rpm/krb5
SHA256
1
0
Fork 0
forked from pool/krb5
Code Pull Requests Activity

- add post 1.8 fixes

Browse Source 
* Add IPv6 support to changepw.c
  * fix two problems in kadm5_get_principal mask handling 
  * Ignore improperly encoded signedpath AD elements
  * handle NT_SRV_INST in service principal referrals
  * dereference options while checking 
    KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT
  * Fix the kpasswd fallback from the ccache principal name
  * Document the ticket_lifetime libdefaults setting
  * Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512

OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=13
This commit is contained in:
Michael Calmer 2010-03-23 11:40:55 +00:00 committed by Git OBS Bridge
parent 2e036bfdfd
commit f9e6d882fd
26 changed files with 572 additions and 977 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
README.Source
View File

@ -1,9 +0,0 @@
Because of potential legal risk we have removed the
file "src/appl/telnet/libtelnet/spx.c" from the
source tarball.
If you want to see the original sources you can download
them from
http://web.mit.edu/kerberos/www/ .

38
krb5-1.4.3-enospc.dif
View File

@ -1,24 +1,24 @@
If the error message is going to be ambiguous, try to give the user some clue
by returning the last error reported by the OS.
Index: krb5-1.7/src/clients/kinit/kinit.c
Index: krb5-1.8-alpha1/src/clients/kinit/kinit.c
===================================================================
--- krb5-1.7.orig/src/clients/kinit/kinit.c
+++ krb5-1.7/src/clients/kinit/kinit.c
@@ -670,8 +670,14 @@ k5_kinit(opts, k5)
code = krb5_cc_initialize(k5->ctx, k5->cc,
opts->canonicalize ? my_creds.client : k5->me);
if (code) {
- com_err(progname, code, "when initializing cache %s",
- opts->k5_cache_name?opts->k5_cache_name:"");
+ if ((code == KRB5_CC_IO) && (errno != 0)) {
+ com_err(progname, code, "when initializing cache %s: %s",
+ opts->k5_cache_name?opts->k5_cache_name:"",
+ strerror(errno));
+ } else {
+ com_err(progname, code, "when initializing cache %s",
+ opts->k5_cache_name?opts->k5_cache_name:"");
+ }
goto cleanup;
}
--- krb5-1.8-alpha1.orig/src/clients/kinit/kinit.c
+++ krb5-1.8-alpha1/src/clients/kinit/kinit.c
@@ -712,8 +712,14 @@ k5_kinit(opts, k5)
code = krb5_cc_initialize(k5->ctx, k5->cc, opts->canonicalize ?
my_creds.client : k5->me);
if (code) {
- com_err(progname, code, "when initializing cache %s",
- opts->k5_cache_name?opts->k5_cache_name:"");
+ if ((code == KRB5_CC_IO) && (errno != 0)) {
+ com_err(progname, code, "when initializing cache %s: %s",
+ opts->k5_cache_name?opts->k5_cache_name:"",
+ strerror(errno));
+ } else {
+ com_err(progname, code, "when initializing cache %s",
+ opts->k5_cache_name?opts->k5_cache_name:"");
+ }
goto cleanup;
}

13
krb5-1.5.1-fix-ftp-var-used-uninitialized.dif
View File

@ -1,13 +0,0 @@
Index: src/appl/gssftp/ftp/ftp.c
===================================================================
--- src/appl/gssftp/ftp/ftp.c.orig
+++ src/appl/gssftp/ftp/ftp.c
@@ -1912,7 +1912,7 @@ int do_auth()
#ifdef GSSAPI
if (command("AUTH %s", "GSSAPI") == CONTINUE) {
- OM_uint32 maj_stat, min_stat, dummy_stat;
+ OM_uint32 maj_stat = GSS_S_FAILURE , min_stat, dummy_stat;
gss_name_t target_name;
gss_buffer_desc send_tok, recv_tok, *token_ptr;
char stbuf[FTP_BUFSIZ];

10
krb5-1.5.1-fix-var-used-before-value-set.dif
View File

@ -1,10 +0,0 @@
--- src/appl/telnet/telnetd/utility.c
+++ src/appl/telnet/telnetd/utility.c 2006/11/06 10:34:09
@@ -127,6 +127,7 @@
}
tv.tv_sec = 1;
tv.tv_usec = 0;
+ FD_ZERO(&fds);
FD_SET(net, &fds);
while (select(net + 1, &fds, NULL, NULL, &tv) == 1)

2
krb5-1.6.1-compile_pie.dif
View File

@ -15,7 +15,7 @@ Index: src/config/shlib.conf
===================================================================
--- src/config/shlib.conf.orig
+++ src/config/shlib.conf
@@ -420,7 +420,8 @@ mips-*-netbsd*)
@@ -419,7 +419,8 @@ mips-*-netbsd*)
PROFFLAGS=-pg
RPATH_FLAG='-Wl,-rpath -Wl,'
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'

54
krb5-1.6.3-fix-ipv6-query.dif
View File

@ -1,9 +1,9 @@
Index: trunk/src/lib/krb5/os/hostaddr.c
Index: krb5-1.8-alpha1/src/lib/krb5/os/hostaddr.c
===================================================================
--- trunk.orig/src/lib/krb5/os/hostaddr.c
+++ trunk/src/lib/krb5/os/hostaddr.c
@@ -43,7 +43,7 @@ krb5_os_hostaddr(krb5_context context, c
return KRB5_ERR_BAD_HOSTNAME;
--- krb5-1.8-alpha1.orig/src/lib/krb5/os/hostaddr.c
+++ krb5-1.8-alpha1/src/lib/krb5/os/hostaddr.c
@@ -44,7 +44,7 @@ krb5_os_hostaddr(krb5_context context, c
return KRB5_ERR_BAD_HOSTNAME;
memset (&hints, 0, sizeof (hints));
- hints.ai_flags = AI_NUMERICHOST;
@ -11,11 +11,11 @@ Index: trunk/src/lib/krb5/os/hostaddr.c
/* We don't care what kind at this point, really, but without
this, we can get back multiple sockaddrs per address, for
SOCK_DGRAM, SOCK_STREAM, and SOCK_RAW. I haven't checked if
Index: trunk/src/lib/krb5/os/hst_realm.c
Index: krb5-1.8-alpha1/src/lib/krb5/os/hst_realm.c
===================================================================
--- trunk.orig/src/lib/krb5/os/hst_realm.c
+++ trunk/src/lib/krb5/os/hst_realm.c
@@ -171,7 +171,7 @@ krb5int_get_fq_hostname (char *buf, size
--- krb5-1.8-alpha1.orig/src/lib/krb5/os/hst_realm.c
+++ krb5-1.8-alpha1/src/lib/krb5/os/hst_realm.c
@@ -103,7 +103,7 @@ get_fq_hostname(char *buf, size_t bufsiz
int err;
memset (&hints, 0, sizeof (hints));
@ -23,12 +23,12 @@ Index: trunk/src/lib/krb5/os/hst_realm.c
+ hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;
err = getaddrinfo (name, 0, &hints, &ai);
if (err)
return krb5int_translate_gai_error (err);
Index: trunk/src/lib/krb5/os/locate_kdc.c
return krb5int_translate_gai_error (err);
Index: krb5-1.8-alpha1/src/lib/krb5/os/locate_kdc.c
===================================================================
--- trunk.orig/src/lib/krb5/os/locate_kdc.c
+++ trunk/src/lib/krb5/os/locate_kdc.c
@@ -254,8 +254,9 @@ krb5int_add_host_to_list (struct addrlis
--- krb5-1.8-alpha1.orig/src/lib/krb5/os/locate_kdc.c
+++ krb5-1.8-alpha1/src/lib/krb5/os/locate_kdc.c
@@ -259,8 +259,9 @@ krb5int_add_host_to_list (struct addrlis
memset(&hint, 0, sizeof(hint));
hint.ai_family = family;
hint.ai_socktype = socktype;
@ -37,18 +37,18 @@ Index: trunk/src/lib/krb5/os/locate_kdc.c
- hint.ai_flags = AI_NUMERICSERV;
+ hint.ai_flags |= AI_NUMERICSERV;
#endif
if (snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port)) >= sizeof(portbuf))
/* XXX */
Index: trunk/src/lib/krb5/os/sn2princ.c
result = snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port));
if (SNPRINTF_OVERFLOW(result, sizeof(portbuf)))
Index: krb5-1.8-alpha1/src/lib/krb5/os/sn2princ.c
===================================================================
--- trunk.orig/src/lib/krb5/os/sn2princ.c
+++ trunk/src/lib/krb5/os/sn2princ.c
@@ -107,7 +107,7 @@ krb5_sname_to_principal(krb5_context con
--- krb5-1.8-alpha1.orig/src/lib/krb5/os/sn2princ.c
+++ krb5-1.8-alpha1/src/lib/krb5/os/sn2princ.c
@@ -108,7 +108,7 @@ krb5_sname_to_principal(krb5_context con
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_INET;
- hints.ai_flags = AI_CANONNAME;
+ hints.ai_flags = AI_CANONNAME|AI_ADDRCONFIG;
try_getaddrinfo_again:
err = getaddrinfo(hostname, 0, &hints, &ai);
if (err) {
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_INET;
- hints.ai_flags = AI_CANONNAME;
+ hints.ai_flags = AI_CANONNAME|AI_ADDRCONFIG;
try_getaddrinfo_again:
err = getaddrinfo(hostname, 0, &hints, &ai);
if (err) {

