used for starting the Kerberos servers. This value is used if no
service password file is mentioned in the configuration section under dbmodules.
-.IP ldap_server
+.IP ldap_servers
This LDAP specific tag indicates the list of LDAP servers. The list of LDAP servers
is whitespace-separated. The LDAP server is specified by a LDAP URI.
This value is used if no LDAP servers are mentioned in the configuration
@@ -641,7 +641,7 @@
This LDAP specific tag indicates the file containing the stashed passwords for the
objects used for starting the Kerberos servers.
-.IP ldap_server
+.IP ldap_servers
This LDAP specific tag indicates the list of LDAP servers. The list of LDAP servers
is whitespace-separated. The LDAP server is specified by a LDAP URI.

16
krb5-1.6.1-compile_pie.dif
View File

@ -2,7 +2,7 @@ Index: src/krb5-config.in
===================================================================
--- src/krb5-config.in.orig
+++ src/krb5-config.in
@@ -186,6 +186,8 @@ if test -n "$do_libs"; then
@@ -188,6 +188,8 @@ if test -n "$do_libs"; then
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
-e 's#\$(CFLAGS)#'"$CFLAGS"'#'`
@ -15,13 +15,13 @@ Index: src/config/shlib.conf
===================================================================
--- src/config/shlib.conf.orig
+++ src/config/shlib.conf
@@ -378,7 +378,8 @@ mips-*-netbsd*)
SHLIB_EXPFLAGS='-Wl,-R$(SHLIB_RDIRS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
@@ -420,7 +420,8 @@ mips-*-netbsd*)
PROFFLAGS=-pg
RPATH_FLAG='-Wl,-rpath -Wl,'
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CFLAGS) $(LDFLAGS)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CFLAGS) -pie $(LDFLAGS)'
+ INSTALL_SHLIB='${INSTALL} -m755'
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie $(LDFLAGS)'
+ INSTALL_SHLIB='${INSTALL} -m755'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
RUN_ENV='LD_LIBRARY_PATH=`echo $(PROG_LIBPATH) | sed -e "s/-L//g" -e "s/ /:/g"`; export LD_LIBRARY_PATH; '
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'

14
krb5-1.6.1-init-salt-length.dif
View File

@ -1,14 +0,0 @@
Index: src/lib/krb5/asn.1/ldap_key_seq.c
===================================================================
--- src/lib/krb5/asn.1/ldap_key_seq.c.orig
+++ src/lib/krb5/asn.1/ldap_key_seq.c
@@ -341,7 +341,8 @@ static asn1_error_code asn1_decode_key(a
if (asn1buf_remains(&slt, 0) != 0) { /* Salt value is optional */
ret = decode_tagged_octetstring (&slt, 1, &keylen,
&key->key_data_contents[1]); checkerr;
- }
+ } else
+ keylen = 0;
safe_syncbuf (&subbuf, &slt);
key->key_data_length[1] = keylen; /* XXX range check?? */

111
krb5-1.6.3-case-insensitive.dif
View File

@ -1,111 +0,0 @@
Index: src/include/k5-int.h
===================================================================
--- src/include/k5-int.h.orig
+++ src/include/k5-int.h
@@ -1253,6 +1253,11 @@ struct _krb5_context {
#define KRB5_LIBOPT_SYNC_KDCTIME 0x0001
+#ifdef __CI_PRINC__
+#define KRB5_LIBOPT_CASE_INSENSITIVE 0x0002
+#define KRB5_LIBOPT_RD_REQ_TRY_HOST_SPN 0x0004
+#endif
+
/* internal message representations */
typedef struct _krb5_safe {
Index: src/lib/krb5/krb/init_ctx.c
===================================================================
--- src/lib/krb5/krb/init_ctx.c.orig
+++ src/lib/krb5/krb/init_ctx.c
@@ -222,6 +222,16 @@ init_common (krb5_context *context, krb5
&tmp);
ctx->library_options = tmp ? KRB5_LIBOPT_SYNC_KDCTIME : 0;
+#ifdef __CI_PRINC__
+#define DEFAULT_CASE_SENSITIVE 1
+ profile_get_boolean(ctx->profile, "libdefaults",
+ "case_sensitive", 0, DEFAULT_CASE_SENSITIVE,
+ &tmp);
+ if (tmp == 0)
+ ctx->library_options |= KRB5_LIBOPT_CASE_INSENSITIVE;
+
+#endif /* __CI_PRINC__ */
+
/*
* We use a default file credentials cache of 3. See
* lib/krb5/krb/ccache/file/fcc.h for a description of the
Index: src/lib/krb5/krb/princ_comp.c
===================================================================
--- src/lib/krb5/krb/princ_comp.c.orig
+++ src/lib/krb5/krb/princ_comp.c
@@ -33,13 +33,35 @@
krb5_boolean KRB5_CALLCONV
krb5_realm_compare(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2)
{
+ krb5_boolean ret;
+
if ((princ1 == NULL) || (princ2 == NULL))
return FALSE;
if ((krb5_princ_realm(context, princ1) == NULL) ||
(krb5_princ_realm(context, princ2) == NULL))
return FALSE;
+#ifdef __CI_PRINC__
+ /* XXX this needs to be Unicode-aware */
+
+ if (krb5_princ_realm(context, princ1)->length !=
+ krb5_princ_realm(context, princ2)->length) {
+ /* NB this test won't be necessarily correct for UTF-8 */
+ return FALSE;
+ }
+
+ if (context->library_options & KRB5_LIBOPT_CASE_INSENSITIVE) {
+ ret = (strncasecmp (krb5_princ_realm(context, princ1)->data,
+ krb5_princ_realm(context, princ2)->data,
+ krb5_princ_realm(context, princ2)->length) == 0);
+ } else {
+ ret = (memcmp (krb5_princ_realm(context, princ1)->data,
+ krb5_princ_realm(context, princ2)->data,
+ krb5_princ_realm(context, princ2)->length) == 0);
+ }
+ return ret;
+#else
if (krb5_princ_realm(context, princ1)->length !=
krb5_princ_realm(context, princ2)->length ||
memcmp (krb5_princ_realm(context, princ1)->data,
@@ -48,6 +70,7 @@ krb5_realm_compare(krb5_context context,
return FALSE;
return TRUE;
+#endif /* __CI_PRINC__ */
}
krb5_boolean KRB5_CALLCONV
@@ -69,9 +92,25 @@ krb5_principal_compare(krb5_context cont
for (i = 0; i < (int) nelem; i++) {
register const krb5_data *p1 = krb5_princ_component(context, princ1, i);
register const krb5_data *p2 = krb5_princ_component(context, princ2, i);
+#ifdef __CI_PRINC__
+ /* XXX this needs to be Unicode-aware */
+ krb5_boolean ret;
+
+ if (p1->length != p2->length)
+ return FALSE;
+
+ if (context->library_options & KRB5_LIBOPT_CASE_INSENSITIVE)
+ ret = (strncasecmp(p1->data, p2->data, p1->length) == 0);
+ else
+ ret = (memcmp(p1->data, p2->data, p1->length) == 0);
+
+ if (ret == FALSE)
+ return ret;
+#else
if (p1->length != p2->length ||
memcmp(p1->data, p2->data, p1->length))
return FALSE;
+#endif /* __CI_PRINC__ */
}
return TRUE;
}

35
krb5-1.6.3-fix-ipv6-query.dif
View File

@ -1,7 +1,7 @@
Index: krb5-1.6.3/src/lib/krb5/os/hostaddr.c
Index: trunk/src/lib/krb5/os/hostaddr.c
===================================================================
--- krb5-1.6.3.orig/src/lib/krb5/os/hostaddr.c
+++ krb5-1.6.3/src/lib/krb5/os/hostaddr.c
--- trunk.orig/src/lib/krb5/os/hostaddr.c
+++ trunk/src/lib/krb5/os/hostaddr.c
@@ -43,7 +43,7 @@ krb5_os_hostaddr(krb5_context context, c
return KRB5_ERR_BAD_HOSTNAME;
@ -11,11 +11,11 @@ Index: krb5-1.6.3/src/lib/krb5/os/hostaddr.c
/* We don't care what kind at this point, really, but without
this, we can get back multiple sockaddrs per address, for
SOCK_DGRAM, SOCK_STREAM, and SOCK_RAW. I haven't checked if
Index: krb5-1.6.3/src/lib/krb5/os/hst_realm.c
Index: trunk/src/lib/krb5/os/hst_realm.c
===================================================================
--- krb5-1.6.3.orig/src/lib/krb5/os/hst_realm.c
+++ krb5-1.6.3/src/lib/krb5/os/hst_realm.c
@@ -167,7 +167,7 @@ krb5int_get_fq_hostname (char *buf, size
--- trunk.orig/src/lib/krb5/os/hst_realm.c
+++ trunk/src/lib/krb5/os/hst_realm.c
@@ -171,7 +171,7 @@ krb5int_get_fq_hostname (char *buf, size
int err;
memset (&hints, 0, sizeof (hints));
@ -24,10 +24,10 @@ Index: krb5-1.6.3/src/lib/krb5/os/hst_realm.c
err = getaddrinfo (name, 0, &hints, &ai);
if (err)
return krb5int_translate_gai_error (err);
Index: krb5-1.6.3/src/lib/krb5/os/locate_kdc.c
Index: trunk/src/lib/krb5/os/locate_kdc.c
===================================================================
--- krb5-1.6.3.orig/src/lib/krb5/os/locate_kdc.c
+++ krb5-1.6.3/src/lib/krb5/os/locate_kdc.c
--- trunk.orig/src/lib/krb5/os/locate_kdc.c
+++ trunk/src/lib/krb5/os/locate_kdc.c
@@ -254,8 +254,9 @@ krb5int_add_host_to_list (struct addrlis
memset(&hint, 0, sizeof(hint));
hint.ai_family = family;
@ -37,17 +37,18 @@ Index: krb5-1.6.3/src/lib/krb5/os/locate_kdc.c
- hint.ai_flags = AI_NUMERICSERV;
+ hint.ai_flags |= AI_NUMERICSERV;
#endif
sprintf(portbuf, "%d", ntohs(port));
sprintf(secportbuf, "%d", ntohs(secport));
Index: krb5-1.6.3/src/lib/krb5/os/sn2princ.c
if (snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port)) >= sizeof(portbuf))
/* XXX */
Index: trunk/src/lib/krb5/os/sn2princ.c
===================================================================
--- krb5-1.6.3.orig/src/lib/krb5/os/sn2princ.c
+++ krb5-1.6.3/src/lib/krb5/os/sn2princ.c
@@ -107,6 +107,7 @@ krb5_sname_to_principal(krb5_context con
--- trunk.orig/src/lib/krb5/os/sn2princ.c
+++ trunk/src/lib/krb5/os/sn2princ.c
@@ -107,7 +107,7 @@ krb5_sname_to_principal(krb5_context con
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_INET;
+ hints.ai_flags = AI_ADDRCONFIG;
- hints.ai_flags = AI_CANONNAME;
+ hints.ai_flags = AI_CANONNAME|AI_ADDRCONFIG;
try_getaddrinfo_again:
err = getaddrinfo(hostname, 0, &hints, &ai);
if (err) {

13
krb5-1.6.3-gssapi_improve_errormessages.dif Normal file
View File

@ -0,0 +1,13 @@
Index: trunk/src/lib/gssapi/generic/disp_com_err_status.c
===================================================================
--- trunk.orig/src/lib/gssapi/generic/disp_com_err_status.c
+++ trunk/src/lib/gssapi/generic/disp_com_err_status.c
@@ -54,7 +54,7 @@ g_display_com_err_status(minor_status, s
status_string->value = NULL;
if (! g_make_string_buffer(((status_value == 0)?no_error:
- error_message(status_value)),
+ error_message((long)status_value)),
status_string)) {
*minor_status = ENOMEM;
return(GSS_S_FAILURE);

6
krb5-trunk-kpasswd_tcp.patch → krb5-1.6.3-kpasswd_tcp.patch
View File

@ -3,9 +3,9 @@ to wait for UDP to fail, so this might not be ideal. RT #5868.
Index: src/lib/krb5/os/changepw.c
===================================================================
--- src/lib/krb5/os/changepw.c (revision 20199)
+++ src/lib/krb5/os/changepw.c (working copy)
@@ -251,11 +251,22 @@
--- src/lib/krb5/os/changepw.c.orig
+++ src/lib/krb5/os/changepw.c
@@ -261,11 +261,22 @@ krb5_change_set_password(krb5_context co
NULL,
NULL
))) {

28
krb5-1.6.3-kprop-use-mkstemp.dif Normal file
View File

@ -0,0 +1,28 @@
Index: src/slave/kprop.c
===================================================================
--- src/slave/kprop.c.orig
+++ src/slave/kprop.c
@@ -215,6 +215,7 @@ void get_tickets(context)
krb5_error_code retval;
static char tkstring[] = "/tmp/kproptktXXXXXX";
krb5_keytab keytab = NULL;
+ int ret = 0;
/*
* Figure out what tickets we'll be using to send stuff
@@ -240,7 +241,15 @@ void get_tickets(context)
/*
* Initialize cache file which we're going to be using
*/
+#ifdef HAVE_MKSTEMP
+ ret = mkstemp(tkstring);
+ if (ret == -1) {
+ com_err(progname, errno, "while initialize cache file");
+ exit(1);
+ } else close(ret);
+#else
(void) mktemp(tkstring);
+#endif
snprintf(buf, sizeof(buf), "FILE:%s", tkstring);
retval = krb5_cc_resolve(context, buf, &ccache);

3056
krb5-1.6.3-post.dif
View File

File diff suppressed because it is too large Load Diff

2
krb5-1.6.3-rpmlintrc
View File

@ -1,2 +0,0 @@
addFilter("devel-file-in-non-devel-package .*libgssapi_krb5.so")
addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5login.5.gz")

3
krb5-1.6.3.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:c272bea49a48059f9a31bca38e9d838c9b52d4257ba764aaed24783c24b36173
size 10091032