53
krb5-1.6.3-kpasswd_tcp.patch
View File

@ -5,31 +5,30 @@ Index: src/lib/krb5/os/changepw.c
===================================================================
--- src/lib/krb5/os/changepw.c.orig
+++ src/lib/krb5/os/changepw.c
@@ -261,11 +261,22 @@ krb5_change_set_password(krb5_context co
NULL,
NULL
))) {
-
- /*
- * Here we may want to switch to TCP on some errors.
- * right?
- */
+ /* if we're not using a stream socket, and it's an error which
+ * might reasonably be specific to a datagram "connection", try
+ * again with a stream socket */
+ if (!useTcp) {
+ switch (code) {
+ case KRB5_KDC_UNREACH:
+ case KRB5_REALM_CANT_RESOLVE:
+ case KRB5KRB_ERR_RESPONSE_TOO_BIG:
+ /* should we do this for more result codes than these? */
+ krb5int_free_addrlist (&al);
+ useTcp = 1;
+ continue;
+ default:
+ break;
+ }
+ }
break;
}
@@ -271,10 +271,22 @@ change_set_password(krb5_context context
NULL
))) {
- /*
- * Here we may want to switch to TCP on some errors.
- * right?
- */
+ /* if we're not using a stream socket, and it's an error which
+ * might reasonably be specific to a datagram "connection", try
+ * again with a stream socket */
+ if (!useTcp) {
+ switch (code) {
+ case KRB5_KDC_UNREACH:
+ case KRB5_REALM_CANT_RESOLVE:
+ case KRB5KRB_ERR_RESPONSE_TOO_BIG:
+ /* should we do this for more result codes than these? */
+ krb5int_free_addrlist (&al);
+ useTcp = 1;
+ continue;
+ default:
+ break;
+ }
+ }
break;
}

28
krb5-1.6.3-kprop-use-mkstemp.dif
View File

@ -2,18 +2,18 @@ Index: src/slave/kprop.c
===================================================================
--- src/slave/kprop.c.orig
+++ src/slave/kprop.c
@@ -215,6 +215,7 @@ void get_tickets(context)
krb5_error_code retval;
static char tkstring[] = "/tmp/kproptktXXXXXX";
krb5_keytab keytab = NULL;
+ int ret = 0;
@@ -206,6 +206,7 @@ void get_tickets(context)
krb5_error_code retval;
static char tkstring[] = "/tmp/kproptktXXXXXX";
krb5_keytab keytab = NULL;
+ int ret = 0;
/*
* Figure out what tickets we'll be using to send stuff
@@ -240,7 +241,15 @@ void get_tickets(context)
/*
* Initialize cache file which we're going to be using
*/
/*
* Figure out what tickets we'll be using to send stuff
@@ -231,7 +232,15 @@ void get_tickets(context)
/*
* Initialize cache file which we're going to be using
*/
+#ifdef HAVE_MKSTEMP
+ ret = mkstemp(tkstring);
+ if (ret == -1) {
@ -21,8 +21,8 @@ Index: src/slave/kprop.c
+ exit(1);
+ } else close(ret);
+#else
(void) mktemp(tkstring);
(void) mktemp(tkstring);
+#endif
snprintf(buf, sizeof(buf), "FILE:%s", tkstring);
snprintf(buf, sizeof(buf), "FILE:%s", tkstring);
retval = krb5_cc_resolve(context, buf, &ccache);
retval = krb5_cc_resolve(context, buf, &ccache);

27
krb5-1.7-MITKRB5-SA-2009-003.dif
View File

@ -1,27 +0,0 @@
Index: krb5-1.7/src/kdc/do_tgs_req.c
===================================================================
--- krb5-1.7.orig/src/kdc/do_tgs_req.c
+++ krb5-1.7/src/kdc/do_tgs_req.c
@@ -1158,7 +1158,7 @@ prep_reprocess_req(krb5_kdc_req *request
free(temp_buf);
if (retval) {
/* no match found */
- kdc_err(kdc_context, retval, 0);
+ kdc_err(kdc_context, retval, "unable to find realm of host");
goto cleanup;
}
if (realms == 0) {
Index: krb5-1.7/src/lib/kadm5/logger.c
===================================================================
--- krb5-1.7.orig/src/lib/kadm5/logger.c
+++ krb5-1.7/src/lib/kadm5/logger.c
@@ -188,6 +188,9 @@ klog_com_err_proc(const char *whoami, lo
char *cp;
char *syslogp;
+ if (whoami == NULL || format == NULL)
+ return;
+
/* Make the header */
snprintf(outbuf, sizeof(outbuf), "%s: ", whoami);
/*

377
krb5-1.7-MITKRB5-SA-2009-004.dif
View File

@ -1,377 +0,0 @@
Index: krb5-1.7/src/lib/crypto/Makefile.in
===================================================================
--- krb5-1.7.orig/src/lib/crypto/Makefile.in
+++ krb5-1.7/src/lib/crypto/Makefile.in
@@ -18,6 +18,7 @@ EXTRADEPSRCS=\
$(srcdir)/t_nfold.c \
$(srcdir)/t_cf2.c \
$(srcdir)/t_encrypt.c \
+ $(srcdir)/t_short.c \
$(srcdir)/t_prf.c \
$(srcdir)/t_prng.c \
$(srcdir)/t_hmac.c \
@@ -206,7 +207,7 @@ libcrypto.lib:
clean-unix:: clean-liblinks clean-libs clean-libobjs
-check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_cf2
+check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_cf2 t_short
$(RUN_SETUP) $(VALGRIND) ./t_nfold
$(RUN_SETUP) $(VALGRIND) ./t_encrypt
$(RUN_SETUP) $(VALGRIND) ./t_prng <$(srcdir)/t_prng.seed >t_prng.output && \
@@ -216,6 +217,7 @@ check-unix:: t_nfold t_encrypt t_prf t_p
diff t_prf.output $(srcdir)/t_prf.expected
$(RUN_SETUP) $(VALGRIND) ./t_cf2 <$(srcdir)/t_cf2.in >t_cf2.output
diff t_cf2.output $(srcdir)/t_cf2.expected
+ $(RUN_SETUP) $(VALGRIND) ./t_short
# $(RUN_SETUP) $(VALGRIND) ./t_pkcs5
@@ -249,10 +251,14 @@ t_cts$(EXEEXT): t_cts.$(OBJEXT) $(CRYPTO
$(CC_LINK) -o $@ t_cts.$(OBJEXT) \
$(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB)
+t_short$(EXEEXT): t_short.$(OBJEXT) $(CRYPTO_DEPLIB) $(SUPPORT_DEPLIB)
+ $(CC_LINK) -o $@ t_short.$(OBJEXT) \
+ $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB)
clean::
$(RM) t_nfold.o t_nfold t_encrypt t_encrypt.o t_prng.o t_prng \
- t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o t_cf2 t_cf2.o
+ t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o \
+ t_cf2 t_cf2.o t_short t_short.o
-$(RM) t_prng.output
all-windows::
Index: krb5-1.7/src/lib/crypto/arcfour/arcfour.c
===================================================================
--- krb5-1.7.orig/src/lib/crypto/arcfour/arcfour.c
+++ krb5-1.7/src/lib/crypto/arcfour/arcfour.c
@@ -199,6 +199,12 @@ krb5_arcfour_decrypt(const struct krb5_e
keylength = enc->keylength;
hashsize = hash->hashsize;
+ /* Verify input and output lengths. */
+ if (input->length < hashsize + CONFOUNDERLENGTH)
+ return KRB5_BAD_MSIZE;
+ if (output->length < input->length - hashsize - CONFOUNDERLENGTH)
+ return KRB5_BAD_MSIZE;
+
d1.length=keybytes;
d1.data=malloc(d1.length);
if (d1.data == NULL)
Index: krb5-1.7/src/lib/crypto/enc_provider/aes.c
===================================================================
--- krb5-1.7.orig/src/lib/crypto/enc_provider/aes.c
+++ krb5-1.7/src/lib/crypto/enc_provider/aes.c
@@ -105,9 +105,11 @@ krb5int_aes_encrypt(const krb5_keyblock
nblocks = (input->length + BLOCK_SIZE - 1) / BLOCK_SIZE;
if (nblocks == 1) {
- /* XXX Used for DK function. */
+ /* Used when deriving keys. */
+ if (input->length < BLOCK_SIZE)
+ return KRB5_BAD_MSIZE;
enc(output->data, input->data, &ctx);
- } else {
+ } else if (nblocks > 1) {
unsigned int nleft;
for (blockno = 0; blockno < nblocks - 2; blockno++) {
@@ -160,9 +162,9 @@ krb5int_aes_decrypt(const krb5_keyblock
if (nblocks == 1) {
if (input->length < BLOCK_SIZE)
- abort();
+ return KRB5_BAD_MSIZE;
dec(output->data, input->data, &ctx);
- } else {
+ } else if (nblocks > 1) {
for (blockno = 0; blockno < nblocks - 2; blockno++) {
dec(tmp2, input->data + blockno * BLOCK_SIZE, &ctx);
@@ -208,6 +210,7 @@ krb5int_aes_encrypt_iov(const krb5_keybl
char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE];
int nblocks = 0, blockno;
size_t input_length, i;
+ struct iov_block_state input_pos, output_pos;
if (aes_enc_key(key->contents, key->length, &ctx) != aes_good)
abort();
@@ -224,17 +227,19 @@ krb5int_aes_encrypt_iov(const krb5_keybl
input_length += iov->data.length;
}
- nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
-
- assert(nblocks > 1);
+ IOV_BLOCK_STATE_INIT(&input_pos);
+ IOV_BLOCK_STATE_INIT(&output_pos);
- {
+ nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
+ if (nblocks == 1) {
+ krb5int_c_iov_get_block((unsigned char *)tmp, BLOCK_SIZE,
+ data, num_data, &input_pos);
+ enc(tmp2, tmp, &ctx);
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2,
+ BLOCK_SIZE, &output_pos);
+ } else if (nblocks > 1) {
char blockN2[BLOCK_SIZE]; /* second last */
char blockN1[BLOCK_SIZE]; /* last block */
- struct iov_block_state input_pos, output_pos;
-
- IOV_BLOCK_STATE_INIT(&input_pos);
- IOV_BLOCK_STATE_INIT(&output_pos);
for (blockno = 0; blockno < nblocks - 2; blockno++) {
char blockN[BLOCK_SIZE];
@@ -288,6 +293,7 @@ krb5int_aes_decrypt_iov(const krb5_keybl
char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE];
int nblocks = 0, blockno, i;
size_t input_length;
+ struct iov_block_state input_pos, output_pos;
CHECK_SIZES;
@@ -305,18 +311,19 @@ krb5int_aes_decrypt_iov(const krb5_keybl
if (ENCRYPT_IOV(iov))
input_length += iov->data.length;
}
+ IOV_BLOCK_STATE_INIT(&input_pos);
+ IOV_BLOCK_STATE_INIT(&output_pos);
nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
-
- assert(nblocks > 1);
-
- {
+ if (nblocks == 1) {
+ krb5int_c_iov_get_block((unsigned char *)tmp, BLOCK_SIZE,
+ data, num_data, &input_pos);
+ dec(tmp2, tmp, &ctx);
+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2,
+ BLOCK_SIZE, &output_pos);
+ } else if (nblocks > 1) {
char blockN2[BLOCK_SIZE]; /* second last */
char blockN1[BLOCK_SIZE]; /* last block */
- struct iov_block_state input_pos, output_pos;
-
- IOV_BLOCK_STATE_INIT(&input_pos);
- IOV_BLOCK_STATE_INIT(&output_pos);
for (blockno = 0; blockno < nblocks - 2; blockno++) {
char blockN[BLOCK_SIZE];
Index: krb5-1.7/src/lib/crypto/old/old_decrypt.c
===================================================================
--- krb5-1.7.orig/src/lib/crypto/old/old_decrypt.c
+++ krb5-1.7/src/lib/crypto/old/old_decrypt.c
@@ -45,8 +45,10 @@ krb5_old_decrypt(const struct krb5_enc_p
blocksize = enc->block_size;
hashsize = hash->hashsize;
+ /* Verify input and output lengths. */
+ if (input->length < blocksize + hashsize || input->length % blocksize != 0)
+ return(KRB5_BAD_MSIZE);
plainsize = input->length - blocksize - hashsize;
-
if (arg_output->length < plainsize)
return(KRB5_BAD_MSIZE);
Index: krb5-1.7/src/lib/crypto/raw/raw_decrypt.c
===================================================================
--- krb5-1.7.orig/src/lib/crypto/raw/raw_decrypt.c
+++ krb5-1.7/src/lib/crypto/raw/raw_decrypt.c
@@ -34,5 +34,7 @@ krb5_raw_decrypt(const struct krb5_enc_p
const krb5_data *ivec, const krb5_data *input,
krb5_data *output)
{
- return((*(enc->decrypt))(key, ivec, input, output));
+ if (output->length < input->length)
+ return KRB5_BAD_MSIZE;
+ return((*(enc->decrypt))(key, ivec, input, output));
}
Index: krb5-1.7/src/lib/crypto/t_short.c
===================================================================
--- /dev/null
+++ krb5-1.7/src/lib/crypto/t_short.c
@@ -0,0 +1,128 @@
+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
+/*
+ * lib/crypto/crypto_tests/t_short.c
+ *
+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ * Tests the outcome of decrypting overly short tokens. This program can be
+ * run under a tool like valgrind to detect bad memory accesses; when run
+ * normally by the test suite, it verifies that each operation returns
+ * KRB5_BAD_MSIZE.
+ */
+
+#include "k5-int.h"
+
+
+krb5_enctype interesting_enctypes[] = {
+ ENCTYPE_DES_CBC_CRC,
+ ENCTYPE_DES_CBC_MD4,
+ ENCTYPE_DES_CBC_MD5,
+ ENCTYPE_DES3_CBC_SHA1,
+ ENCTYPE_ARCFOUR_HMAC,
+ ENCTYPE_ARCFOUR_HMAC_EXP,
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+ 0
+};
+
+/* Abort if an operation unexpectedly fails. */
+static void
+x(krb5_error_code code)
+{
+ if (code != 0)
+ abort();
+}
+
+/* Abort if a decrypt operation doesn't have the expected result. */
+static void
+check_decrypt_result(krb5_error_code code, size_t len, size_t min_len)
+{
+ if (len < min_len) {
+ /* Undersized tokens should always result in BAD_MSIZE. */
+ if (code != KRB5_BAD_MSIZE)
+ abort();
+ } else {
+ /* Min-size tokens should succeed or fail the integrity check. */
+ if (code != 0 && code != KRB5KRB_AP_ERR_BAD_INTEGRITY)
+ abort();
+ }
+}
+
+static void
+test_enctype(krb5_enctype enctype)
+{
+ krb5_error_code ret;
+ krb5_keyblock keyblock;
+ krb5_enc_data input;
+ krb5_data output;
+ krb5_crypto_iov iov[2];
+ unsigned int dummy;
+ size_t min_len, len;
+
+ printf("Testing enctype %d\n", (int) enctype);
+ x(krb5_c_encrypt_length(NULL, enctype, 0, &min_len));
+ x(krb5_c_make_random_key(NULL, enctype, &keyblock));
+ input.enctype = enctype;
+
+ /* Try each length up to the minimum length. */
+ for (len = 0; len <= min_len; len++) {
+ input.ciphertext.data = calloc(len, 1);
+ input.ciphertext.length = len;
+ output.data = calloc(len, 1);
+ output.length = len;
+
+ /* Attempt a normal decryption. */
+ ret = krb5_c_decrypt(NULL, &keyblock, 0, NULL, &input, &output);
+ check_decrypt_result(ret, len, min_len);
+
+ if (krb5_c_crypto_length(NULL, enctype, KRB5_CRYPTO_TYPE_HEADER,
+ &dummy) == 0) {
+ /* Attempt an IOV stream decryption. */
+ iov[0].flags = KRB5_CRYPTO_TYPE_STREAM;
+ iov[0].data = input.ciphertext;
+ iov[1].flags = KRB5_CRYPTO_TYPE_DATA;
+ iov[1].data.data = NULL;
+ iov[1].data.length = 0;
+ ret = krb5_c_decrypt_iov(NULL, &keyblock, 0, NULL, iov, 2);
+ check_decrypt_result(ret, len, min_len);
+ }
+
+ free(input.ciphertext.data);
+ free(output.data);
+ }
+}
+
+int
+main(int argc, char **argv)
+{
+ int i;
+ krb5_data notrandom;
+
+ notrandom.data = "notrandom";
+ notrandom.length = 9;
+ krb5_c_random_seed(NULL, &notrandom);
+ for (i = 0; interesting_enctypes[i]; i++)
+ test_enctype(interesting_enctypes[i]);
+ return 0;
+}
+
Index: krb5-1.7/src/lib/crypto/deps
===================================================================
--- krb5-1.7.orig/src/lib/crypto/deps
+++ krb5-1.7/src/lib/crypto/deps
@@ -463,6 +463,16 @@ t_encrypt.so t_encrypt.po $(OUTPRE)t_enc
$(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
$(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
$(SRCTOP)/include/socket-utils.h etypes.h t_encrypt.c
+t_short.so t_short.po $(OUTPRE)t_short.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
+ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
+ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
+ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
+ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
+ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
+ t_short.c
t_prf.so t_prf.po $(OUTPRE)t_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
$(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
$(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
Index: krb5-1.7/src/lib/crypto/dk/dk_aead.c
===================================================================
--- krb5-1.7.orig/src/lib/crypto/dk/dk_aead.c
+++ krb5-1.7/src/lib/crypto/dk/dk_aead.c
@@ -248,7 +248,7 @@ krb5int_dk_decrypt_iov(const struct krb5
for (i = 0; i < num_data; i++) {
const krb5_crypto_iov *iov = &data[i];
- if (ENCRYPT_DATA_IOV(iov))
+ if (ENCRYPT_IOV(iov))
cipherlen += iov->data.length;
}
Index: krb5-1.7/src/lib/crypto/dk/dk_decrypt.c
===================================================================
--- krb5-1.7.orig/src/lib/crypto/dk/dk_decrypt.c
+++ krb5-1.7/src/lib/crypto/dk/dk_decrypt.c
@@ -89,6 +89,12 @@ krb5_dk_decrypt_maybe_trunc_hmac(const s
else if (hmacsize > hashsize)
return KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ /* Verify input and output lengths. */
+ if (input->length < blocksize + hmacsize)
+ return KRB5_BAD_MSIZE;
+ if (output->length < input->length - blocksize - hmacsize)
+ return KRB5_BAD_MSIZE;
+
enclen = input->length - hmacsize;
if ((kedata = (unsigned char *) malloc(keylength)) == NULL)