76
trunk-manpaths.dif → krb5-1.7-manpaths.dif
View File

@ -1,8 +1,8 @@
Index: krb5-1.6.3/src/appl/bsd/klogind.M
Index: trunk/src/appl/bsd/klogind.M
===================================================================
--- krb5-1.6.3.orig/src/appl/bsd/klogind.M
+++ krb5-1.6.3/src/appl/bsd/klogind.M
--- trunk.orig/src/appl/bsd/klogind.M
+++ trunk/src/appl/bsd/klogind.M
@@ -27,7 +27,7 @@ server is invoked by \fIinetd(8)\fP when
the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf
configuration line for \fIklogind\fP might be:
@ -12,10 +12,10 @@ Index: krb5-1.6.3/src/appl/bsd/klogind.M
When a service request is received, the following protocol is initiated:
Index: krb5-1.6.3/src/appl/bsd/kshd.M
Index: trunk/src/appl/bsd/kshd.M
===================================================================
--- krb5-1.6.3.orig/src/appl/bsd/kshd.M
+++ krb5-1.6.3/src/appl/bsd/kshd.M
--- trunk.orig/src/appl/bsd/kshd.M
+++ trunk/src/appl/bsd/kshd.M
@@ -8,7 +8,7 @@
.SH NAME
kshd \- kerberized remote shell server
@ -34,10 +34,10 @@ Index: krb5-1.6.3/src/appl/bsd/kshd.M
When a service request is received, the following protocol is initiated:
Index: krb5-1.6.3/src/appl/sample/sserver/sserver.M
Index: trunk/src/appl/sample/sserver/sserver.M
===================================================================
--- krb5-1.6.3.orig/src/appl/sample/sserver/sserver.M
+++ krb5-1.6.3/src/appl/sample/sserver/sserver.M
--- trunk.orig/src/appl/sample/sserver/sserver.M
+++ trunk/src/appl/sample/sserver/sserver.M
@@ -59,7 +59,7 @@ option allows for a different keytab tha
using a line in
/etc/inetd.conf that looks like this:
@ -47,10 +47,10 @@ Index: krb5-1.6.3/src/appl/sample/sserver/sserver.M
.PP
Since \fBsample\fP is normally not a port defined in /etc/services, you will
usually have to add a line to /etc/services which looks like this:
Index: krb5-1.6.3/src/appl/telnet/telnetd/telnetd.8
Index: trunk/src/appl/telnet/telnetd/telnetd.8
===================================================================
--- krb5-1.6.3.orig/src/appl/telnet/telnetd/telnetd.8
+++ krb5-1.6.3/src/appl/telnet/telnetd/telnetd.8
--- trunk.orig/src/appl/telnet/telnetd/telnetd.8
+++ trunk/src/appl/telnet/telnetd/telnetd.8
@@ -37,7 +37,7 @@ telnetd \-
.SM DARPA TELNET
protocol server
@ -60,10 +60,10 @@ Index: krb5-1.6.3/src/appl/telnet/telnetd/telnetd.8
[\fB\-a\fP \fIauthmode\fP] [\fB\-B\fP] [\fB\-D\fP] [\fIdebugmode\fP]
[\fB\-e\fP] [\fB\-h\fP] [\fB\-I\fP\fIinitid\fP] [\fB\-l\fP]
[\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP]
Index: krb5-1.6.3/src/config-files/kdc.conf.M
Index: trunk/src/config-files/kdc.conf.M
===================================================================
--- krb5-1.6.3.orig/src/config-files/kdc.conf.M
+++ krb5-1.6.3/src/config-files/kdc.conf.M
--- trunk.orig/src/config-files/kdc.conf.M
+++ trunk/src/config-files/kdc.conf.M
@@ -82,14 +82,14 @@ This
.B string
specifies the location of the access control list (acl) file that
@ -81,7 +81,7 @@ Index: krb5-1.6.3/src/config-files/kdc.conf.M
.IP database_name
This
@@ -239,7 +239,7 @@ tickets should be checked against the tr
@@ -257,7 +257,7 @@ tickets should be checked against the tr
realm names and the [capaths] section of its krb5.conf file
.SH FILES
@ -90,12 +90,12 @@ Index: krb5-1.6.3/src/config-files/kdc.conf.M
.SH SEE ALSO
krb5.conf(5), krb5kdc(8)
Index: krb5-1.6.3/src/configure.in
Index: trunk/src/configure.in
===================================================================
--- krb5-1.6.3.orig/src/configure.in
+++ krb5-1.6.3/src/configure.in
@@ -944,6 +944,73 @@ if false; then
fi
--- trunk.orig/src/configure.in
+++ trunk/src/configure.in
@@ -1041,6 +1041,69 @@ dnl
AC_CONFIG_SUBDIRS(appl/libpty appl/bsd appl/gssftp appl/telnet)
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
+
@ -124,7 +124,6 @@ Index: krb5-1.6.3/src/configure.in
+ appl/bsd/rcp.M
+ appl/bsd/rlogin.M
+ appl/bsd/rsh.M
+ appl/bsd/v4rcp.M
+ appl/gssftp/ftpd/ftpd.M
+ appl/gssftp/ftp/ftp.M
+ appl/sample/sclient/sclient.M
@ -150,10 +149,7 @@ Index: krb5-1.6.3/src/configure.in
+ kadmin/ktutil/ktutil.M
+ kadmin/passwd/kpasswd.M
+ kadmin/server/kadmind.M
+ kdc/fakeka.M
+ kdc/krb5kdc.M
+ krb524/k524init.M
+ krb524/krb524d.M
+ krb5-config.M
+ plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M
+ slave/kpropd.M
@ -168,11 +164,11 @@ Index: krb5-1.6.3/src/configure.in
V5_AC_OUTPUT_MAKEFILE(.
util util/support util/profile util/send-pr
Index: krb5-1.6.3/src/kadmin/cli/kadmin.M
Index: trunk/src/kadmin/cli/kadmin.M
===================================================================
--- krb5-1.6.3.orig/src/kadmin/cli/kadmin.M
+++ krb5-1.6.3/src/kadmin/cli/kadmin.M
@@ -808,9 +808,9 @@ option is specified, less verbose status
--- trunk.orig/src/kadmin/cli/kadmin.M
+++ trunk/src/kadmin/cli/kadmin.M
@@ -840,9 +840,9 @@ option is specified, less verbose status
.RS
.TP
EXAMPLE:
@ -184,7 +180,7 @@ Index: krb5-1.6.3/src/kadmin/cli/kadmin.M
kadmin:
.RE
.fi
@@ -852,7 +852,7 @@ passwords.
@@ -884,7 +884,7 @@ passwords.
.SH HISTORY
The
.B kadmin
@ -193,10 +189,10 @@ Index: krb5-1.6.3/src/kadmin/cli/kadmin.M
OpenVision Kerberos administration program.
.SH SEE ALSO
.IR kerberos (1),
Index: krb5-1.6.3/src/slave/kprop.M
Index: trunk/src/slave/kprop.M
===================================================================
--- krb5-1.6.3.orig/src/slave/kprop.M
+++ krb5-1.6.3/src/slave/kprop.M
--- trunk.orig/src/slave/kprop.M
+++ trunk/src/slave/kprop.M
@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv
This is done by transmitting the dumped database file to the slave
server over an encrypted, secure channel. The dump file must be created
@ -215,11 +211,11 @@ Index: krb5-1.6.3/src/slave/kprop.M
.TP
\fB\-P\fP \fIport\fP
specifies the port to use to contact the
Index: krb5-1.6.3/src/slave/kpropd.M
Index: trunk/src/slave/kpropd.M
===================================================================
--- krb5-1.6.3.orig/src/slave/kpropd.M
+++ krb5-1.6.3/src/slave/kpropd.M
@@ -69,7 +69,7 @@ Normally, kpropd is invoked out of
--- trunk.orig/src/slave/kpropd.M
+++ trunk/src/slave/kpropd.M
@@ -74,7 +74,7 @@ Normally, kpropd is invoked out of
This is done by adding a line to the inetd.conf file which looks like
this:
@ -228,7 +224,7 @@ Index: krb5-1.6.3/src/slave/kpropd.M
However, kpropd can also run as a standalone deamon, if the
.B \-S
@@ -87,13 +87,13 @@ is used.
@@ -111,13 +111,13 @@ is used.
\fB\-f\fP \fIfile\fP
specifies the filename where the dumped principal database file is to be
stored; by default the dumped database file is KPROPD_DEFAULT_FILE
@ -244,9 +240,9 @@ Index: krb5-1.6.3/src/slave/kpropd.M
.TP
.B \-S
turn on standalone mode. Normally, kpropd is invoked out of
@@ -124,14 +124,14 @@ mode.
@@ -148,14 +148,14 @@ mode.
allows the user to specify the path to the
.KR kpropd.acl
kpropd.acl
file; by default the path used is KPROPD_ACL_FILE
-(normally /usr/local/var/krb5kdc/kpropd.acl).
+(normally @manlocalstatedir@/krb5kdc/kpropd.acl).

4
krb5-trunk-manpaths.txt → krb5-1.7-manpaths.txt
View File

@ -4,7 +4,6 @@ appl/bsd/login.M
appl/bsd/rcp.M
appl/bsd/rlogin.M
appl/bsd/rsh.M
appl/bsd/v4rcp.M
appl/gssftp/ftpd/ftpd.M
appl/gssftp/ftp/ftp.M
appl/sample/sclient/sclient.M
@ -30,10 +29,7 @@ kadmin/dbutil/kdb5_util.M
kadmin/ktutil/ktutil.M
kadmin/passwd/kpasswd.M
kadmin/server/kadmind.M
kdc/fakeka.M
kdc/krb5kdc.M
krb524/k524init.M
krb524/krb524d.M
krb5-config.M
plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M
slave/kpropd.M

6
krb5-1.7-rpmlintrc Normal file
View File

@ -0,0 +1,6 @@
addFilter("devel-file-in-non-devel-package .*libgssapi_krb5.so")
addFilter("hidden-file-or-dir .*/usr/share/man/man5/.k5login.5.gz")
addFilter("files-duplicate .*css")
addFilter("files-duplicate .*img.*png")
addFilter("devel-file-in-non-devel-package .*libkdb_ldap.so")
addFilter("shlib-policy-missing-suffix")

3
krb5-1.7.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2043f38c46a9721cfab28f0fdf876af17d542cab458a87d0324783189e9570cd
size 10407001

0
krb5-doc-1.6.3-rpmlintrc → krb5-doc-1.7-rpmlintrc
View File

16
krb5-doc.changes
View File

@ -1,3 +1,19 @@
-------------------------------------------------------------------
Wed Jun 3 10:47:07 CEST 2009 - mc@suse.de
- update to final version 1.7
-------------------------------------------------------------------
Wed May 13 11:34:07 CEST 2009 - mc@suse.de
- update to version 1.7 Beta2
-------------------------------------------------------------------
Mon Feb 16 13:08:05 CET 2009 - mc@suse.de
- update to pre 1.7 version
* remove outdated documentation for kadm5 API
-------------------------------------------------------------------
Fri Jul 25 12:17:10 CEST 2008 - mc@suse.de

176
krb5-doc.spec
View File

@ -1,5 +1,5 @@
#
# spec file for package krb5-doc (Version 1.6.3)
# spec file for package krb5-doc (Version 1.7)
#
# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@ -20,20 +20,18 @@
Name: krb5-doc
BuildRequires: ghostscript-library latex2html texlive
Version: 1.6.3
Release: 133
%define srcRoot krb5-1.6.3
Version: 1.7
Release: 4
%define srcRoot krb5-1.7
Summary: MIT Kerberos5 Implementation--Documentation
License: X11/MIT
License: MIT License (or similar)
Url: http://web.mit.edu/kerberos/www/
Group: Documentation/Other
Source: krb5-1.6.3.tar.bz2
Source: krb5-%{version}.tar.bz2
Source1: README.Source
Source2: Makefile.kadm5
Source3: %{name}-%{version}-rpmlintrc
Patch0: krb5-1.3.5-perlfix.dif
Patch1: krb5-1.6.3-texi2dvi-fix.dif
Patch2: krb5-1.6.3-post.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch
@ -56,8 +54,6 @@ Authors:
%setup -n %{srcRoot}
%patch0
%patch1
%patch2
cp %{_sourcedir}/Makefile.kadm5 %{_builddir}/%{srcRoot}/doc/kadm5/Makefile
%build
@ -68,17 +64,13 @@ make
make implementor.ps
make -C api
make -C implement
make -C kadm5
cd api
latex2html -dir ../html/library -mkdir library.tex
latex2html -dir ../html/libdes -mkdir libdes.tex
cd ../implement
latex2html -dir ../html/implement -mkdir implement.tex
cd ..
#mv krb5-admin html/
#mv krb5-install html/
#mv krb5-user html/
#mv krb425 html/
#make -C kadm5
#cd api
#latex2html -dir ../html/library -mkdir library.tex
#latex2html -dir ../html/libdes -mkdir libdes.tex
#cd ../implement
#latex2html -dir ../html/implement -mkdir implement.tex
#cd ..
mv *.html html/
cd ..
find . -type f -name '*.ps' -exec gzip -9 {} \;
@ -89,134 +81,34 @@ rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
rm -f /usr/share/man/man1/tmac.doc*
rm -rf /usr/lib/mit/share
rm -rf %{buildroot}/usr/lib/mit/share
rm -f doc/html/*/WARNINGS
rm -f doc/html/*/images.aux
rm -f doc/html/*/labels.pl
# check for duplicate files and replace them with a link
cd doc/html/api-funcspec
if cmp --quiet api-funcspec.html index.html ; then
rm -f index.html
ln -s api-funcspec.html index.html
fi
cd ../library
if cmp --quiet library.html index.html ; then
rm -f index.html
ln -s library.html index.html
fi
cd ../api-server-design
if cmp --quiet api-server-design.html index.html ; then
rm -f index.html
ln -s api-server-design.html index.html
fi
cd ../adb-unit-test
if cmp --quiet adb-unit-test.html index.html ; then
rm -f index.html
ln -s adb-unit-test.html index.html
fi
cd ../api-unit-test
if cmp --quiet api-unit-test.html index.html ; then
rm -f index.html
ln -s api-unit-test.html index.html
fi
cd ../libdes
if cmp --quiet libdes.html index.html ; then
rm -f index.html
ln -s libdes.html index.html
fi
cd ../implement
if cmp --quiet implement.html index.html ; then
rm -f index.html
ln -s implement.html index.html
fi
cd ../..
#rm -f doc/html/*/WARNINGS
#rm -f doc/html/*/images.aux
#rm -f doc/html/*/labels.pl
#### check for duplicate files and replace them with a link
#cd doc/html/library
#if cmp --quiet library.html index.html ; then
# rm -f index.html
# ln -s library.html index.html
#fi
#cd ../libdes
#if cmp --quiet libdes.html index.html ; then
# rm -f index.html
# ln -s libdes.html index.html
#fi
#cd ../implement
#if cmp --quiet implement.html index.html ; then
# rm -f index.html
# ln -s implement.html index.html
#fi
#cd ../..
%clean
rm -rf %{buildroot}
%files
%defattr(-,root,root)
%doc doc/*.ps.gz doc/api/*.ps.gz doc/implement/*.ps.gz doc/kadm5/*.ps.gz
%doc doc/*.ps.gz doc/api/*.ps.gz doc/implement/*.ps.gz
%doc doc/krb5-protocol doc/kadmin
%doc doc/html
%changelog
* Fri Jul 25 2008 mc@suse.de
- add patches from SVN post 1.6.3
* some fixes in the man pages
* Wed Jun 18 2008 mc@suse.de
- reduce rpmlint warnings
* Tue Oct 23 2007 mc@suse.de
- update to krb5 version 1.6.3
* fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
* fix CVE-2007-4000 modify_policy vulnerability
* Add PKINIT support
- remove patches which are upstream now
- enhance init scripts and xinetd profiles
* Thu Jul 12 2007 mc@suse.de
- update to version 1.6.2
- remove krb5-1.6.1-post.dif all fixes are included in this release
* Wed Jun 13 2007 sschober@suse.de
- removed executable permission from doc file
* Mon Apr 23 2007 mc@suse.de
- update to final 1.6.1 version
- replace te_ams with texlive in BuildRequires
* Wed Apr 18 2007 mc@suse.de
- build implementor.ps
* Mon Apr 16 2007 mc@suse.de
- update to version 1.6.1 Beta1
- remove obsolete patches
(krb5-1.6-post.dif, krb5-1.6-patchlevel.dif)
* Mon Feb 19 2007 mc@suse.de
- add krb5-1.6-post.dif
* Mon Jan 22 2007 mc@suse.de
- update to version 1.6
* Major changes in 1.6 include
* Partial client implementation to handle server name referrals.
* Pre-authentication plug-in framework, donated by Red Hat.
* LDAP KDB plug-in, donated by Novell.
* Thu Aug 24 2006 mc@suse.de
- update to version 1.5.1
- remove obsolete patches which are now included upstream
* krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif
* trunk-fix-uninitialized-vars.dif
* Mon Jul 03 2006 mc@suse.de
- update to version 1.5
* KDB abstraction layer, donated by Novell.
* plug-in architecture, allowing for extension modules to be
loaded at run-time.
* multi-mechanism GSS-API implementation ("mechglue"),
donated by Sun Microsystems
* Simple and Protected GSS-API negotiation mechanism ("SPNEGO")
implementation, donated by Sun Microsystems
- remove obsolete patches and add some new
* Mon Mar 13 2006 mc@suse.de
- set BuildArchitectures to noarch
- set norootforbuild
* Wed Jan 25 2006 mls@suse.de
- converted neededforbuild to BuildRequires
* Fri Nov 18 2005 mc@suse.de
- update to version 1.4.3
- fix tex for kadm5 documentation (krb5-1.4.3-kadm5-tex.dif)
* Wed Oct 12 2005 mc@suse.de
- build kadm5 documentation
- build documentation also as html
- include the text only documentation
* Tue Oct 11 2005 mc@suse.de
- update to version 1.4.2
- remove some obsolet patches
* Mon Jun 27 2005 mc@suse.de
- update to version 1.4.1
- remove obsolet patches
- krb5-1.4-VUL-0-telnet.dif
* Thu Feb 10 2005 ro@suse.de
- added libpng to neededforbuild (for tetex)
* Fri Feb 04 2005 mc@suse.de
- remove spx.c from tarball because of legal risk
- add README.Source which tell the user about this
action.
* Fri Jan 28 2005 mc@suse.de
- update to version 1.4
* Mon Jan 10 2005 mc@suse.de
- update to version 1.3.6
* Tue Dec 14 2004 mc@suse.de
- initial release

693
krb5-mini.changes Normal file
View File

@ -0,0 +1,693 @@
-------------------------------------------------------------------
Wed Jun 3 10:23:42 CEST 2009 - mc@suse.de
- update to final 1.7 release
-------------------------------------------------------------------
Wed May 13 11:30:42 CEST 2009 - mc@suse.de
- update to version 1.7 Beta2
* Incremental propagation support for the KDC database.
* Flexible Authentication Secure Tunneling (FAST), a preauthentiation
framework that can protect the AS exchange from dictionary attack.
* Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which
allows a GSS application to request credential delegation only if
permitted by KDC policy.
* Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --
various vulnerabilities in SPNEGO and ASN.1 code.
-------------------------------------------------------------------
Mon Feb 16 13:04:26 CET 2009 - mc@suse.de
- update to pre 1.7 version
* Remove support for version 4 of the Kerberos protocol (krb4).
* New libdefaults configuration variable "allow_weak_crypto".
* Client library now follows client principal referrals, for
compatibility with Windows.
* KDC can issue realm referrals for service principals based on domain
names.
* Encryption algorithm negotiation (RFC 4537).
* In the replay cache, use a hash over the complete ciphertext to
avoid false-positive replay indications.
* Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
similar to the equivalent SSPI functionality.
* DCE RPC, including three-leg GSS context setup and unencapsulated
GSS tokens.
* NTLM recognition support in GSS-API, to facilitate dropping in an
NTLM implementation.
* KDC support for principal aliases, if the back end supports them.
* Microsoft set/change password (RFC 3244) protocol in kadmind.
* Master key rollover support.
-------------------------------------------------------------------
Wed Jan 14 09:21:36 CET 2009 - olh@suse.de
- obsolete also old heimdal-lib-XXbit and heimdal-devel-XXbit
-------------------------------------------------------------------
Thu Dec 11 14:12:57 CET 2008 - mc@suse.de
- do not query IPv6 addresses if no IPv6 address exists on this host
[bnc#449143]
-------------------------------------------------------------------
Wed Dec 10 12:34:56 CET 2008 - olh@suse.de
- use Obsoletes: -XXbit only for ppc64 to help solver during distupgrade
(bnc#437293)
-------------------------------------------------------------------
Thu Oct 30 12:34:56 CET 2008 - olh@suse.de
- obsolete old -XXbit packages (bnc#437293)
-------------------------------------------------------------------
Fri Sep 26 18:13:19 CEST 2008 - mc@suse.de
- in case we use ldap as database backend, ldap should be
started before krb5kdc
-------------------------------------------------------------------
Mon Jul 28 10:43:29 CEST 2008 - mc@suse.de
- add new fixes to post 1.6.3 patch
* fix mem leak in krb5_gss_accept_sec_context()
* keep minor_status
* kadm5_decrypt_key: A ktype of -1 is documented as meaning
"to be ignored"
* Reject socket fds > FD_SETSIZE
-------------------------------------------------------------------
Fri Jul 25 12:13:24 CEST 2008 - mc@suse.de
- add patches from SVN post 1.6.3
* krb5_string_to_keysalts: Fix an infinite loop
* fix some mutex issues
* better recovery from corrupt rcache files
* some more small fixes
-------------------------------------------------------------------
Wed Jun 18 15:30:18 CEST 2008 - mc@suse.de
- add case-insensitive.dif (FATE#300771)
- minor fixes for ktutil man page
- reduce rpmlint warnings
-------------------------------------------------------------------
Wed May 14 17:44:59 CEST 2008 - mc@suse.de
- Fall back to TCP on kdc-unresolvable/unreachable errors.
- restore valid sequence number before generating requests
(fix changing passwords in mixed ipv4/ipv6 enviroments)
-------------------------------------------------------------------
Thu Apr 10 12:54:45 CEST 2008 - ro@suse.de
- added baselibs.conf file to build xxbit packages
for multilib support
-------------------------------------------------------------------
Wed Apr 9 12:04:48 CEST 2008 - mc@suse.de
- modify krb5-config to not output rpath and cflags in --libs
(bnc#378270)
-------------------------------------------------------------------
Fri Mar 14 11:27:55 CET 2008 - mc@suse.de
- fix two security bugs:
* MITKRB5-SA-2008-001(CVE-2008-0062, CVE-2008-0063)
fix double free [bnc#361373]
* MITKRB5-SA-2008-002(CVE-2008-0947, CVE-2008-0948)
Memory corruption while too many open file descriptors
[bnc#363151]
- change default config file. Comment out the examples.
-------------------------------------------------------------------
Fri Dec 14 10:48:52 CET 2007 - mc@suse.de
- fix several security bugs:
* CVE-2007-5894 apparent uninit length
* CVE-2007-5902 integer overflow
* CVE-2007-5971 free of non-heap pointer and double-free
* CVE-2007-5972 double fclose()
[#346745, #346748, #346746, #346749, #346747]
-------------------------------------------------------------------
Tue Dec 4 16:36:07 CET 2007 - mc@suse.de
- improve GSSAPI error messages
-------------------------------------------------------------------
Tue Nov 6 13:53:17 CET 2007 - mc@suse.de
- add coreutils to PreReq
-------------------------------------------------------------------
Tue Oct 23 10:24:25 CEST 2007 - mc@suse.de
- update to krb5 version 1.6.3
* fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
* fix CVE-2007-4000 modify_policy vulnerability
* Add PKINIT support
- remove patches which are upstream now
- enhance init scripts and xinetd profiles
-------------------------------------------------------------------
Fri Sep 14 12:08:55 CEST 2007 - mc@suse.de
- update krb5-1.6.2-post.dif
* If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that
that the client library will not failover to the next KDC.
[#310540]
-------------------------------------------------------------------
Tue Sep 11 15:09:14 CEST 2007 - mc@suse.de
- update krb5-1.6.2-post.dif
* new -S sname option for kvno
* read_entropy_from_device on partial read will not fill buffer
* Bail out if encoded "ticket" doesn't decode correctly.
* patch for referrals loop
-------------------------------------------------------------------
Thu Sep 6 10:43:39 CEST 2007 - mc@suse.de
- fix a problem with the originally published patch
for MITKRB5-SA-2007-006 - CVE-2007-3999
[#302377]
-------------------------------------------------------------------
Wed Sep 5 12:18:21 CEST 2007 - mc@suse.de
- fix execute arbitrary code
(MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000)
[#302377]
-------------------------------------------------------------------
Tue Aug 7 11:56:41 CEST 2007 - mc@suse.de
- add krb5-1.6.2-post.dif
* during the referrals loop, check to see if the
session key enctype of a returned credential for the final
service is among the enctypes explicitly selected by the
application, and retry with old_use_conf_ktypes if it is not.
* If mkstemp() is available, the new ccache file gets created but
the subsequent open(O_CREAT|O_EXCL) call fails because the file
was already created by mkstemp(). Apply patch from Apple to keep
the file descriptor open.
-------------------------------------------------------------------
Thu Jul 12 17:01:28 CEST 2007 - mc@suse.de
- update to version 1.6.2
- remove krb5-1.6.1-post.dif all fixes are included in this release
-------------------------------------------------------------------
Thu Jul 5 18:10:28 CEST 2007 - mc@suse.de
- change requires to libcom_err-devel
-------------------------------------------------------------------
Mon Jul 2 11:26:47 CEST 2007 - mc@suse.de
- update krb5-1.6.1-post.dif
* fix leak in krb5_walk_realm_tree
* rd_req_decoded needs to deal with referral realms
* fix buffer overflow in kadmind
(MITKRB5-SA-2007-005 - CVE-2007-2798)
[#278689]
* fix kadmind code execution bug
(MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443)
[#271191]
-------------------------------------------------------------------
Thu Jun 14 17:44:12 CEST 2007 - mc@suse.de
- fix unstripped-binary-or-object rpmlint warning
-------------------------------------------------------------------
Mon Jun 11 18:04:23 CEST 2007 - sschober@suse.de
- fixing rpmlint warnings and errors:
* merged logrotate scripts kadmin and krb5kdc into a single file
krb5-server.
* moved heimdal2mit-DumpConvert.pl and simple_convert_krb5conf.pl
from /usr/share/doc/packages/krb5 to /usr/lib/mit/helper.
adapted krb5.spec and README.ConvertHeimdalMIT accordingly.
* added surpression filter for
"devel-file-in-non-devel-package /usr/lib/libgssapi_krb5.so"
(see [#147912]).
* set default runlevel of init scripts in chkconfig line to 3 and
5
-------------------------------------------------------------------
Wed May 9 15:30:53 CEST 2007 - mc@suse.de
- fix uninitialized salt length
- add extra check for keytab file
-------------------------------------------------------------------
Thu May 3 12:11:29 CEST 2007 - mc@suse.de
- adding krb5-1.6.1-post.dif
* fix segfault in krb5_get_init_creds_password
* remove debug output in ftp client
* profile stores empty string values without double quotes
-------------------------------------------------------------------
Mon Apr 23 11:15:10 CEST 2007 - mc@suse.de
- update to final 1.6.1 version
-------------------------------------------------------------------
Wed Apr 18 14:48:03 CEST 2007 - mc@suse.de
- add plugin directories to main package
-------------------------------------------------------------------
Mon Apr 16 14:38:08 CEST 2007 - mc@suse.de
- update to version 1.6.1 Beta1
- remove obsolete patches
(krb5-1.6-post.dif, krb5-1.6-patchlevel.dif)
- rework compile_pie patch
-------------------------------------------------------------------
Wed Apr 11 10:58:09 CEST 2007 - mc@suse.de
- update krb5-1.6-post.dif
* fix kadmind stack overflow in krb5_klog_syslog
(MITKRB5-SA-2007-002 - CVE-2007-0957)
[#253548]
* fix double free attack in the RPC library
(MITKRB5-SA-2007-003 - CVE-2007-1216)
[#252487]
* fix krb5 telnetd login injection
(MIT-SA-2007-001 - CVE-2007-0956)
#247765
-------------------------------------------------------------------
Thu Mar 29 12:41:57 CEST 2007 - mc@suse.de
- add ncurses-devel and bison to BuildRequires
- rework some patches
-------------------------------------------------------------------
Mon Mar 5 11:01:20 CET 2007 - mc@suse.de
- move SuSEFirewall service definitions to
/etc/sysconfig/SuSEfirewall2.d/services
-------------------------------------------------------------------
Thu Feb 22 11:13:48 CET 2007 - mc@suse.de
- add firewall definition to krb5-server, FATE #300687
-------------------------------------------------------------------
Mon Feb 19 13:59:43 CET 2007 - mc@suse.de
- update krb5-1.6-post.dif
- move some applications into the right package
-------------------------------------------------------------------
Fri Feb 9 13:31:22 CET 2007 - mc@suse.de
- update krb5-1.6-post.dif
-------------------------------------------------------------------
Mon Jan 29 11:27:23 CET 2007 - mc@suse.de
- krb5-1.6-fix-passwd-tcp.dif and krb5-1.6-fix-sendto_kdc-memset.dif
are now upstream. Remove patches.
- fix leak in krb5_kt_resolve and krb5_kt_wresolve
-------------------------------------------------------------------
Tue Jan 23 17:21:12 CET 2007 - mc@suse.de
- fix "local variable used before set" in ftp.c
[#237684]
-------------------------------------------------------------------