108
krb5-1.7-manpaths.dif
View File

@ -1,43 +1,9 @@
Index: krb5-1.7/src/appl/bsd/klogind.M
Index: krb5-1.8-alpha1/src/appl/sample/sserver/sserver.M
===================================================================
--- krb5-1.7.orig/src/appl/bsd/klogind.M
+++ krb5-1.7/src/appl/bsd/klogind.M
@@ -27,7 +27,7 @@ server is invoked by \fIinetd(8)\fP when
the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf
configuration line for \fIklogind\fP might be:
-klogin stream tcp nowait root /usr/cygnus/sbin/klogind klogind -e5c
+klogin stream tcp nowait root @mansbindir@/klogind klogind -e5c
When a service request is received, the following protocol is initiated:
Index: krb5-1.7/src/appl/bsd/kshd.M
===================================================================
--- krb5-1.7.orig/src/appl/bsd/kshd.M
+++ krb5-1.7/src/appl/bsd/kshd.M
@@ -8,7 +8,7 @@
.SH NAME
kshd \- kerberized remote shell server
.SH SYNOPSIS
-.B /usr/local/sbin/kshd
+.B @mansbindir@/kshd
[
.B \-kr45ec
]
@@ -30,7 +30,7 @@ server is invoked by \fIinetd(8c)\fP whe
on the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf
configuration line for \fIkrshd\fP might be:
-kshell stream tcp nowait root /usr/local/sbin/kshd kshd -5c
+kshell stream tcp nowait root @mansbindir@/kshd kshd -5c
When a service request is received, the following protocol is initiated:
Index: krb5-1.7/src/appl/sample/sserver/sserver.M
===================================================================
--- krb5-1.7.orig/src/appl/sample/sserver/sserver.M
+++ krb5-1.7/src/appl/sample/sserver/sserver.M
--- krb5-1.8-alpha1.orig/src/appl/sample/sserver/sserver.M
+++ krb5-1.8-alpha1/src/appl/sample/sserver/sserver.M
@@ -59,7 +59,7 @@ option allows for a different keytab tha
using a line in
/etc/inetd.conf that looks like this:
@ -47,23 +13,10 @@ Index: krb5-1.7/src/appl/sample/sserver/sserver.M
.PP
Since \fBsample\fP is normally not a port defined in /etc/services, you will
usually have to add a line to /etc/services which looks like this:
Index: krb5-1.7/src/appl/telnet/telnetd/telnetd.8
Index: krb5-1.8-alpha1/src/config-files/kdc.conf.M
===================================================================
--- krb5-1.7.orig/src/appl/telnet/telnetd/telnetd.8
+++ krb5-1.7/src/appl/telnet/telnetd/telnetd.8
@@ -37,7 +37,7 @@ telnetd \-
.SM DARPA TELNET
protocol server
.SH SYNOPSIS
-.B /usr/libexec/telnetd
+.B @manlibexecdir@/telnetd
[\fB\-a\fP \fIauthmode\fP] [\fB\-B\fP] [\fB\-D\fP] [\fIdebugmode\fP]
[\fB\-e\fP] [\fB\-h\fP] [\fB\-I\fP\fIinitid\fP] [\fB\-l\fP]
[\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP]
Index: krb5-1.7/src/config-files/kdc.conf.M
===================================================================
--- krb5-1.7.orig/src/config-files/kdc.conf.M
+++ krb5-1.7/src/config-files/kdc.conf.M
--- krb5-1.8-alpha1.orig/src/config-files/kdc.conf.M
+++ krb5-1.8-alpha1/src/config-files/kdc.conf.M
@@ -82,14 +82,14 @@ This
.B string
specifies the location of the access control list (acl) file that
@ -81,7 +34,7 @@ Index: krb5-1.7/src/config-files/kdc.conf.M
.IP database_name
This
@@ -257,7 +257,7 @@ tickets should be checked against the tr
@@ -254,7 +254,7 @@ tickets should be checked against the tr
realm names and the [capaths] section of its krb5.conf file
.SH FILES
@ -90,12 +43,12 @@ Index: krb5-1.7/src/config-files/kdc.conf.M
.SH SEE ALSO
krb5.conf(5), krb5kdc(8)
Index: krb5-1.7/src/configure.in
Index: krb5-1.8-alpha1/src/configure.in
===================================================================
--- krb5-1.7.orig/src/configure.in
+++ krb5-1.7/src/configure.in
@@ -1041,6 +1041,69 @@ dnl
AC_CONFIG_SUBDIRS(appl/libpty appl/bsd appl/gssftp appl/telnet)
--- krb5-1.8-alpha1.orig/src/configure.in
+++ krb5-1.8-alpha1/src/configure.in
@@ -1052,6 +1052,58 @@ if test "$ac_cv_lib_socket" = "yes" -a "
fi
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
+
@ -118,18 +71,8 @@ Index: krb5-1.7/src/configure.in
+AC_SUBST(manlocalstatedir)
+AC_SUBST(manlibexecdir)
+AC_OUTPUT([
+ appl/bsd/klogind.M
+ appl/bsd/kshd.M
+ appl/bsd/login.M
+ appl/bsd/rcp.M
+ appl/bsd/rlogin.M
+ appl/bsd/rsh.M
+ appl/gssftp/ftpd/ftpd.M
+ appl/gssftp/ftp/ftp.M
+ appl/sample/sclient/sclient.M
+ appl/sample/sserver/sserver.M
+ appl/telnet/telnetd/telnetd.8
+ appl/telnet/telnet/telnet.1
+ clients/kcpytkt/kcpytkt.M
+ clients/kdeltkt/kdeltkt.M
+ clients/kdestroy/kdestroy.M
@ -147,7 +90,6 @@ Index: krb5-1.7/src/configure.in
+ kadmin/cli/kadmin.M
+ kadmin/dbutil/kdb5_util.M
+ kadmin/ktutil/ktutil.M
+ kadmin/passwd/kpasswd.M
+ kadmin/server/kadmind.M
+ kdc/krb5kdc.M
+ krb5-config.M
@ -164,11 +106,11 @@ Index: krb5-1.7/src/configure.in
V5_AC_OUTPUT_MAKEFILE(.
util util/support util/profile util/send-pr
Index: krb5-1.7/src/kadmin/cli/kadmin.M
Index: krb5-1.8-alpha1/src/kadmin/cli/kadmin.M
===================================================================
--- krb5-1.7.orig/src/kadmin/cli/kadmin.M
+++ krb5-1.7/src/kadmin/cli/kadmin.M
@@ -850,9 +850,9 @@ option is specified, less verbose status
--- krb5-1.8-alpha1.orig/src/kadmin/cli/kadmin.M
+++ krb5-1.8-alpha1/src/kadmin/cli/kadmin.M
@@ -869,9 +869,9 @@ option is specified, less verbose status
.RS
.TP
EXAMPLE:
@ -180,7 +122,7 @@ Index: krb5-1.7/src/kadmin/cli/kadmin.M
kadmin:
.RE
.fi
@@ -894,7 +894,7 @@ passwords.
@@ -913,7 +913,7 @@ passwords.
.SH HISTORY
The
.B kadmin
@ -189,10 +131,10 @@ Index: krb5-1.7/src/kadmin/cli/kadmin.M
OpenVision Kerberos administration program.
.SH SEE ALSO
.IR kerberos (1),
Index: krb5-1.7/src/slave/kprop.M
Index: krb5-1.8-alpha1/src/slave/kprop.M
===================================================================
--- krb5-1.7.orig/src/slave/kprop.M
+++ krb5-1.7/src/slave/kprop.M
--- krb5-1.8-alpha1.orig/src/slave/kprop.M
+++ krb5-1.8-alpha1/src/slave/kprop.M
@@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv
This is done by transmitting the dumped database file to the slave
server over an encrypted, secure channel. The dump file must be created
@ -211,10 +153,10 @@ Index: krb5-1.7/src/slave/kprop.M
.TP
\fB\-P\fP \fIport\fP
specifies the port to use to contact the
Index: krb5-1.7/src/slave/kpropd.M
Index: krb5-1.8-alpha1/src/slave/kpropd.M
===================================================================
--- krb5-1.7.orig/src/slave/kpropd.M
+++ krb5-1.7/src/slave/kpropd.M
--- krb5-1.8-alpha1.orig/src/slave/kpropd.M
+++ krb5-1.8-alpha1/src/slave/kpropd.M
@@ -74,7 +74,7 @@ Normally, kpropd is invoked out of
This is done by adding a line to the inetd.conf file which looks like
this:
@ -222,7 +164,7 @@ Index: krb5-1.7/src/slave/kpropd.M
-kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
+kprop stream tcp nowait root @mansbindir@/kpropd kpropd
However, kpropd can also run as a standalone deamon, if the
However, kpropd can also run as a standalone daemon, if the
.B \-S
@@ -111,13 +111,13 @@ is used.
\fB\-f\fP \fIfile\fP