Mon Jan 22 16:39:27 CET 2007 - mc@suse.de
- krb5-devel should require keyutils-devel
-------------------------------------------------------------------
Mon Jan 22 12:19:49 CET 2007 - mc@suse.de
- update to version 1.6
* Major changes in 1.6 include
* Partial client implementation to handle server name referrals.
* Pre-authentication plug-in framework, donated by Red Hat.
* LDAP KDB plug-in, donated by Novell.
- remove obsolete patches
-------------------------------------------------------------------
Wed Jan 10 11:16:30 CET 2007 - mc@suse.de
- fix for
kadmind (via RPC library) calls uninitialized function pointer
(CVE-2006-6143)(Bug #225990)
krb5-1.5-MITKRB5-SA-2006-002-fix-code-exec.dif
- fix for
kadmind (via GSS-API mechglue) frees uninitialized pointers
(CVE-2006-6144)(Bug #225992)
krb5-1.5-MITKRB5-SA-2006-003-fix-free-of-uninitialized-pointer.dif
-------------------------------------------------------------------
Tue Jan 2 14:53:33 CET 2007 - mc@suse.de
- Fix Requires in krb5-devel
[Bug #231008]
-------------------------------------------------------------------
Mon Nov 6 11:49:39 CET 2006 - mc@suse.de
- fix "local variable used before set" [#217692]
- fix strncat warning
-------------------------------------------------------------------
Fri Oct 27 17:34:30 CEST 2006 - mc@suse.de
- add a default kadm5.dict file
- require $network on daemon start
-------------------------------------------------------------------
Wed Sep 13 10:39:41 CEST 2006 - mc@suse.de
- fix function call with too few arguments [#203837]
-------------------------------------------------------------------
Thu Aug 24 12:52:25 CEST 2006 - mc@suse.de
- update to version 1.5.1
- remove obsolete patches which are now included upstream
* krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif
* trunk-fix-uninitialized-vars.dif
-------------------------------------------------------------------
Fri Aug 11 14:29:27 CEST 2006 - mc@suse.de
- krb5 setuid return check fixes
krb5-1.4.3-MITKRB5-SA-2006-001-setuid-return-checks.dif
[#182351]
-------------------------------------------------------------------
Mon Aug 7 15:54:26 CEST 2006 - mc@suse.de
- remove update-messages
-------------------------------------------------------------------
Mon Jul 24 15:45:14 CEST 2006 - mc@suse.de
- add check for krb5_prop in services to kpropd init script.
[#192446]
-------------------------------------------------------------------
Mon Jul 3 14:59:35 CEST 2006 - mc@suse.de
- update to version 1.5
* KDB abstraction layer, donated by Novell.
* plug-in architecture, allowing for extension modules to be
loaded at run-time.
* multi-mechanism GSS-API implementation ("mechglue"),
donated by Sun Microsystems
* Simple and Protected GSS-API negotiation mechanism ("SPNEGO")
implementation, donated by Sun Microsystems
- remove obsolete patches and add some new
-------------------------------------------------------------------
Fri May 26 14:50:00 CEST 2006 - ro@suse.de
- libcom is not in e2fsck-devel but in its own package now, change
Requires accordingly.
-------------------------------------------------------------------
Mon Mar 27 14:10:02 CEST 2006 - mc@suse.de
- add all daemons to %stop_on_removal and %restart_on_update
- add reload to kpropd init script
- add force-reload to all init scripts
-------------------------------------------------------------------
Mon Mar 13 18:20:36 CET 2006 - mc@suse.de
- add libgssapi_krb5.so link to main package [#147912]
-------------------------------------------------------------------
Fri Feb 3 18:17:01 CET 2006 - mc@suse.de
- fix logging section for kadmind in convert script
-------------------------------------------------------------------
Wed Jan 25 21:30:24 CET 2006 - mls@suse.de
- converted neededforbuild to BuildRequires
-------------------------------------------------------------------
Fri Jan 13 14:44:24 CET 2006 - mc@suse.de
- change the logging defaults
-------------------------------------------------------------------
Wed Jan 11 12:59:08 CET 2006 - mc@suse.de
- add tools and README for heimdal => MIT update
-------------------------------------------------------------------
Mon Jan 9 14:41:07 CET 2006 - mc@suse.de
- fix build problems, define _GNU_SOURCE
(krb5-1.4.3-set_gnu_source.dif )
-------------------------------------------------------------------
Tue Jan 3 16:00:13 CET 2006 - mc@suse.de
- added "make %{?jobs:-j%jobs}"
-------------------------------------------------------------------
Fri Nov 18 12:12:01 CET 2005 - mc@suse.de
- update to version 1.4.3
* some memmory leaks fixed
* fix for "AS_REP padata has wrong enctype"
* fix for "AS_REP padata missing PA-ETYPE-INFO"
* ... and more
-------------------------------------------------------------------
Wed Nov 2 21:23:32 CET 2005 - dmueller@suse.de
- don't build as root
-------------------------------------------------------------------
Tue Oct 11 17:39:23 CEST 2005 - mc@suse.de
- update to version 1.4.2
- remove some obsolet patches
-------------------------------------------------------------------
Mon Aug 8 16:07:51 CEST 2005 - mc@suse.de
- build with --disable-static
-------------------------------------------------------------------
Thu Aug 4 16:47:43 CEST 2005 - ro@suse.de
- remove devel-static subpackage
-------------------------------------------------------------------
Thu Jun 30 10:12:30 CEST 2005 - mc@suse.de
- better patch for princ_comp problem
-------------------------------------------------------------------
Mon Jun 27 13:34:50 CEST 2005 - mc@suse.de
- update to version 1.4.1
- remove obsolet patches
- krb5-1.4-gcc4.dif
- krb5-1.4-reduce-namespace-polution.dif
- krb5-1.4-VUL-0-telnet.dif
-------------------------------------------------------------------
Thu Jun 23 10:12:54 CEST 2005 - mc@suse.de
- fixed krb5 KDC heap corruption by random free
[#80574, CAN-2005-1174, MITKRB5-SA-2005-002]
- fixed krb5 double free()
[#86768, CAN-2005-1689, MITKRB5-SA-2005-003]
- fix krb5 NULL pointer reference while comparing principals
[#91600]
-------------------------------------------------------------------
Fri Jun 17 17:18:19 CEST 2005 - mc@suse.de
- fix uninitialized variables
- compile with -fPIE/ link with -pie
-------------------------------------------------------------------
Wed Apr 20 15:36:16 CEST 2005 - mc@suse.de
- fixed wrong xinetd files [#77149]
-------------------------------------------------------------------
Fri Apr 8 04:55:55 CEST 2005 - mt@suse.de
- removed krb5-1.4-fix-error_tables.dif patch obsoleted
by libcom_err locking patches
-------------------------------------------------------------------
Thu Apr 7 13:49:37 CEST 2005 - mc@suse.de
- fixed missing descriptions in init files
[#76164, #76165, #76166, #76169]
-------------------------------------------------------------------
Wed Mar 30 18:11:38 CEST 2005 - mc@suse.de
- enhance $PATH via /etc/profile.d/ [#74018]
- remove the "links to important programs"
-------------------------------------------------------------------
Fri Mar 18 11:09:43 CET 2005 - mc@suse.de
- fixed not running converter script [#72854]
-------------------------------------------------------------------
Thu Mar 17 14:15:17 CET 2005 - mc@suse.de
- Fix CAN-2005-0469: Multiple Telnet Client slc_add_reply() Buffer
Overflow
- Fix CAN-2005-0468: Multiple Telnet Client env_opt_add() Buffer
Overflow
[#73618]
-------------------------------------------------------------------
Wed Mar 16 13:10:18 CET 2005 - mc@suse.de
- fixed wrong PreReqs [#73020]
-------------------------------------------------------------------
Tue Mar 15 19:54:58 CET 2005 - mc@suse.de
- add a simple krb5.conf converter [#72854]
-------------------------------------------------------------------
Mon Mar 14 17:08:59 CET 2005 - mc@suse.de
- fixed: rckrb5kdc restart gives wrong status with non-running service
[#72446]
-------------------------------------------------------------------
Thu Mar 10 10:48:07 CET 2005 - mc@suse.de
- add requires: e2fsprogs-devel to krb5-devel package [#71732]
-------------------------------------------------------------------
Fri Feb 25 17:35:37 CET 2005 - mc@suse.de
- fix double free [#66534]
krb5-1.4-fix-error_tables.dif
-------------------------------------------------------------------
Fri Feb 11 14:01:32 CET 2005 - mc@suse.de
- change mode for shared libraries to 755
-------------------------------------------------------------------
Fri Feb 4 16:48:16 CET 2005 - mc@suse.de
- remove spx.c from tarball because of legal risk
- add README.Source which tell the user about this
action.
- add a check for spx.c in the spec-file
- use rich-text for update-messages [#50250]
-------------------------------------------------------------------
Tue Feb 1 12:13:45 CET 2005 - mc@suse.de
- add krb5-1.4-reduce-namespace-polution.dif
reduce namespace polution in gssapi.h [#50356]
-------------------------------------------------------------------
Fri Jan 28 13:25:42 CET 2005 - mc@suse.de
- update to version 1.4
- Add implementation of the RPCSEC_GSS authentication flavor to the
RPC library.
- Thread safety for krb5 libraries.
- Merged Athena telnetd changes for creating a new option for
requiring encryption.
- The kadmind4 backwards-compatibility admin server and the v5passwdd
backwards-compatibility password-changing server have been removed.
- Yarrow code now uses AES.
- Merged Athena changes to allow ftpd to require encrypted passwords.
- Incorporate gss_krb5_set_allowable_enctypes() and
gss_krb5_export_lucid_sec_context(), which are needed for NFSv4.
- remove obsolet patches
-------------------------------------------------------------------
Mon Jan 17 11:34:52 CET 2005 - mc@suse.de
- add proofreaded update-messages
-------------------------------------------------------------------
Fri Jan 14 14:38:25 CET 2005 - mc@suse.de
- remove Conflicts: and add Provides:
- add some insserv stuff
-------------------------------------------------------------------
Thu Jan 13 11:54:01 CET 2005 - mc@suse.de
- move vendor files to vendor-files.tar.bz2
- add obsoletes: heimdal
- add %pre and %post sections to detect update
from heimdal and backup invalid configuration files
- add update-messages for heimdal update
-------------------------------------------------------------------
Mon Jan 10 12:18:02 CET 2005 - mc@suse.de
- update to version 1.3.6
- fix for: heap buffer overflow in libkadm5srv
[CAN-2004-1189 / MITKRB5-SA-2004-004]
-------------------------------------------------------------------
Tue Dec 14 15:30:23 CET 2004 - mc@suse.de
- build doc subpackage in an own specfile
- removed unnecessary neededforbuild requirements
-------------------------------------------------------------------
Wed Nov 24 13:37:53 CET 2004 - coolo@suse.de
- fix build with gcc 4
-------------------------------------------------------------------
Mon Nov 15 17:25:56 CET 2004 - mc@suse.de
- added Conflicts with heimdal*
- rename some manpages to avoid conflicts
-------------------------------------------------------------------
Thu Nov 4 18:03:11 CET 2004 - mc@suse.de
- new init scripts
- fix logrotate scripts
- add some 64Bit fixes
- add default krb5.conf, kdc.conf and kadm5.acl
-------------------------------------------------------------------
Wed Nov 3 18:52:07 CET 2004 - mc@suse.de
- add e2fsprogs to NFB
- use system-et and system-ss
- fix includes of com_err.h
-------------------------------------------------------------------
Thu Oct 28 17:58:41 CEST 2004 - mc@suse.de
- Initital checkin