11
krb5-1.7-manpaths.txt
View File

@ -1,15 +1,5 @@
appl/bsd/klogind.M
appl/bsd/kshd.M
appl/bsd/login.M
appl/bsd/rcp.M
appl/bsd/rlogin.M
appl/bsd/rsh.M
appl/gssftp/ftpd/ftpd.M
appl/gssftp/ftp/ftp.M
appl/sample/sclient/sclient.M
appl/sample/sserver/sserver.M
appl/telnet/telnetd/telnetd.8
appl/telnet/telnet/telnet.1
clients/kcpytkt/kcpytkt.M
clients/kdeltkt/kdeltkt.M
clients/kdestroy/kdestroy.M
@ -27,7 +17,6 @@ kadmin/cli/kadmin.local.M
kadmin/cli/kadmin.M
kadmin/dbutil/kdb5_util.M
kadmin/ktutil/ktutil.M
kadmin/passwd/kpasswd.M
kadmin/server/kadmind.M
kdc/krb5kdc.M
krb5-config.M

3
krb5-1.7.tar.bz2
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:2043f38c46a9721cfab28f0fdf876af17d542cab458a87d0324783189e9570cd
size 10407001

315
krb5-1.8-POST.dif Normal file
View File

@ -0,0 +1,315 @@
Index: doc/admin.texinfo
===================================================================
--- doc/admin.texinfo.orig
+++ doc/admin.texinfo
@@ -516,13 +516,6 @@ DCE do not support the default cache as
Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on
DCE 1.1 systems. The default value is @value{DefaultCcacheType}.
-@ignore
-@itemx tkt_lifetime
-The default lifetime of a ticket. The default is
-@value{DefaultTktLifetime}. This is currently not supported by the
-code.
-@end ignore
-
@itemx dns_lookup_kdc
Indicate whether DNS SRV records should be used to locate the KDCs and
other servers for a realm, if they are not listed in the information for
@@ -583,6 +576,11 @@ If this flag is set, then an attempt to
fail if the client machine does not have a keytab. The default for the
flag is @value{DefaultVerifyApReqNofail}.
+@itemx ticket_lifetime
+The value of this tag is the default lifetime for
+initial tickets. The default value for the tag is
+@value{DefaultTktLifetime}.
+
@itemx renew_lifetime
The value of this tag is the default renewable lifetime for
initial tickets. The default value for the tag is
Index: src/include/krb5/krb5.hin
===================================================================
--- src/include/krb5/krb5.hin.orig
+++ src/include/krb5/krb5.hin
@@ -1066,7 +1066,7 @@ krb5_verify_checksum(krb5_context contex
#define KRB5_AUTHDATA_SESAME 65
#define KRB5_AUTHDATA_WIN2K_PAC 128
#define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /* RFC 4537 */
-#define KRB5_AUTHDATA_SIGNTICKET 142
+#define KRB5_AUTHDATA_SIGNTICKET 512 /* formerly 142 in krb5 1.8 */
#define KRB5_AUTHDATA_FX_ARMOR 71
/* password change constants */
@@ -1184,6 +1184,19 @@ typedef struct _krb5_pa_data {
krb5_octet *contents;
} krb5_pa_data;
+/* typed data */
+/*
+ * The FAST error handling logic currently assumes that this structure and
+ * krb5_pa_data * can be safely cast to each other if this structure changes,
+ * that code needs to be updated to copy.
+ */
+typedef struct _krb5_typed_data {
+ krb5_magic magic;
+ krb5_int32 type;
+ unsigned int length;
+ krb5_octet *data;
+} krb5_typed_data;
+
typedef struct _krb5_kdc_req {
krb5_magic magic;
krb5_msgtype msg_type; /* AS_REQ or TGS_REQ? */
Index: src/include/k5-int-pkinit.h
===================================================================
--- src/include/k5-int-pkinit.h.orig
+++ src/include/k5-int-pkinit.h
@@ -101,17 +101,6 @@ typedef struct _krb5_trusted_ca {
} u;
} krb5_trusted_ca;
-/* typed data */
-/* The FAST error handling logic currently assumes that this structure and krb5_pa_data * can be safely cast to each other
- * if this structure changes, that code needs to be updated to copy.
- */
-typedef struct _krb5_typed_data {
- krb5_magic magic;
- krb5_int32 type;
- unsigned int length;
- krb5_octet *data;
-} krb5_typed_data;
-
/* PA-PK-AS-REQ (Draft 9 -- PA TYPE 14) */
typedef struct _krb5_pa_pk_as_req_draft9 {
krb5_octet_data signedAuthPack;
Index: src/kdc/kdc_authdata.c
===================================================================
--- src/kdc/kdc_authdata.c.orig
+++ src/kdc/kdc_authdata.c
@@ -934,8 +934,12 @@ verify_ad_signedpath(krb5_context contex
enc_sp.length = sp_authdata[0]->length;
code = decode_krb5_ad_signedpath(&enc_sp, &sp);
- if (code != 0)
+ if (code != 0) {
+ /* Treat an invalid signedpath authdata element as a missing one, since
+ * we believe MS is using the same number for something else. */
+ code = 0;
goto cleanup;
+ }
code = verify_ad_signedpath_checksum(context,
krbtgt,
Index: src/kdc/do_tgs_req.c
===================================================================
--- src/kdc/do_tgs_req.c.orig
+++ src/kdc/do_tgs_req.c
@@ -1215,6 +1215,7 @@ prep_reprocess_req(krb5_kdc_req *request
strlcpy(comp1_str,comp1->data,comp1->length+1);
if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST ||
+ krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_INST ||
(krb5_princ_type(kdc_context, request->server) == KRB5_NT_UNKNOWN &&
kdc_active_realm->realm_host_based_services != NULL &&
(krb5_match_config_pattern(kdc_active_realm->realm_host_based_services,
Index: src/clients/kpasswd/kpasswd.c
===================================================================
--- src/clients/kpasswd/kpasswd.c.orig
+++ src/clients/kpasswd/kpasswd.c
@@ -47,7 +47,7 @@ int main(int argc, char *argv[])
{
krb5_error_code ret;
krb5_context context;
- krb5_principal princ;
+ krb5_principal princ = NULL;
char *pname;
krb5_ccache ccache;
krb5_get_init_creds_opt *opts = NULL;
@@ -84,23 +84,27 @@ int main(int argc, char *argv[])
com_err(argv[0], ret, "parsing client name");
exit(1);
}
- } else if ((ret = krb5_cc_default(context, &ccache)) != KRB5_CC_NOTFOUND) {
- if (ret) {
+ } else {
+ ret = krb5_cc_default(context, &ccache);
+ if (ret != 0) {
com_err(argv[0], ret, "opening default ccache");
exit(1);
}
- if ((ret = krb5_cc_get_principal(context, ccache, &princ))) {
+ ret = krb5_cc_get_principal(context, ccache, &princ);
+ if (ret != 0 && ret != KRB5_CC_NOTFOUND && ret != KRB5_FCC_NOFILE) {
com_err(argv[0], ret, "getting principal from ccache");
exit(1);
}
- if ((ret = krb5_cc_close(context, ccache))) {