686
krb5-mini.spec Normal file
View File

@ -0,0 +1,686 @@
#
# spec file for package krb5-mini (Version 1.7)
#
# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# norootforbuild
%define build_mini 1
%define srcRoot krb5-1.7
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
Name: krb5-mini
License: MIT License (or similar)
Url: http://web.mit.edu/kerberos/www/
BuildRequires: bison libcom_err-devel ncurses-devel
BuildRequires: keyutils keyutils-devel
Version: 1.7
Release: 4
%if ! 0%{?build_mini}
BuildRequires: libopenssl-devel openldap2-devel
# bug437293
%ifarch ppc64
Obsoletes: krb5-64bit
%endif
#
Summary: MIT Kerberos5 Implementation--Libraries
Group: Productivity/Networking/Security
%else
Summary: MIT Kerberos5 Implementation--Libraries
Group: Productivity/Networking/Security
%endif
Source: krb5-1.7.tar.bz2
Source1: vendor-files.tar.bz2
Source2: README.Source
Source3: spx.c
Source5: krb5-%{version}-rpmlintrc
Source10: krb5-1.7-manpaths.txt
Patch2: krb5-1.6.1-compile_pie.dif
Patch20: krb5-1.6.3-kprop-use-mkstemp.dif
Patch21: krb5-1.5.1-fix-var-used-before-value-set.dif
Patch22: krb5-1.5.1-fix-ftp-var-used-uninitialized.dif
Patch30: krb5-1.7-manpaths.dif
Patch32: krb5-1.4.3-enospc.dif
Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch41: krb5-1.6.3-kpasswd_tcp.patch
Patch44: krb5-1.6.3-ktutil-manpage.dif
Patch46: krb5-1.6.3-fix-ipv6-query.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
%description
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of clear text passwords.
Authors:
--------
The MIT Kerberos Team
Sam Hartman <hartmans@mit.edu>
Ken Raeburn <raeburn@mit.edu>
Tom Yu <tlyu@mit.edu>
%if ! %{build_mini}
%package client
License: MIT License (or similar)
Summary: MIT Kerberos5 implementation - client programs
Group: Productivity/Networking/Security
%description client
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes some required
client programs, like kinit, kadmin, ...
Authors:
--------
The MIT Kerberos Team
Sam Hartman <hartmans@mit.edu>
Ken Raeburn <raeburn@mit.edu>
Tom Yu <tlyu@mit.edu>
%package server
License: MIT License (or similar)
Summary: MIT Kerberos5 implementation - server
Group: Productivity/Networking/Security
Requires: perl-Date-Calc
Requires: logrotate cron
PreReq: %insserv_prereq %fillup_prereq
%description server
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes the kdc, kadmind
and more.
Authors:
--------
The MIT Kerberos Team
Sam Hartman <hartmans@mit.edu>
Ken Raeburn <raeburn@mit.edu>
Tom Yu <tlyu@mit.edu>
%package apps-servers
License: MIT License (or similar)
Summary: MIT Kerberos5 server applications
Group: Productivity/Networking/Security
%description apps-servers
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes some kerberos
compatible server applications like ftpd, klogind, telnetd, ...
Authors:
--------
The MIT Kerberos Team
Sam Hartman <hartmans@mit.edu>
Ken Raeburn <raeburn@mit.edu>
Tom Yu <tlyu@mit.edu>
%package apps-clients
License: MIT License (or similar)
Summary: MIT Kerberos5 client applications
Group: Productivity/Networking/Security
%description apps-clients
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes some kerberos
compatible client applications like ftp, rpc, rlogin, telnet, ...
Authors:
--------
The MIT Kerberos Team
Sam Hartman <hartmans@mit.edu>
Ken Raeburn <raeburn@mit.edu>
Tom Yu <tlyu@mit.edu>
%package plugin-kdb-ldap
License: MIT License (or similar)
Summary: MIT Kerberos5 Implementation--LDAP Database Plugin
Group: Productivity/Networking/Security
Requires: krb5-server = %{version}
%description plugin-kdb-ldap
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of clear text passwords. This package contains the LDAP
database plugin.
Authors:
--------
The MIT Kerberos Team
Sam Hartman <hartmans@mit.edu>
Ken Raeburn <raeburn@mit.edu>
Tom Yu <tlyu@mit.edu>
%package plugin-preauth-pkinit
License: MIT License (or similar)
Summary: MIT Kerberos5 Implementation--PKINIT preauth Plugin
Group: Productivity/Networking/Security
%description plugin-preauth-pkinit
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes a PKINIT plugin.
Authors:
--------
The MIT Kerberos Team
Sam Hartman <hartmans@mit.edu>
Ken Raeburn <raeburn@mit.edu>
Tom Yu <tlyu@mit.edu>
%endif #! build_mini
%package devel
License: MIT License (or similar)
Summary: MIT Kerberos5 - Include Files and Libraries
Group: Development/Libraries/C and C++
PreReq: %{name} = %{version}
Requires: libcom_err-devel
Requires: keyutils-devel
# bug437293
%ifarch ppc64
Obsoletes: krb5-devel-64bit
%endif
%if %{build_mini}
Provides: krb5-devel = %{version}
%endif
#
%description devel
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes Libraries and
Include Files for Development
Authors:
--------
The MIT Kerberos Team
Sam Hartman <hartmans@mit.edu>
Ken Raeburn <raeburn@mit.edu>
Tom Yu <tlyu@mit.edu>
%prep
%setup -q -n %{srcRoot}
%setup -a 1 -T -D -n %{srcRoot}
if [ -e %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c ]
then
echo "spx.c contains potential legal risks."
exit 1;
else
cp %{SOURCE3} %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c
fi
%patch2
%patch20
%patch21
%patch22
%patch30 -p1
%patch32 -p1
%patch34 -p1
%patch41
%patch44 -p1
%patch46 -p1
# Rename the man pages so that they'll get generated correctly.
pushd src
cat %{SOURCE10} | while read manpage ; do
mv "$manpage" "$manpage".in
done
popd
%build
cd src
%{?suse_update_config:%{suse_update_config -f}}
./util/reconf
CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -fno-strict-aliasing -D_GNU_SOURCE -fPIC " \
./configure \
--prefix=/usr/lib/mit \
--sysconfdir=%{_sysconfdir} \
--mandir=%{_mandir} \
--infodir=%{_infodir} \
--libexecdir=/usr/lib/mit/sbin \
--libdir=%{_libdir} \
--includedir=%{_includedir} \
--localstatedir=%{_localstatedir}/lib/kerberos \
--enable-shared \
--disable-static \
--enable-kdc-replay-cache \
--enable-dns-for-realm \
--disable-rpath \
%if ! %{build_mini}
--with-ldap \
%else
--disable-pkinit \
%endif
--with-system-et \
--with-system-ss
make %{?jobs:-j%jobs}
%install
cd src
make DESTDIR=%{buildroot} install
cd ..
# Munge the krb5-config script to remove rpaths and CFLAGS.
sed "s|^CC_LINK=.*|CC_LINK='\$(CC) \$(PROG_LIBPATH)'|g" src/krb5-config > $RPM_BUILD_ROOT/usr/lib/mit/bin/krb5-config
# install sample config files
# I'll probably do something about this later on
mkdir -p %{buildroot}%{_sysconfdir} %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc
mkdir -p %{buildroot}%{_sysconfdir}
mkdir -p %{buildroot}/etc/profile.d/
mkdir -p %{buildroot}/var/log/krb5
mkdir -p %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/
# create plugin directories
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/libkrb5
install -m 644 %{vendorFiles}/krb5.conf %{buildroot}%{_sysconfdir}
install -m 600 %{vendorFiles}/kdc.conf %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.acl %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
install -m 600 %{vendorFiles}/kadm5.dict %{buildroot}%{_localstatedir}/lib/kerberos/krb5kdc/
install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.csh
install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh
install -m 644 %{vendorFiles}/SuSEFirewall.kdc %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc
install -m 644 %{vendorFiles}/SuSEFirewall.kadmind %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind
for n in ftpd.8 telnetd.8; do
mv %{buildroot}%{_mandir}/man8/${n} %{buildroot}%{_mandir}/man8/k${n}
done
for n in ftp.1 rlogin.1 rcp.1 rsh.1 telnet.1; do
mv %{buildroot}%{_mandir}/man1/${n} %{buildroot}%{_mandir}/man1/k${n}
done
# all libs must have permissions 0755
for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
do
chmod 0755 ${lib}
done
# and binaries too
chmod 0755 %{buildroot}/usr/lib/mit/bin/ksu
# install init scripts
mkdir -p %{buildroot}%{_sysconfdir}/init.d
install -m 755 %{vendorFiles}/kadmind.init %{buildroot}%{_sysconfdir}/init.d/kadmind
install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb5kdc
install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd
# install xinetd files
mkdir -p %{buildroot}%{_sysconfdir}/xinetd.d
install -m 644 %{vendorFiles}/klogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/klogin
install -m 644 %{vendorFiles}/eklogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/eklogin
install -m 644 %{vendorFiles}/krb5-telnet.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/ktelnet
install -m 644 %{vendorFiles}/kshell.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/kshell
# install logrotate files
mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server
find . -type f -name '*.ps' -exec gzip -9 {} \;
# create rc* links
mkdir -p %{buildroot}/usr/bin/
ln -sf ../../etc/init.d/kadmind %{buildroot}/usr/bin/rckadmind
ln -sf ../../etc/init.d/krb5kdc %{buildroot}/usr/bin/rckrb5kdc
ln -sf ../../etc/init.d/kpropd %{buildroot}/usr/bin/rckpropd
# create links for kinit and klist, because of the java ones
ln -sf ../../usr/lib/mit/bin/kinit %{buildroot}/usr/bin/kinit
ln -sf ../../usr/lib/mit/bin/klist %{buildroot}/usr/bin/klist
# install doc
install -d -m 755 %{buildroot}/%{krb5docdir}
install -m 644 %{_builddir}/%{srcRoot}/README %{buildroot}/%{krb5docdir}/README
%if ! %{build_mini}
install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema %{buildroot}/%{krb5docdir}/kerberos.schema
install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif %{buildroot}/%{krb5docdir}/kerberos.ldif
%endif
# cleanup
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
rm -f /usr/share/man/man1/tmac.doc*
rm -rf /usr/lib/mit/share
rm -rf %{buildroot}/usr/lib/mit/share
#####################################################
# krb5-mini-devel pre/post/postun
#####################################################
%if %{build_mini}
%preun
%stop_on_removal krb5kdc kadmind kpropd
%postun
/sbin/ldconfig
%restart_on_update krb5kdc kadmind kpropd
%{insserv_cleanup}
%post -p /sbin/ldconfig
%else
#####################################################
# krb5 pre/post/postun
#####################################################
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
%preun server
#####################################################
# krb5-server preun/postun
#####################################################
%stop_on_removal krb5kdc kadmind kpropd
%postun server
%restart_on_update krb5kdc kadmind kpropd
%{insserv_cleanup}
#####################################################
# krb5-plugin-kdb-ldap post/postun
#####################################################
%post plugin-kdb-ldap -p /sbin/ldconfig
%postun plugin-kdb-ldap -p /sbin/ldconfig
%endif
%clean
rm -rf %{buildroot}
########################################################
# files sections
########################################################
%files devel
%defattr(-,root,root)
%dir /usr/lib/mit
%dir /usr/lib/mit/bin
%dir /usr/lib/mit/sbin
%{_libdir}/libgssrpc.so
%{_libdir}/libk5crypto.so
%{_libdir}/libkadm5clnt.so
%{_libdir}/libkadm5srv.so
%{_libdir}/libkdb5.so
%{_libdir}/libkrb5.so
%{_libdir}/libkrb5support.so
%{_includedir}/*
/usr/lib/mit/bin/krb5-config
/usr/lib/mit/sbin/krb5-send-pr
%{_mandir}/man1/krb5-send-pr.1*
%{_mandir}/man1/krb5-config.1*
%if %{build_mini}
%files
%defattr(-,root,root)
%dir %{krb5docdir}
# add directories
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%dir %{_libdir}/krb5/plugins/preauth
%dir %{_libdir}/krb5/plugins/libkrb5
%dir %{_localstatedir}/lib/kerberos/
%dir %{_localstatedir}/lib/kerberos/krb5kdc
%attr(0700,root,root) %dir /var/log/krb5
%dir /usr/lib/mit
%dir /usr/lib/mit/sbin
%dir /usr/lib/mit/bin
%doc %{krb5docdir}/README
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf
%attr(0644,root,root) %config /etc/profile.d/krb5*
%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict
%config(noreplace) %{_sysconfdir}/xinetd.d/klogin
%config(noreplace) %{_sysconfdir}/xinetd.d/eklogin
%config(noreplace) %{_sysconfdir}/xinetd.d/kshell
%config(noreplace) %{_sysconfdir}/xinetd.d/ktelnet
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k*
%{_sysconfdir}/init.d/*
%{_libdir}/libgssapi_krb5.*
%{_libdir}/libgssrpc.so.*
%{_libdir}/libk5crypto.so.*
%{_libdir}/libkadm5clnt.so.*
%{_libdir}/libkadm5srv.so.*
%{_libdir}/libkdb5.so.*
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
%{_libdir}/krb5/plugins/kdb/*
%{_libdir}/krb5/plugins/preauth/*
#/usr/lib/mit/sbin/*
/usr/lib/mit/sbin/kadmin.local
/usr/lib/mit/sbin/kadmind
/usr/lib/mit/sbin/kpropd
/usr/lib/mit/sbin/kproplog
/usr/lib/mit/sbin/kprop
/usr/lib/mit/sbin/kdb5_util
/usr/lib/mit/sbin/krb5kdc
/usr/lib/mit/sbin/ftpd
/usr/lib/mit/sbin/klogind
/usr/lib/mit/sbin/kshd
/usr/lib/mit/sbin/telnetd
/usr/lib/mit/sbin/uuserver
/usr/lib/mit/sbin/sserver
/usr/lib/mit/sbin/gss-server
/usr/lib/mit/sbin/sim_server
/usr/lib/mit/sbin/login.krb5
/usr/lib/mit/bin/k5srvutil
/usr/lib/mit/bin/kvno
/usr/lib/mit/bin/kinit
/usr/lib/mit/bin/kdestroy
/usr/lib/mit/bin/kpasswd
/usr/lib/mit/bin/klist
/usr/lib/mit/bin/kadmin
/usr/lib/mit/bin/ktutil
%attr(0755,root,root) /usr/lib/mit/bin/ksu
/usr/lib/mit/bin/rcp
/usr/lib/mit/bin/rsh
/usr/lib/mit/bin/telnet
/usr/lib/mit/bin/uuclient
/usr/lib/mit/bin/sclient
/usr/lib/mit/bin/gss-client
/usr/lib/mit/bin/sim_client
/usr/lib/mit/bin/ftp
/usr/lib/mit/bin/rlogin
#/usr/lib/mit/bin/*
/usr/bin/kinit
/usr/bin/klist
/usr/bin/rc*
#%{_mandir}/man1/*
%{_mandir}/man1/kvno.1*
%{_mandir}/man1/kinit.1*
%{_mandir}/man1/kdestroy.1*
%{_mandir}/man1/kpasswd.1*
%{_mandir}/man1/klist.1*
%{_mandir}/man1/kerberos.1*
%{_mandir}/man1/kftp.1*
%{_mandir}/man1/krlogin.1*
%{_mandir}/man1/krsh.1*
%{_mandir}/man1/ktelnet.1*
%{_mandir}/man1/ksu.1*
%{_mandir}/man1/krcp.1*
%{_mandir}/man1/sclient.1*
%{_mandir}/man1/kadmin.1*
%{_mandir}/man1/ktutil.1*
%{_mandir}/man1/k5srvutil.1*
%{_mandir}/man5/*
%{_mandir}/man5/.k5login.5.gz
%{_mandir}/man8/*
%else
%files
%defattr(-,root,root)
%dir %{krb5docdir}
# add plugin directories
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%dir %{_libdir}/krb5/plugins/preauth
%dir %{_libdir}/krb5/plugins/libkrb5
# add log directory
%attr(0700,root,root) %dir /var/log/krb5
%doc %{krb5docdir}/README
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/krb5.conf
%attr(0644,root,root) %config /etc/profile.d/krb5*
%{_libdir}/libgssapi_krb5.*
%{_libdir}/libgssrpc.so.*
%{_libdir}/libk5crypto.so.*
%{_libdir}/libkadm5clnt.so.*
%{_libdir}/libkadm5srv.so.*
%{_libdir}/libkdb5.so.*
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
%{_libdir}/krb5/plugins/preauth/encrypted_challenge.so
%files server
%defattr(-,root,root)
%config(noreplace) %{_sysconfdir}/logrotate.d/krb5-server
%{_sysconfdir}/init.d/kadmind
%{_sysconfdir}/init.d/krb5kdc
%{_sysconfdir}/init.d/kpropd
%dir %{krb5docdir}
%dir /usr/lib/mit
%dir /usr/lib/mit/sbin
%dir %{_localstatedir}/lib/kerberos/
%dir %{_localstatedir}/lib/kerberos/krb5kdc
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k*
/usr/bin/rc*
/usr/lib/mit/sbin/kadmin.local
/usr/lib/mit/sbin/kadmind
/usr/lib/mit/sbin/kpropd
/usr/lib/mit/sbin/kproplog
/usr/lib/mit/sbin/kprop
/usr/lib/mit/sbin/kdb5_util
/usr/lib/mit/sbin/krb5kdc
%{_libdir}/krb5/plugins/kdb/db2.so
%{_mandir}/man5/kdc.conf.5*
%{_mandir}/man8/kadmind.8*
%{_mandir}/man8/kadmin.local.8*
%{_mandir}/man8/kpropd.8*
%{_mandir}/man8/kprop.8*
%{_mandir}/man8/kproplog.8.gz
%{_mandir}/man8/kdb5_util.8*
%{_mandir}/man8/krb5kdc.8*
%files client
%defattr(-,root,root)
%dir /usr/lib/mit
%dir /usr/lib/mit/bin
%dir /usr/lib/mit/sbin
/usr/lib/mit/bin/kvno
/usr/lib/mit/bin/kinit
/usr/lib/mit/bin/kdestroy
/usr/lib/mit/bin/kpasswd
/usr/lib/mit/bin/klist
/usr/lib/mit/bin/kadmin
/usr/lib/mit/bin/ktutil
/usr/lib/mit/bin/k5srvutil
/usr/bin/kinit
/usr/bin/klist
%{_mandir}/man1/kvno.1*
%{_mandir}/man1/kinit.1*
%{_mandir}/man1/kdestroy.1*
%{_mandir}/man1/kpasswd.1*
%{_mandir}/man1/klist.1*
%{_mandir}/man1/kerberos.1*
%{_mandir}/man1/kadmin.1*
%{_mandir}/man1/ktutil.1*
%{_mandir}/man1/k5srvutil.1*
%{_mandir}/man5/krb5.conf.5*
%{_mandir}/man5/.k5login.5*
%files apps-servers
%defattr(-,root,root)
%config(noreplace) %{_sysconfdir}/xinetd.d/klogin
%config(noreplace) %{_sysconfdir}/xinetd.d/eklogin
%config(noreplace) %{_sysconfdir}/xinetd.d/kshell
%config(noreplace) %{_sysconfdir}/xinetd.d/ktelnet
%dir /usr/lib/mit
%dir /usr/lib/mit/sbin
/usr/lib/mit/sbin/ftpd
/usr/lib/mit/sbin/klogind
/usr/lib/mit/sbin/kshd
/usr/lib/mit/sbin/telnetd
/usr/lib/mit/sbin/uuserver
/usr/lib/mit/sbin/sserver
/usr/lib/mit/sbin/gss-server
/usr/lib/mit/sbin/sim_server
/usr/lib/mit/sbin/login.krb5
%{_mandir}/man8/kftpd.8*
%{_mandir}/man8/klogind.8*
%{_mandir}/man8/kshd.8*
%{_mandir}/man8/ktelnetd.8*
%{_mandir}/man8/sserver.8*
%{_mandir}/man8/login.krb5.8*
%files apps-clients
%defattr(-,root,root)
%dir /usr/lib/mit
%dir /usr/lib/mit/bin
/usr/lib/mit/bin/ftp
/usr/lib/mit/bin/rlogin
# removed SUID bit, we will rely on su + pam_krb
%attr(0755,root,root) /usr/lib/mit/bin/ksu
/usr/lib/mit/bin/rcp
/usr/lib/mit/bin/rsh
/usr/lib/mit/bin/telnet
/usr/lib/mit/bin/uuclient
/usr/lib/mit/bin/sclient
/usr/lib/mit/bin/gss-client
/usr/lib/mit/bin/sim_client
%{_mandir}/man1/kftp.1*
%{_mandir}/man1/krlogin.1*
%{_mandir}/man1/krsh.1*
%{_mandir}/man1/ktelnet.1*
%{_mandir}/man1/ksu.1*
%{_mandir}/man1/krcp.1*
%{_mandir}/man1/sclient.1*
%files plugin-kdb-ldap
%defattr(-,root,root)
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%dir /usr/lib/mit/sbin/
%dir %{krb5docdir}
%doc %{krb5docdir}/kerberos.schema
%doc %{krb5docdir}/kerberos.ldif
%{_libdir}/krb5/plugins/kdb/kldap.so
/usr/lib/mit/sbin/kdb5_ldap_util
%{_libdir}/libkdb_ldap*
%{_mandir}/man8/kdb5_ldap_util.8*
%files plugin-preauth-pkinit
%defattr(-,root,root)
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/preauth
%{_libdir}/krb5/plugins/preauth/pkinit.so
%endif #build_mini
%changelog