+ ret = krb5_cc_close(context, ccache);
+ if (ret != 0) {
com_err(argv[0], ret, "closing ccache");
exit(1);
}
- } else {
- get_name_from_passwd_file(argv[0], context, &princ);
+
+ if (princ == NULL)
+ get_name_from_passwd_file(argv[0], context, &princ);
}
if ((ret = krb5_get_init_creds_opt_alloc(context, &opts))) {
Index: src/config-files/krb5.conf.M
===================================================================
--- src/config-files/krb5.conf.M.orig
+++ src/config-files/krb5.conf.M
@@ -220,6 +220,10 @@ If this flag is set, then an attempt to
fail if the client machine does not have a keytab. The default for the
flag is false.
+.IP ticket_lifetime
+The value of this tag is the default lifetime for initial tickets. The
+default value for the tag is 1 day (1d).
+
.IP renew_lifetime
The value of this tag is the default renewable lifetime for initial
tickets. The default value for the tag is 0.
Index: src/lib/gssapi/spnego/spnego_mech.c
===================================================================
--- src/lib/gssapi/spnego/spnego_mech.c.orig
+++ src/lib/gssapi/spnego/spnego_mech.c
@@ -1693,6 +1693,7 @@ cleanup:
if (sc->internal_name != GSS_C_NO_NAME &&
src_name != NULL) {
*src_name = sc->internal_name;
+ sc->internal_name = GSS_C_NO_NAME;
}
release_spnego_ctx(&sc);
} else if (ret != GSS_S_CONTINUE_NEEDED) {
@@ -2578,6 +2579,8 @@ release_spnego_ctx(spnego_gss_ctx_id_t *
(void) generic_gss_release_oid(&minor_stat,
&context->internal_mech);
+ (void) gss_release_name(&minor_stat, &context->internal_name);
+
if (context->optionStr != NULL) {
free(context->optionStr);
context->optionStr = NULL;
Index: src/lib/kadm5/srv/svr_principal.c
===================================================================
--- src/lib/kadm5/srv/svr_principal.c.orig
+++ src/lib/kadm5/srv/svr_principal.c
@@ -858,8 +858,8 @@ kadm5_get_principal(void *server_handle,
if (! (mask & KADM5_MOD_TIME))
entry->mod_date = 0;
if (! (mask & KADM5_MOD_NAME)) {
- krb5_free_principal(handle->context, entry->principal);
- entry->principal = NULL;
+ krb5_free_principal(handle->context, entry->mod_name);
+ entry->mod_name = NULL;
}
}
@@ -871,10 +871,12 @@ kadm5_get_principal(void *server_handle,
if (kdb.key_data[i].key_data_kvno > entry->kvno)
entry->kvno = kdb.key_data[i].key_data_kvno;
- ret = krb5_dbe_get_mkvno(handle->context, &kdb, master_keylist,
- &entry->mkvno);
- if (ret)
- goto done;
+ if (mask & KADM5_MKVNO) {
+ ret = krb5_dbe_get_mkvno(handle->context, &kdb, master_keylist,
+ &entry->mkvno);
+ if (ret)
+ goto done;
+ }
if (mask & KADM5_MAX_RLIFE)
entry->max_renewable_life = kdb.max_renewable_life;
Index: src/lib/krb5/os/changepw.c
===================================================================
--- src/lib/krb5/os/changepw.c.orig
+++ src/lib/krb5/os/changepw.c
@@ -65,20 +65,23 @@ locate_kpasswd(krb5_context context, con
int sockType = (useTcp ? SOCK_STREAM : SOCK_DGRAM);
code = krb5int_locate_server (context, realm, addrlist,
- locate_service_kpasswd, sockType, AF_INET);
+ locate_service_kpasswd, sockType, AF_UNSPEC);
if (code == KRB5_REALM_CANT_RESOLVE || code == KRB5_REALM_UNKNOWN) {
code = krb5int_locate_server (context, realm, addrlist,
locate_service_kadmin, SOCK_STREAM,
- AF_INET);
+ AF_UNSPEC);
if (!code) {
/* Success with admin_server but now we need to change the
port number to use DEFAULT_KPASSWD_PORT and the socktype. */
size_t i;
for (i=0; i<addrlist->naddrs; i++) {
struct addrinfo *a = addrlist->addrs[i].ai;
+ krb5_ui_2 kpasswd_port = htons(DEFAULT_KPASSWD_PORT);
if (a->ai_family == AF_INET)
- sa2sin (a->ai_addr)->sin_port = htons(DEFAULT_KPASSWD_PORT);
+ sa2sin (a->ai_addr)->sin_port = kpasswd_port;
+ if (a->ai_family == AF_INET6)
+ sa2sin6 (a->ai_addr)->sin6_port = kpasswd_port;
if (sockType != SOCK_STREAM)
a->ai_socktype = sockType;
}
@@ -131,10 +134,16 @@ kpasswd_sendto_msg_callback(struct conn_
/* some brain-dead OS's don't return useful information from
* the getsockname call. Namely, windows and solaris. */
- if (ss2sin(&local_addr)->sin_addr.s_addr != 0) {
+ if (local_addr.ss_family == AF_INET &&
+ ss2sin(&local_addr)->sin_addr.s_addr != 0) {
local_kaddr.addrtype = ADDRTYPE_INET;
local_kaddr.length = sizeof(ss2sin(&local_addr)->sin_addr);
local_kaddr.contents = (krb5_octet *) &ss2sin(&local_addr)->sin_addr;
+ } else if (local_addr.ss_family == AF_INET6 &&
+ ss2sin6(&local_addr)->sin6_addr.s6_addr != 0) {
+ local_kaddr.addrtype = ADDRTYPE_INET6;
+ local_kaddr.length = sizeof(ss2sin6(&local_addr)->sin6_addr);
+ local_kaddr.contents = (krb5_octet *) &ss2sin6(&local_addr)->sin6_addr;
} else {
krb5_address **addrs;
@@ -290,9 +299,19 @@ change_set_password(krb5_context context
break;
}
- remote_kaddr.addrtype = ADDRTYPE_INET;
- remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr);
- remote_kaddr.contents = (krb5_octet *) &ss2sin(&remote_addr)->sin_addr;
+ if (remote_addr.ss_family == AF_INET) {
+ remote_kaddr.addrtype = ADDRTYPE_INET;
+ remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr);
+ remote_kaddr.contents =
+ (krb5_octet *) &ss2sin(&remote_addr)->sin_addr;
+ } else if (remote_addr.ss_family == AF_INET6) {
+ remote_kaddr.addrtype = ADDRTYPE_INET6;
+ remote_kaddr.length = sizeof(ss2sin6(&remote_addr)->sin6_addr);
+ remote_kaddr.contents =
+ (krb5_octet *) &ss2sin6(&remote_addr)->sin6_addr;
+ } else {
+ break;
+ }
if ((code = krb5_auth_con_setaddrs(callback_ctx.context,
callback_ctx.auth_context,
Index: src/lib/krb5/krb/gic_pwd.c
===================================================================
--- src/lib/krb5/krb/gic_pwd.c.orig
+++ src/lib/krb5/krb/gic_pwd.c
@@ -218,7 +218,7 @@ krb5_get_init_creds_password(krb5_contex
* to prompt. Prompting is only disabled if the option has been set
* and the value has been set to false.
*/
- if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
+ if (options && !(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
goto cleanup;
/* ok, we have an expired password. Give the user a few chances

0
krb5-1.7-rpmlintrc → krb5-1.8-rpmlintrc
View File

3
krb5-1.8.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:10890ef19905e36e99d82cbe7caa6e8b0875b2a304f9a9e2d05137c87aff8212
size 9958816

0
krb5-doc-1.7-rpmlintrc → krb5-doc-1.8-rpmlintrc
View File

11
krb5-doc.changes
View File

@ -1,3 +1,14 @@
-------------------------------------------------------------------
Tue Mar 23 12:38:29 CET 2010 - mc@suse.de
- add post 1.8 fixes
* Document the ticket_lifetime libdefaults setting
-------------------------------------------------------------------
Thu Mar 4 11:45:22 CET 2010 - mc@suse.de
- update to version 1.8
-------------------------------------------------------------------
Wed Jun 3 10:47:07 CEST 2009 - mc@suse.de

13
krb5-doc.spec
View File

@ -1,5 +1,5 @@
#
# spec file for package krb5-doc (Version 1.7)
# spec file for package krb5-doc (Version 1.8)
#
# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@ -20,18 +20,18 @@
Name: krb5-doc
BuildRequires: ghostscript-library latex2html texlive
Version: 1.7
Release: 7
%define srcRoot krb5-1.7
Version: 1.8
Release: 1
%define srcRoot krb5-1.8
Summary: MIT Kerberos5 Implementation--Documentation
License: MIT License (or similar)
Url: http://web.mit.edu/kerberos/www/
Group: Documentation/Other
Source: krb5-%{version}.tar.bz2
Source1: README.Source
Source: krb5-1.8.tar.bz2
Source3: %{name}-%{version}-rpmlintrc
Patch0: krb5-1.3.5-perlfix.dif
Patch1: krb5-1.6.3-texi2dvi-fix.dif
Patch2: krb5-1.8-POST.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch
@ -54,6 +54,7 @@ Authors:
%setup -n %{srcRoot}
%patch0
%patch1
%patch2
%build

38
krb5-mini.changes
View File

@ -1,11 +1,43 @@
-------------------------------------------------------------------
Thu Jan 7 11:45:14 CET 2010 - mc@suse.de
Tue Mar 23 12:33:26 CET 2010 - mc@suse.de
- add post 1.8 fixes
* Add IPv6 support to changepw.c
* fix two problems in kadm5_get_principal mask handling
* Ignore improperly encoded signedpath AD elements
* handle NT_SRV_INST in service principal referrals
* dereference options while checking
KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT
* Fix the kpasswd fallback from the ccache principal name
* Document the ticket_lifetime libdefaults setting
* Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512
-------------------------------------------------------------------
Thu Mar 4 10:42:29 CET 2010 - mc@suse.de
- update to version 1.8
* Increase code quality
* Move toward improved KDB interface
* Investigate and remedy repeatedly-reported performance
bottlenecks.
* Reduce DNS dependence by implementing an interface that allows
client library to track whether a KDC supports service
principal referrals.
* Disable DES by default
* Account lockout for repeated login failures
* Bridge layer to allow Heimdal HDB modules to act as KDB
backend modules
* FAST enhancements
* Microsoft Services for User (S4U) compatibility
* Anonymous PKINIT
- fix KDC denial of service
CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781)
- fix KDC denial of service in cross-realm referral processing
CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347)
- fix integer underflow in AES and RC4 decryption
CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351)
CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351)
- moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl
-------------------------------------------------------------------
Mon Dec 14 16:32:01 CET 2009 - jengelh@medozas.de