2
krb5-plugins-1.6.3-rpmlintrc
View File

@ -1,2 +0,0 @@
addFilter("devel-file-in-non-devel-package .*libkdb_ldap.so")
addFilter("shlib-policy-missing-suffix")

177
krb5-plugins.changes
View File

@ -1,177 +0,0 @@
-------------------------------------------------------------------
Fri Jul 25 12:17:44 CEST 2008 - mc@suse.de
- add patches from SVN post 1.6.3
* krb5_string_to_keysalts: Fix an infinite loop
* fix some mutex issues
* better recovery from corrupt rcache files
* some more small fixes
-------------------------------------------------------------------
Wed Jun 18 15:33:18 CEST 2008 - mc@suse.de
- reduce rpmlint warnings
-------------------------------------------------------------------
Tue Dec 4 16:36:43 CET 2007 - mc@suse.de
- improve GSSAPI error messages
-------------------------------------------------------------------
Tue Oct 23 10:29:14 CEST 2007 - mc@suse.de
- update to krb5 version 1.6.3
* fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
* fix CVE-2007-4000 modify_policy vulnerability
* Add PKINIT support
- remove patches which are upstream now
- enhance init scripts and xinetd profiles
-------------------------------------------------------------------
Fri Sep 14 12:10:01 CEST 2007 - mc@suse.de
- update krb5-1.6.2-post.dif
* If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that
that the client library will not failover to the next KDC.
[#310540]
-------------------------------------------------------------------
Tue Sep 11 15:11:34 CEST 2007 - mc@suse.de
- update krb5-1.6.2-post.dif
* new -S sname option for kvno
* read_entropy_from_device on partial read will not fill buffer
* Bail out if encoded "ticket" doesn't decode correctly.
* patch for referrals loop
-------------------------------------------------------------------
Thu Sep 6 10:43:50 CEST 2007 - mc@suse.de
- fix a problem with the originally published patch
for MITKRB5-SA-2007-006 - CVE-2007-3999
[#302377]
-------------------------------------------------------------------
Wed Sep 5 12:18:38 CEST 2007 - mc@suse.de
- fix execute arbitrary code
(MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000)
[#302377]
-------------------------------------------------------------------
Tue Aug 7 11:59:05 CEST 2007 - mc@suse.de
- add krb5-1.6.2-post.dif
* during the referrals loop, check to see if the
session key enctype of a returned credential for the final
service is among the enctypes explicitly selected by the
application, and retry with old_use_conf_ktypes if it is not.
* If mkstemp() is available, the new ccache file gets created but
the subsequent open(O_CREAT|O_EXCL) call fails because the file
was already created by mkstemp(). Apply patch from Apple to keep
the file descriptor open.
-------------------------------------------------------------------
Thu Jul 12 17:02:19 CEST 2007 - mc@suse.de
- update to version 1.6.2
- remove krb5-1.6.1-post.dif all fixes are included in this release
-------------------------------------------------------------------
Mon Jul 2 11:39:54 CEST 2007 - mc@suse.de
- update krb5-1.6.1-post.dif
* fix leak in krb5_walk_realm_tree
* rd_req_decoded needs to deal with referral realms
* fix buffer overflow in kadmind
(MITKRB5-SA-2007-005 - CVE-2007-2798)
[#278689]
* fix kadmind code execution bug
(MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443)
[#271191]
-------------------------------------------------------------------
Wed May 9 15:31:08 CEST 2007 - mc@suse.de
- fix uninitialized salt length
- add extra check for keytab file
-------------------------------------------------------------------
Thu May 3 12:13:35 CEST 2007 - mc@suse.de
- adding krb5-1.6.1-post.dif
* fix segfault in krb5_get_init_creds_password
* remove debug output in ftp client
* profile stores empty string values without double quotes
-------------------------------------------------------------------
Mon Apr 23 11:17:04 CEST 2007 - mc@suse.de
- update to final 1.6.1 version
-------------------------------------------------------------------
Mon Apr 16 14:39:58 CEST 2007 - mc@suse.de
- update to version 1.6.1 Beta1
- remove obsolete patches
(krb5-1.6-post.dif, krb5-1.6-patchlevel.dif)
- rework compile_pie patch
-------------------------------------------------------------------
Wed Apr 11 10:59:20 CEST 2007 - mc@suse.de
- update krb5-1.6-post.dif
* fix kadmind stack overflow in krb5_klog_syslog
(MITKRB5-SA-2007-002 - CVE-2007-0957)
[#253548]
* fix double free attack in the RPC library
(MITKRB5-SA-2007-003 - CVE-2007-1216)
[#252487]
* fix krb5 telnetd login injection
(MIT-SA-2007-001 - CVE-2007-0956)
#247765
-------------------------------------------------------------------
Thu Mar 29 12:42:51 CEST 2007 - mc@suse.de
- add ncurses-devel and bison to BuildRequires
- rework some patches
-------------------------------------------------------------------
Mon Feb 19 14:00:34 CET 2007 - mc@suse.de
- update krb5-1.6-post.dif
-------------------------------------------------------------------
Fri Feb 9 13:31:54 CET 2007 - mc@suse.de
- update krb5-1.6-post.dif
-------------------------------------------------------------------
Mon Jan 29 17:47:22 CET 2007 - ro@suse.de
- no main package, no debuginfo
-------------------------------------------------------------------
Mon Jan 29 11:30:35 CET 2007 - mc@suse.de
- krb5-1.6-fix-passwd-tcp.dif and krb5-1.6-fix-sendto_kdc-memset.dif
are now upstream. Remove patches.
- fix leak in krb5_kt_resolve and krb5_kt_wresolve
-------------------------------------------------------------------
Tue Jan 23 17:21:53 CET 2007 - mc@suse.de
- fix "local variable used before set" in ftp.c
[#237684]
- use less BuildRequires
-------------------------------------------------------------------
Mon Jan 22 12:21:41 CET 2007 - mc@suse.de
- initial release (version 1.6)
* Major changes in 1.6 include
* Partial client implementation to handle server name referrals.
* Pre-authentication plug-in framework, donated by Red Hat.
* LDAP KDB plug-in, donated by Novell.

392
krb5-plugins.spec
View File

@ -1,392 +0,0 @@
#
# spec file for package krb5-plugins (Version 1.6.3)
#
# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
# norootforbuild
# nodebuginfo
Name: krb5-plugins
Version: 1.6.3
Release: 16
BuildRequires: bison krb5-devel ncurses-devel openldap2-devel
%define srcRoot krb5-1.6.3
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
Requires: krb5-server
Summary: MIT Kerberos5 Implementation--Libraries
License: X11/MIT
Url: http://web.mit.edu/kerberos/www/
Group: Productivity/Networking/Security
Source: krb5-1.6.3.tar.bz2
Source1: vendor-files.tar.bz2
Source2: README.Source
Source3: spx.c
Source4: EncryptWithMasterKey.c
Source5: %{name}-%{version}-rpmlintrc
Source10: krb5-trunk-manpaths.txt
Patch1: krb5-1.5.1-fix-too-few-arguments.dif
Patch2: krb5-1.6.1-compile_pie.dif
Patch3: krb5-1.4-fix-segfault.dif
Patch6: trunk-EncryptWithMasterKey.dif
Patch14: warning-fix-lib-crypto-des.dif
Patch15: warning-fix-lib-crypto-dk.dif
Patch16: warning-fix-lib-crypto.dif
Patch17: warning-fix-lib-crypto-enc_provider.dif
Patch18: warning-fix-lib-crypto-yarrow_arcfour.dif
Patch20: kprop-use-mkstemp.dif
Patch21: krb5-1.5.1-fix-var-used-before-value-set.dif
Patch22: krb5-1.5.1-fix-ftp-var-used-uninitialized.dif
Patch24: krb5-1.5.1-fix-strncat-warning.dif
Patch25: krb5-1.6.1-init-salt-length.dif
Patch30: trunk-manpaths.dif
Patch31: krb5-1.6-ldap-man.dif
Patch32: krb5-1.4.3-enospc.dif
Patch33: krb5-1.3.3-rcp-markus.dif
Patch34: gssapi_improve_errormessages.dif
Patch35: krb5-1.6-fix-CVE-2007-5894.dif
Patch36: krb5-1.6-fix-CVE-2007-5902.dif
Patch37: krb5-1.6-fix-CVE-2007-5971.dif
Patch38: krb5-1.6-fix-CVE-2007-5972.dif
Patch39: krb5-1.6-MITKRB5-SA-2008-001.dif
Patch40: krb5-1.6-MITKRB5-SA-2008-002.dif
Patch41: krb5-trunk-kpasswd_tcp.patch
Patch42: krb5-trunk-seqnum.patch
Patch43: krb5-1.6.3-case-insensitive.dif
Patch44: krb5-1.6.3-ktutil-manpage.dif
Patch45: krb5-1.6.3-post.dif
Patch46: krb5-1.6.3-fix-ipv6-query.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of clear text passwords.
Authors:
--------
The MIT Kerberos Team
Sam Hartman <hartmans@mit.edu>
Ken Raeburn <raeburn@mit.edu>
Tom Yu <tlyu@mit.edu>
%package -n krb5-plugin-kdb-ldap
Requires: krb5-server = %{version}
Summary: MIT Kerberos5 Implementation--LDAP Database Plugin
License: X11/MIT
Url: http://web.mit.edu/kerberos/www/
Group: Productivity/Networking/Security
%description -n krb5-plugin-kdb-ldap
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of clear text passwords. This package contains the LDAP
database plugin.
Authors:
--------
The MIT Kerberos Team
Sam Hartman <hartmans@mit.edu>
Ken Raeburn <raeburn@mit.edu>
Tom Yu <tlyu@mit.edu>
%package -n krb5-plugin-preauth-pkinit
License: X11/MIT
Summary: MIT Kerberos5 Implementation--PKINIT preauth Plugin
Group: Productivity/Networking/Security
Conflicts: krb5-plugin-preauth-pkinit-nss
%description -n krb5-plugin-preauth-pkinit
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes a PKINIT plugin.
Authors:
--------
The MIT Kerberos Team
Sam Hartman <hartmans@mit.edu>
Ken Raeburn <raeburn@mit.edu>
Tom Yu <tlyu@mit.edu>
%prep
%setup -q -n %{srcRoot}
%setup -a 1 -T -D -n %{srcRoot}
if [ -e %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c ]
then
echo "spx.c contains potential legal risks."
exit 1;
else
cp %{_sourcedir}/spx.c %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c
fi
%patch1
%patch2
%patch3
%patch6
%patch14
%patch15
%patch16
%patch17
%patch18
%patch20
%patch21
%patch22
%patch24
%patch25
%patch30 -p1
%patch31
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch35
%patch36
%patch37
%patch38
%patch39 -p1
%patch40
%patch41
%patch42
%patch43
%patch44 -p1
%patch45
%patch46 -p1
cp %{_sourcedir}/EncryptWithMasterKey.c %{_builddir}/%{srcRoot}/src/kadmin/dbutil/EncryptWithMasterKey.c
# Rename the man pages so that they'll get generated correctly.
pushd src
cat $RPM_SOURCE_DIR/krb5-trunk-manpaths.txt | while read manpage ; do
mv "$manpage" "$manpage".in
done
popd
%build
cd src
%{?suse_update_config:%{suse_update_config -f}}
./util/reconf
CFLAGS="$RPM_OPT_FLAGS -I/usr/include/et -I/usr/include -I%{_builddir}/%{srcRoot}/src/lib/ -fno-strict-aliasing -D_GNU_SOURCE -D__CI_PRINC__ -fPIC " \
./configure \
--prefix=/usr/lib/mit \
--sysconfdir=%{_sysconfdir} \
--mandir=%{_mandir} \
--infodir=%{_infodir} \
--libexecdir=/usr/lib/mit/sbin \
--libdir=%{_libdir} \
--includedir=%{_includedir} \
--localstatedir=%{_localstatedir}/lib/kerberos \
--enable-shared \
--disable-static \
--enable-kdc-replay-cache \
--enable-dns-for-realm \
--with-ldap \
--with-system-et \
--with-system-ss
cd util/profile
make install-headers-unix
cd ../../include
make
cd ../lib/kadm5
make includes
cd ../gssapi/generic
make gssapi-include
ln -s %{_libdir}/libgssrpc.so %{_builddir}/%{srcRoot}/src/lib/
ln -s %{_libdir}/libgssapi_krb5.so %{_builddir}/%{srcRoot}/src/lib/
ln -s %{_libdir}/libk5crypto.so %{_builddir}/%{srcRoot}/src/lib/
ln -s %{_libdir}/libkrb5support.so %{_builddir}/%{srcRoot}/src/lib/
ln -s %{_libdir}/libkrb5.so %{_builddir}/%{srcRoot}/src/lib/
ln -s %{_libdir}/libkadm5srv.so %{_builddir}/%{srcRoot}/src/lib/
ln -s %{_libdir}/libkdb5.so %{_builddir}/%{srcRoot}/src/lib/
ln -s %{_libdir}/libkrb4.so %{_builddir}/%{srcRoot}/src/lib/
ln -s %{_libdir}/libdes425.so %{_builddir}/%{srcRoot}/src/lib/
cd ../../../kadmin/cli
make getdate.o
cd ../../plugins/kdb/ldap/
make %{?jobs:-j%jobs}
cd ../../preauth/pkinit/
make %{?jobs:-j%jobs}
#make check
%install
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/kdb
mkdir -p %{buildroot}/%{_libdir}/krb5/plugins/preauth
mkdir -p %{buildroot}/%{krb5docdir}
mkdir -p %{buildroot}/usr/lib/mit/sbin/
mkdir -p %{buildroot}/%{_mandir}/man8/
cd src/plugins/kdb/ldap/
make DESTDIR=%{buildroot} install
cd ../../preauth/pkinit/
make DESTDIR=%{buildroot} install
# all libs must have permissions 0755
for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
do
chmod 0755 ${lib}
done
install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema %{buildroot}/%{krb5docdir}/kerberos.schema
install -m 644 %{_builddir}/%{srcRoot}/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif %{buildroot}/%{krb5docdir}/kerberos.ldif
# cleanup
rm -f %{buildroot}/usr/share/man/man1/tmac.doc*
rm -f /usr/share/man/man1/tmac.doc*
rm -rf /usr/lib/mit/share
rm -rf %{buildroot}/usr/lib/mit/share
#####################################################
# krb5 pre/post/postun
#####################################################
%post -n krb5-plugin-kdb-ldap
/sbin/ldconfig
%postun -n krb5-plugin-kdb-ldap
/sbin/ldconfig
%clean
rm -rf %{buildroot}
########################################################
# files sections
########################################################
%files -n krb5-plugin-kdb-ldap
%defattr(-,root,root)
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
%dir /usr/lib/mit/sbin/
%dir %{krb5docdir}
%doc %{krb5docdir}/kerberos.schema
%doc %{krb5docdir}/kerberos.ldif
%{_libdir}/krb5/plugins/kdb/*.so
/usr/lib/mit/sbin/*
%{_libdir}/libkdb_ldap*
%{_mandir}/man8/*
%files -n krb5-plugin-preauth-pkinit
%defattr(-,root,root)
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/preauth
%{_libdir}/krb5/plugins/preauth/pkinit.so
%changelog
* Fri Jul 25 2008 mc@suse.de
- add patches from SVN post 1.6.3
* krb5_string_to_keysalts: Fix an infinite loop
* fix some mutex issues
* better recovery from corrupt rcache files
* some more small fixes
* Wed Jun 18 2008 mc@suse.de
- reduce rpmlint warnings
* Tue Dec 04 2007 mc@suse.de
- improve GSSAPI error messages
* Tue Oct 23 2007 mc@suse.de
- update to krb5 version 1.6.3
* fix CVE-2007-3999, CVE-2007-4743 svc_auth_gss.c buffer overflow
* fix CVE-2007-4000 modify_policy vulnerability
* Add PKINIT support
- remove patches which are upstream now
- enhance init scripts and xinetd profiles
* Fri Sep 14 2007 mc@suse.de
- update krb5-1.6.2-post.dif
* If a KDC returns KDC_ERR_SVC_UNAVAILABLE, it appears that
that the client library will not failover to the next KDC.
[#310540]
* Tue Sep 11 2007 mc@suse.de
- update krb5-1.6.2-post.dif
* new -S sname option for kvno
* read_entropy_from_device on partial read will not fill buffer
* Bail out if encoded "ticket" doesn't decode correctly.
* patch for referrals loop
* Thu Sep 06 2007 mc@suse.de
- fix a problem with the originally published patch
for MITKRB5-SA-2007-006 - CVE-2007-3999
[#302377]
* Wed Sep 05 2007 mc@suse.de
- fix execute arbitrary code
(MITKRB5-SA-2007-006 - CVE-2007-3999,2007-4000)
[#302377]
* Tue Aug 07 2007 mc@suse.de
- add krb5-1.6.2-post.dif
* during the referrals loop, check to see if the
session key enctype of a returned credential for the final
service is among the enctypes explicitly selected by the
application, and retry with old_use_conf_ktypes if it is not.
* If mkstemp() is available, the new ccache file gets created but
the subsequent open(O_CREAT|O_EXCL) call fails because the file
was already created by mkstemp(). Apply patch from Apple to keep
the file descriptor open.
* Thu Jul 12 2007 mc@suse.de
- update to version 1.6.2
- remove krb5-1.6.1-post.dif all fixes are included in this release
* Mon Jul 02 2007 mc@suse.de
- update krb5-1.6.1-post.dif
* fix leak in krb5_walk_realm_tree
* rd_req_decoded needs to deal with referral realms
* fix buffer overflow in kadmind
(MITKRB5-SA-2007-005 - CVE-2007-2798)
[#278689]
* fix kadmind code execution bug
(MITKRB5-SA-2007-004 - CVE-2007-2442 - CVE-2007-2443)
[#271191]
* Wed May 09 2007 mc@suse.de
- fix uninitialized salt length
- add extra check for keytab file
* Thu May 03 2007 mc@suse.de
- adding krb5-1.6.1-post.dif
* fix segfault in krb5_get_init_creds_password
* remove debug output in ftp client
* profile stores empty string values without double quotes
* Mon Apr 23 2007 mc@suse.de
- update to final 1.6.1 version
* Mon Apr 16 2007 mc@suse.de
- update to version 1.6.1 Beta1
- remove obsolete patches
(krb5-1.6-post.dif, krb5-1.6-patchlevel.dif)
- rework compile_pie patch
* Wed Apr 11 2007 mc@suse.de
- update krb5-1.6-post.dif
* fix kadmind stack overflow in krb5_klog_syslog
(MITKRB5-SA-2007-002 - CVE-2007-0957)
[#253548]
* fix double free attack in the RPC library
(MITKRB5-SA-2007-003 - CVE-2007-1216)
[#252487]
* fix krb5 telnetd login injection
(MIT-SA-2007-001 - CVE-2007-0956)
[#247765]
* Thu Mar 29 2007 mc@suse.de
- add ncurses-devel and bison to BuildRequires
- rework some patches
* Mon Feb 19 2007 mc@suse.de
- update krb5-1.6-post.dif
* Fri Feb 09 2007 mc@suse.de
- update krb5-1.6-post.dif
* Mon Jan 29 2007 ro@suse.de
- no main package, no debuginfo
* Mon Jan 29 2007 mc@suse.de
- krb5-1.6-fix-passwd-tcp.dif and krb5-1.6-fix-sendto_kdc-memset.dif
are now upstream. Remove patches.
- fix leak in krb5_kt_resolve and krb5_kt_wresolve
* Tue Jan 23 2007 mc@suse.de
- fix "local variable used before set" in ftp.c
[#237684]
- use less BuildRequires
* Mon Jan 22 2007 mc@suse.de
- initial release (version 1.6)
* Major changes in 1.6 include
* Partial client implementation to handle server name referrals.
* Pre-authentication plug-in framework, donated by Red Hat.
* LDAP KDB plug-in, donated by Novell.

49
krb5-trunk-seqnum.patch
View File

@ -1,49 +0,0 @@
Every KRB-PRIV message we generate to include as part of a password change
request we create (after the first one) will include sequence numbers which
look "wrong" to the recipient, because previously generating other KRB-PRIV
messages will mess with the counters in the auth_context. Because the
current code attempts to reuse auth_context structures (and changing that
would be more invasive), we'll just save the sequence number values as they
are after we build the AP-REQ, and restore them before generating requests.
RT#5867.
Index: src/lib/krb5/os/changepw.c
===================================================================
--- src/lib/krb5/os/changepw.c (revision 20195)
+++ src/lib/krb5/os/changepw.c (working copy)
@@ -34,6 +34,7 @@
#include "k5-int.h"
#include "os-proto.h"
#include "cm.h"
+#include "../krb/auth_con.h"
#include <stdio.h>
#include <errno.h>
@@ -48,6 +49,7 @@
krb5_principal set_password_for;
char *newpw;
krb5_data ap_req;
+ krb5_ui_4 remote_seq_num, local_seq_num;
};
@@ -159,6 +161,9 @@
&local_kaddr, NULL)))
goto cleanup;
+ ctx->auth_context->remote_seq_number = ctx->remote_seq_num;
+ ctx->auth_context->local_seq_number = ctx->local_seq_num;
+
if (ctx->set_password_for)
code = krb5int_mk_setpw_req(ctx->context,
ctx->auth_context,
@@ -225,6 +230,9 @@
&callback_ctx.ap_req)))
goto cleanup;
+ callback_ctx.remote_seq_num = callback_ctx.auth_context->remote_seq_number;
+ callback_ctx.local_seq_num = callback_ctx.auth_context->local_seq_number;
+
do {
if ((code = krb5_locate_kpasswd(callback_ctx.context,
krb5_princ_realm(callback_ctx.context,

41
krb5.changes
View File

@ -1,3 +1,44 @@
-------------------------------------------------------------------
Wed Jun 3 10:23:42 CEST 2009 - mc@suse.de
- update to final 1.7 release
-------------------------------------------------------------------
Wed May 13 11:30:42 CEST 2009 - mc@suse.de
- update to version 1.7 Beta2
* Incremental propagation support for the KDC database.
* Flexible Authentication Secure Tunneling (FAST), a preauthentiation
framework that can protect the AS exchange from dictionary attack.
* Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which
allows a GSS application to request credential delegation only if
permitted by KDC policy.
* Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 --
various vulnerabilities in SPNEGO and ASN.1 code.
-------------------------------------------------------------------
Mon Feb 16 13:04:26 CET 2009 - mc@suse.de
- update to pre 1.7 version
* Remove support for version 4 of the Kerberos protocol (krb4).
* New libdefaults configuration variable "allow_weak_crypto".
* Client library now follows client principal referrals, for
compatibility with Windows.
* KDC can issue realm referrals for service principals based on domain
names.
* Encryption algorithm negotiation (RFC 4537).
* In the replay cache, use a hash over the complete ciphertext to
avoid false-positive replay indications.
* Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
similar to the equivalent SSPI functionality.
* DCE RPC, including three-leg GSS context setup and unencapsulated
GSS tokens.
* NTLM recognition support in GSS-API, to facilitate dropping in an
NTLM implementation.
* KDC support for principal aliases, if the back end supports them.
* Microsoft set/change password (RFC 3244) protocol in kadmind.
* Master key rollover support.
-------------------------------------------------------------------
Wed Jan 14 09:21:36 CET 2009 - olh@suse.de

865
krb5.spec
View File

File diff suppressed because it is too large Load Diff

5
pre_checkin.sh Normal file
View File

@ -0,0 +1,5 @@
#!/bin/sh
sed -e 's/Name:.*/Name: krb5-mini/g;' \
-e 's/%define.*build_mini.*/%define build_mini 1/g' krb5.spec > krb5-mini.spec
cp krb5.changes krb5-mini.changes

35
trunk-EncryptWithMasterKey.dif
View File

@ -1,35 +0,0 @@
Index: src/kadmin/dbutil/Makefile.in
===================================================================
--- src/kadmin/dbutil/Makefile.in.orig
+++ src/kadmin/dbutil/Makefile.in
@@ -19,21 +19,28 @@ SRCS = kdb5_util.c kdb5_create.c kadm5_c
OBJS = kdb5_util.o kdb5_create.o kadm5_create.o string_table.o kdb5_destroy.o kdb5_stash.o import_err.o strtok.o dump.o ovload.o
-all:: $(PROG)
+all:: $(PROG) EncryptWithMasterKey
$(PROG): $(OBJS) $(KADMSRV_DEPLIBS) $(KRB4COMPAT_DEPLIBS)
$(CC_LINK) -o $(PROG) $(OBJS) $(KADMSRV_LIBS) $(KDB_DEP_LIB) $(KRB4COMPAT_LIBS)
+EncryptWithMasterKey: EncryptWithMasterKey.o
+ $(CC_LINK) -o EncryptWithMasterKey EncryptWithMasterKey.o $(KRB5_BASE_LIBS)
+
+EncryptWithMasterKey.o: EncryptWithMasterKey.c
+
+
import_err.c import_err.h: $(srcdir)/import_err.et
$(OBJS): import_err.h
install::
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
+ $(INSTALL_PROGRAM) EncryptWithMasterKey ${DESTDIR}$(ADMIN_BINDIR)/EncryptWithMasterKey
$(INSTALL_DATA) $(srcdir)/$(PROG).M ${DESTDIR}$(ADMIN_MANDIR)/$(PROG).8
clean::
- $(RM) $(PROG) $(OBJS) import_err.c import_err.h
+ $(RM) $(PROG) $(OBJS) import_err.c import_err.h EncryptWithMasterKey EncryptWithMasterKey.o
# +++ Dependency line eater +++
#

4
vendor-files.tar.bz2
View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:d6c325cc28c01e7e51fc96e3b966bb741060efb11a3b154b1ec0f07986a9571f
size 186676
oid sha256:50ad02a920579585da9d44999c680c731ba9c2530fbc542e3298eacab1286617
size 182015

15
warning-fix-lib-crypto-des.dif
View File

@ -1,15 +0,0 @@
# fix warning:
# string2key.c: In function 'mit_des_string_to_key_int':
# string2key.c:229: warning: pointer targets in passing argument 1 of 'mit_des_cbc_cksum' differ in signedness
#
--- src/lib/crypto/des/string2key.c
+++ src/lib/crypto/des/string2key.c 2006/06/21 08:16:12
@@ -44,7 +44,7 @@
krb5_ui_4 x, y, z;
unsigned char *p;
des_key_schedule sched;
- char *copy;
+ unsigned char *copy;
size_t copylen;
/* As long as the architecture is big-endian or little-endian, it

169
warning-fix-lib-crypto-dk.dif
View File

@ -1,169 +0,0 @@
# warning fix for:
# derive.c:63: warning: pointer targets in assignment differ in signedness
# derive.c:66: warning: pointer targets in assignment differ in signedness
# derive.c:75: warning: pointer targets in passing argument 2 of 'krb5_nfold' differ in signedness
# derive.c:75: warning: pointer targets in passing argument 4 of 'krb5_nfold' differ in signedness
# derive.c:96: warning: pointer targets in assignment differ in signedness
# derive.c: In function 'krb5_derive_random':
# derive.c:148: warning: pointer targets in assignment differ in signedness
# derive.c:151: warning: pointer targets in assignment differ in signedness
# derive.c:160: warning: pointer targets in passing argument 2 of 'krb5_nfold' differ in signedness
# derive.c:160: warning: pointer targets in passing argument 4 of 'krb5_nfold' differ in signedness
#
# dk_decrypt.c:153: warning: pointer targets in assignment differ in signedness
#
# dk_encrypt.c: In function 'krb5_dk_encrypt':
# dk_encrypt.c:98: warning: pointer targets in assignment differ in signedness
# dk_encrypt.c:119: warning: pointer targets in assignment differ in signedness
# dk_encrypt.c:132: warning: pointer targets in assignment differ in signedness
# dk_encrypt.c:141: warning: pointer targets in assignment differ in signedness
# dk_encrypt.c: In function 'krb5int_aes_dk_encrypt':
# dk_encrypt.c:263: warning: pointer targets in assignment differ in signedness
# dk_encrypt.c:284: warning: pointer targets in assignment differ in signedness
# dk_encrypt.c:298: warning: pointer targets in assignment differ in signedness
# dk_encrypt.c:308: warning: pointer targets in assignment differ in signedness
#
--- src/lib/crypto/dk/derive.c
+++ src/lib/crypto/dk/derive.c 2006/06/21 10:13:47
@@ -60,10 +60,10 @@
return(ENOMEM);
}
- inblock.data = inblockdata;
+ inblock.data = (char*)inblockdata;
inblock.length = blocksize;
- outblock.data = outblockdata;
+ outblock.data = (char*)outblockdata;
outblock.length = blocksize;
/* initialize the input block */
@@ -71,8 +71,8 @@
if (in_constant->length == inblock.length) {
memcpy(inblock.data, in_constant->data, inblock.length);
} else {
- krb5_nfold(in_constant->length*8, in_constant->data,
- inblock.length*8, inblock.data);
+ krb5_nfold(in_constant->length*8, (unsigned char*)in_constant->data,
+ inblock.length*8, (unsigned char*)inblock.data);
}
/* loop encrypting the blocks until enough key bytes are generated */
@@ -93,7 +93,7 @@
/* postprocess the key */
- inblock.data = rawkey;
+ inblock.data = (char*)rawkey;
inblock.length = keybytes;
(*(enc->make_key))(&inblock, outkey);
@@ -145,10 +145,10 @@
return(ENOMEM);
}
- inblock.data = inblockdata;
+ inblock.data = (char*)inblockdata;
inblock.length = blocksize;
- outblock.data = outblockdata;
+ outblock.data = (char*)outblockdata;
outblock.length = blocksize;
/* initialize the input block */
@@ -156,8 +156,8 @@
if (in_constant->length == inblock.length) {
memcpy(inblock.data, in_constant->data, inblock.length);
} else {
- krb5_nfold(in_constant->length*8, in_constant->data,
- inblock.length*8, inblock.data);
+ krb5_nfold(in_constant->length*8, (unsigned char*)in_constant->data,
+ inblock.length*8, (unsigned char*)inblock.data);
}
/* loop encrypting the blocks until enough key bytes are generated */
--- src/lib/crypto/dk/dk_decrypt.c
+++ src/lib/crypto/dk/dk_decrypt.c 2006/06/21 10:13:47
@@ -150,7 +150,7 @@
cn = (unsigned char *) d1.data + d1.length - blocksize;
else if (ivec_mode == 1) {
int nblocks = (d1.length + blocksize - 1) / blocksize;
- cn = d1.data + blocksize * (nblocks - 2);
+ cn = (unsigned char *) d1.data + blocksize * (nblocks - 2);
} else
abort();
} else
--- src/lib/crypto/dk/dk_encrypt.c
+++ src/lib/crypto/dk/dk_encrypt.c 2006/06/21 10:19:00
@@ -95,7 +95,7 @@
/* derive the keys */
- d1.data = constantdata;
+ d1.data = (char*)constantdata;
d1.length = K5CLENGTH;
d1.data[0] = (usage>>24)&0xff;
@@ -116,7 +116,7 @@
/* put together the plaintext */
d1.length = blocksize;
- d1.data = plaintext;
+ d1.data = (char*)plaintext;
if ((ret = krb5_c_random_make_octets(/* XXX */ 0, &d1)))
goto cleanup;
@@ -129,7 +129,7 @@
/* encrypt the plaintext */
d1.length = plainlen;
- d1.data = plaintext;
+ d1.data = (char*)plaintext;
d2.length = plainlen;
d2.data = output->data;
@@ -138,7 +138,7 @@
goto cleanup;
if (ivec != NULL && ivec->length == blocksize)
- cn = d2.data + d2.length - blocksize;
+ cn = (unsigned char*)d2.data + d2.length - blocksize;
else
cn = NULL;
@@ -260,7 +260,7 @@
/* derive the keys */
- d1.data = constantdata;
+ d1.data = (char*)constantdata;
d1.length = K5CLENGTH;
d1.data[0] = (usage>>24)&0xff;
@@ -281,7 +281,7 @@
/* put together the plaintext */
d1.length = blocksize;
- d1.data = plaintext;
+ d1.data = (char*)plaintext;
if ((ret = krb5_c_random_make_octets(/* XXX */ 0, &d1)))
goto cleanup;
@@ -295,7 +295,7 @@
/* encrypt the plaintext */
d1.length = plainlen;
- d1.data = plaintext;
+ d1.data = (char*)plaintext;
d2.length = plainlen;
d2.data = output->data;
@@ -305,7 +305,7 @@
if (ivec != NULL && ivec->length == blocksize) {
int nblocks = (d2.length + blocksize - 1) / blocksize;
- cn = d2.data + blocksize * (nblocks - 2);
+ cn = (unsigned char*)d2.data + blocksize * (nblocks - 2);
} else
cn = NULL;

77
warning-fix-lib-crypto-enc_provider.dif
View File

@ -1,77 +0,0 @@
# fix warnings for:
# aes.c: In function 'krb5int_aes_encrypt':
# aes.c:72: warning: pointer targets in passing argument 1 of 'krb5int_aes_enc_blk' differ in signedness
# aes.c:72: warning: pointer targets in passing argument 2 of 'krb5int_aes_enc_blk' differ in signedness
# aes.c:77: warning: pointer targets in passing argument 1 of 'xorblock' differ in signedness
# aes.c:86: warning: pointer targets in passing argument 1 of 'xorblock' differ in signedness
# aes.c:94: warning: pointer targets in passing argument 1 of 'xorblock' differ in signedness
# aes.c:94: warning: pointer targets in passing argument 2 of 'xorblock' differ in signedness
# aes.c: In function 'krb5int_aes_decrypt':
# aes.c:127: warning: pointer targets in passing argument 1 of 'krb5int_aes_dec_blk' differ in signedness
# aes.c:127: warning: pointer targets in passing argument 2 of 'krb5int_aes_dec_blk' differ in signedness
# aes.c:131: warning: pointer targets in passing argument 1 of 'krb5int_aes_dec_blk' differ in signedness
# aes.c:132: warning: pointer targets in passing argument 1 of 'xorblock' differ in signedness
# aes.c:132: warning: pointer targets in passing argument 2 of 'xorblock' differ in signedness
# aes.c:138: warning: pointer targets in passing argument 1 of 'krb5int_aes_dec_blk' differ in signedness
# aes.c:145: warning: pointer targets in passing argument 1 of 'xorblock' differ in signedness
# aes.c:145: warning: pointer targets in passing argument 2 of 'xorblock' differ in signedness
# aes.c:154: warning: pointer targets in passing argument 1 of 'xorblock' differ in signedness
# aes.c:154: warning: pointer targets in passing argument 2 of 'xorblock' differ in signedness
#
--- src/lib/crypto/enc_provider/aes.c
+++ src/lib/crypto/enc_provider/aes.c 2006/06/21 10:50:23
@@ -40,7 +40,7 @@
#define enc(OUT, IN, CTX) (aes_enc_blk((IN),(OUT),(CTX)) == aes_good ? (void) 0 : abort())
#define dec(OUT, IN, CTX) (aes_dec_blk((IN),(OUT),(CTX)) == aes_good ? (void) 0 : abort())
-static void xorblock(char *out, const char *in)
+static void xorblock(unsigned char *out, const unsigned char *in)
{
int z;
for (z = 0; z < BLOCK_SIZE; z++)
@@ -69,12 +69,12 @@
if (nblocks == 1) {
/* XXX Used for DK function. */
- enc(output->data, input->data, &ctx);
+ enc((unsigned char*)output->data, (unsigned char*)input->data, &ctx);
} else {
unsigned int nleft;
for (blockno = 0; blockno < nblocks - 2; blockno++) {
- xorblock(tmp, input->data + blockno * BLOCK_SIZE);
+ xorblock(tmp, (unsigned char*) input->data + blockno * BLOCK_SIZE);
enc(tmp2, tmp, &ctx);
memcpy(output->data + blockno * BLOCK_SIZE, tmp2, BLOCK_SIZE);
@@ -83,7 +83,7 @@
}
/* Do final CTS step for last two blocks (the second of which
may or may not be incomplete). */
- xorblock(tmp, input->data + (nblocks - 2) * BLOCK_SIZE);
+ xorblock(tmp, (unsigned char*) input->data + (nblocks - 2) * BLOCK_SIZE);
enc(tmp2, tmp, &ctx);
nleft = input->length - (nblocks - 1) * BLOCK_SIZE;
memcpy(output->data + (nblocks - 1) * BLOCK_SIZE, tmp2, nleft);
@@ -124,18 +124,18 @@
if (nblocks == 1) {
if (input->length < BLOCK_SIZE)
abort();
- dec(output->data, input->data, &ctx);
+ dec((unsigned char*)output->data, (unsigned char*) input->data, &ctx);
} else {
for (blockno = 0; blockno < nblocks - 2; blockno++) {
- dec(tmp2, input->data + blockno * BLOCK_SIZE, &ctx);
+ dec(tmp2, (unsigned char*)input->data + blockno * BLOCK_SIZE, &ctx);
xorblock(tmp2, tmp);
memcpy(output->data + blockno * BLOCK_SIZE, tmp2, BLOCK_SIZE);
memcpy(tmp, input->data + blockno * BLOCK_SIZE, BLOCK_SIZE);
}
/* Do last two blocks, the second of which (next-to-last block
of plaintext) may be incomplete. */
- dec(tmp2, input->data + (nblocks - 2) * BLOCK_SIZE, &ctx);
+ dec(tmp2, (unsigned char*) input->data + (nblocks - 2) * BLOCK_SIZE, &ctx);
/* Set tmp3 to last ciphertext block, padded. */
memset(tmp3, 0, sizeof(tmp3));
memcpy(tmp3, input->data + (nblocks - 1) * BLOCK_SIZE,

27
warning-fix-lib-crypto-yarrow_arcfour.dif
View File

@ -1,27 +0,0 @@
# warning fixes for:
# arcfour_s2k.c:46: warning: pointer targets in passing argument 2 of 'asctouni' differ in signedness
#
# ycipher.c:77: warning: pointer targets in assignment differ in signedness
#
--- src/lib/crypto/arcfour/arcfour_s2k.c
+++ src/lib/crypto/arcfour/arcfour_s2k.c 2006/06/21 10:55:47
@@ -43,7 +43,7 @@
return ENOMEM;
/* make the string. start by creating the unicode version of the password*/
- asctouni(copystr, string->data, slen );
+ asctouni(copystr, (unsigned char*)string->data, slen );
/* the actual MD4 hash of the data */
krb5_MD4Init(&md4_context);
--- src/lib/crypto/yarrow/ycipher.c
+++ src/lib/crypto/yarrow/ycipher.c 2006/06/21 10:56:48
@@ -74,7 +74,7 @@
const struct krb5_enc_provider *enc = &yarrow_enc_provider;
ind.data = (char *) in;
ind.length = CIPHER_BLOCK_SIZE;
- outd.data = out;
+ outd.data = (char*)out;
outd.length = CIPHER_BLOCK_SIZE;
ret = enc->encrypt (&ctx->key, 0, &ind, &outd);
if (ret)

76
warning-fix-lib-crypto.dif
View File

@ -1,76 +0,0 @@
# warning fix for:
# old_api_glue.c: In function 'krb5_encrypt':
# old_api_glue.c:49: warning: assignment discards qualifiers from pointer target type
# old_api_glue.c: In function 'krb5_decrypt':
# old_api_glue.c:85: warning: assignment discards qualifiers from pointer target type
# old_api_glue.c: In function 'krb5_calculate_checksum':
# old_api_glue.c:206: warning: assignment discards qualifiers from pointer target type
# old_api_glue.c:210: warning: assignment discards qualifiers from pointer target type
# old_api_glue.c: In function 'krb5_verify_checksum':
# old_api_glue.c:242: warning: assignment discards qualifiers from pointer target type
# old_api_glue.c:246: warning: assignment discards qualifiers from pointer target type
#
# pbkdf2.c:86: warning: pointer targets in assignment differ in signedness
#
# prng.c:33: warning: 'init_error' defined but not used
#
--- src/lib/crypto/old_api_glue.c
+++ src/lib/crypto/old_api_glue.c 2006/06/21 10:23:07
@@ -46,7 +46,7 @@
/* size is the length of the input cleartext data */
inputd.length = size;
- inputd.data = inptr;
+ inputd.data = (char*)inptr;
/* The size of the output buffer isn't part of the old api. Not too
safe. So, we assume here that it's big enough. */
@@ -82,7 +82,7 @@
/* size is the length of the input ciphertext data */
inputd.enctype = eblock->key->enctype;
inputd.ciphertext.length = size;
- inputd.ciphertext.data = inptr;
+ inputd.ciphertext.data = (char*)inptr;
/* we don't really know how big this is, but the code tends to assume
that the output buffer size should be the same as the input
@@ -203,11 +203,11 @@
krb5_error_code ret;
krb5_checksum cksum;
- input.data = in;
+ input.data = (char*)in;
input.length = in_length;
key.length = seed_length;
- key.contents = seed;
+ key.contents = (krb5_octet*)seed;
if ((ret = krb5_c_make_checksum(context, ctype, &key, 0, &input, &cksum)))
return(ret);
@@ -239,11 +239,11 @@
krb5_error_code ret;
krb5_boolean valid;
- input.data = in;
+ input.data = (char*)in;
input.length = in_length;
key.length = seed_length;
- key.contents = seed;
+ key.contents = (krb5_octet*)seed;
if ((ret = krb5_c_verify_checksum(context, &key, 0, &input, cksum,
&valid)))
--- src/lib/crypto/pbkdf2.c
+++ src/lib/crypto/pbkdf2.c 2006/06/21 10:25:54
@@ -83,7 +83,7 @@
krb5_data out;
krb5_error_code err;
- pdata.contents = pass->data;
+ pdata.contents = (krb5_octet*) pass->data;
pdata.length = pass->length;
#if 0