172
krb5-mini.spec
View File

@ -1,5 +1,5 @@
#
# spec file for package krb5-mini (Version 1.7)
# spec file for package krb5 (Version 1.8)
#
# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@ -18,7 +18,7 @@
# norootforbuild
%define build_mini 1
%define srcRoot krb5-1.7
%define srcRoot krb5-1.8
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@ -27,8 +27,8 @@ License: MIT License (or similar)
Url: http://web.mit.edu/kerberos/www/
BuildRequires: bison libcom_err-devel ncurses-devel
BuildRequires: keyutils keyutils-devel
Version: 1.7
Release: 7
Version: 1.8
Release: 1
%if ! 0%{?build_mini}
BuildRequires: libopenssl-devel openldap2-devel
# bug437293
@ -42,25 +42,20 @@ Group: Productivity/Networking/Security
Summary: MIT Kerberos5 Implementation--Libraries
Group: Productivity/Networking/Security
%endif
Source: krb5-1.7.tar.bz2
Source: krb5-1.8.tar.bz2
Source1: vendor-files.tar.bz2
Source2: README.Source
Source3: spx.c
Source4: baselibs.conf
Source2: baselibs.conf
Source5: krb5-%{version}-rpmlintrc
Source10: krb5-1.7-manpaths.txt
Patch2: krb5-1.6.1-compile_pie.dif
Patch20: krb5-1.6.3-kprop-use-mkstemp.dif
Patch21: krb5-1.5.1-fix-var-used-before-value-set.dif
Patch22: krb5-1.5.1-fix-ftp-var-used-uninitialized.dif
Patch30: krb5-1.7-manpaths.dif
Patch32: krb5-1.4.3-enospc.dif
Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch41: krb5-1.6.3-kpasswd_tcp.patch
Patch44: krb5-1.6.3-ktutil-manpage.dif
Patch46: krb5-1.6.3-fix-ipv6-query.dif
Patch47: krb5-1.7-MITKRB5-SA-2009-003.dif
Patch48: krb5-1.7-MITKRB5-SA-2009-004.dif
Patch50: krb5-1.8-POST.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
@ -117,46 +112,6 @@ and more.
Authors:
--------
The MIT Kerberos Team
Sam Hartman <hartmans@mit.edu>
Ken Raeburn <raeburn@mit.edu>
Tom Yu <tlyu@mit.edu>
%package apps-servers
License: MIT License (or similar)
Summary: MIT Kerberos5 server applications
Group: Productivity/Networking/Security
%description apps-servers
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes some kerberos
compatible server applications like ftpd, klogind, telnetd, ...
Authors:
--------
The MIT Kerberos Team
Sam Hartman <hartmans@mit.edu>
Ken Raeburn <raeburn@mit.edu>
Tom Yu <tlyu@mit.edu>
%package apps-clients
License: MIT License (or similar)
Summary: MIT Kerberos5 client applications
Group: Productivity/Networking/Security
%description apps-clients
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes some kerberos
compatible client applications like ftp, rpc, rlogin, telnet, ...
Authors:
--------
The MIT Kerberos Team
@ -240,25 +195,15 @@ Authors:
%prep
%setup -q -n %{srcRoot}
%setup -a 1 -T -D -n %{srcRoot}
if [ -e %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c ]
then
echo "spx.c contains potential legal risks."
exit 1;
else
cp %{SOURCE3} %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c
fi
%patch2
%patch20
%patch21
%patch22
%patch30 -p1
%patch32 -p1
%patch34 -p1
%patch41
%patch44 -p1
%patch46 -p1
%patch47 -p1
%patch48 -p1
%patch50
# Rename the man pages so that they'll get generated correctly.
pushd src
cat %{SOURCE10} | while read manpage ; do
@ -319,12 +264,6 @@ install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.c
install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh
install -m 644 %{vendorFiles}/SuSEFirewall.kdc %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc
install -m 644 %{vendorFiles}/SuSEFirewall.kadmind %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind
for n in ftpd.8 telnetd.8; do
mv %{buildroot}%{_mandir}/man8/${n} %{buildroot}%{_mandir}/man8/k${n}
done
for n in ftp.1 rlogin.1 rcp.1 rsh.1 telnet.1; do
mv %{buildroot}%{_mandir}/man1/${n} %{buildroot}%{_mandir}/man1/k${n}
done
# all libs must have permissions 0755
for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
do
@ -337,12 +276,6 @@ mkdir -p %{buildroot}%{_sysconfdir}/init.d
install -m 755 %{vendorFiles}/kadmind.init %{buildroot}%{_sysconfdir}/init.d/kadmind
install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb5kdc
install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd
# install xinetd files
mkdir -p %{buildroot}%{_sysconfdir}/xinetd.d
install -m 644 %{vendorFiles}/klogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/klogin
install -m 644 %{vendorFiles}/eklogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/eklogin
install -m 644 %{vendorFiles}/krb5-telnet.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/ktelnet
install -m 644 %{vendorFiles}/kshell.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/kshell
# install logrotate files
mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server
@ -421,7 +354,9 @@ rm -rf %{buildroot}
%dir /usr/lib/mit/sbin
%{_libdir}/libgssrpc.so
%{_libdir}/libk5crypto.so
%{_libdir}/libkadm5clnt_mit.so
%{_libdir}/libkadm5clnt.so
%{_libdir}/libkadm5srv_mit.so
%{_libdir}/libkadm5srv.so
%{_libdir}/libkdb5.so
%{_libdir}/libkrb5.so
@ -455,17 +390,13 @@ rm -rf %{buildroot}
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict
%config(noreplace) %{_sysconfdir}/xinetd.d/klogin
%config(noreplace) %{_sysconfdir}/xinetd.d/eklogin
%config(noreplace) %{_sysconfdir}/xinetd.d/kshell
%config(noreplace) %{_sysconfdir}/xinetd.d/ktelnet
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k*
%{_sysconfdir}/init.d/*
%{_libdir}/libgssapi_krb5.*
%{_libdir}/libgssrpc.so.*
%{_libdir}/libk5crypto.so.*
%{_libdir}/libkadm5clnt.so.*
%{_libdir}/libkadm5srv.so.*
%{_libdir}/libkadm5clnt_mit.so.*
%{_libdir}/libkadm5srv_mit.so.*
%{_libdir}/libkdb5.so.*
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
@ -479,15 +410,10 @@ rm -rf %{buildroot}
/usr/lib/mit/sbin/kprop
/usr/lib/mit/sbin/kdb5_util
/usr/lib/mit/sbin/krb5kdc
/usr/lib/mit/sbin/ftpd
/usr/lib/mit/sbin/klogind
/usr/lib/mit/sbin/kshd
/usr/lib/mit/sbin/telnetd
/usr/lib/mit/sbin/uuserver
/usr/lib/mit/sbin/sserver
/usr/lib/mit/sbin/gss-server
/usr/lib/mit/sbin/sim_server
/usr/lib/mit/sbin/login.krb5
/usr/lib/mit/bin/k5srvutil
/usr/lib/mit/bin/kvno
/usr/lib/mit/bin/kinit
@ -497,16 +423,10 @@ rm -rf %{buildroot}
/usr/lib/mit/bin/kadmin
/usr/lib/mit/bin/ktutil
%attr(0755,root,root) /usr/lib/mit/bin/ksu
/usr/lib/mit/bin/rcp
/usr/lib/mit/bin/rsh
/usr/lib/mit/bin/telnet
/usr/lib/mit/bin/uuclient
/usr/lib/mit/bin/sclient
/usr/lib/mit/bin/gss-client
/usr/lib/mit/bin/sim_client
/usr/lib/mit/bin/ftp
/usr/lib/mit/bin/rlogin
#/usr/lib/mit/bin/*
/usr/bin/kinit
/usr/bin/klist
/usr/bin/rc*
@ -517,12 +437,7 @@ rm -rf %{buildroot}
%{_mandir}/man1/kpasswd.1*
%{_mandir}/man1/klist.1*
%{_mandir}/man1/kerberos.1*
%{_mandir}/man1/kftp.1*
%{_mandir}/man1/krlogin.1*
%{_mandir}/man1/krsh.1*
%{_mandir}/man1/ktelnet.1*
%{_mandir}/man1/ksu.1*
%{_mandir}/man1/krcp.1*
%{_mandir}/man1/sclient.1*
%{_mandir}/man1/kadmin.1*
%{_mandir}/man1/ktutil.1*
@ -549,8 +464,8 @@ rm -rf %{buildroot}
%{_libdir}/libgssapi_krb5.*
%{_libdir}/libgssrpc.so.*
%{_libdir}/libk5crypto.so.*
%{_libdir}/libkadm5clnt.so.*
%{_libdir}/libkadm5srv.so.*
%{_libdir}/libkadm5clnt_mit.so.*
%{_libdir}/libkadm5srv_mit.so.*
%{_libdir}/libkdb5.so.*
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
@ -582,6 +497,10 @@ rm -rf %{buildroot}
/usr/lib/mit/sbin/kprop
/usr/lib/mit/sbin/kdb5_util
/usr/lib/mit/sbin/krb5kdc
/usr/lib/mit/sbin/gss-server
/usr/lib/mit/sbin/sim_server
/usr/lib/mit/sbin/sserver
/usr/lib/mit/sbin/uuserver
%{_libdir}/krb5/plugins/kdb/db2.so
%{_mandir}/man5/kdc.conf.5*
%{_mandir}/man8/kadmind.8*
@ -591,6 +510,7 @@ rm -rf %{buildroot}
%{_mandir}/man8/kproplog.8.gz
%{_mandir}/man8/kdb5_util.8*
%{_mandir}/man8/krb5kdc.8*
%{_mandir}/man8/sserver.8*
%files client
%defattr(-,root,root)
@ -605,6 +525,11 @@ rm -rf %{buildroot}
/usr/lib/mit/bin/kadmin
/usr/lib/mit/bin/ktutil
/usr/lib/mit/bin/k5srvutil
/usr/lib/mit/bin/gss-client
/usr/lib/mit/bin/ksu
/usr/lib/mit/bin/sclient
/usr/lib/mit/bin/sim_client
/usr/lib/mit/bin/uuclient
/usr/bin/kinit
/usr/bin/klist
%{_mandir}/man1/kvno.1*
@ -618,53 +543,8 @@ rm -rf %{buildroot}
%{_mandir}/man1/k5srvutil.1*
%{_mandir}/man5/krb5.conf.5*
%{_mandir}/man5/.k5login.5*
%files apps-servers
%defattr(-,root,root)
%config(noreplace) %{_sysconfdir}/xinetd.d/klogin
%config(noreplace) %{_sysconfdir}/xinetd.d/eklogin
%config(noreplace) %{_sysconfdir}/xinetd.d/kshell
%config(noreplace) %{_sysconfdir}/xinetd.d/ktelnet
%dir /usr/lib/mit
%dir /usr/lib/mit/sbin
/usr/lib/mit/sbin/ftpd
/usr/lib/mit/sbin/klogind
/usr/lib/mit/sbin/kshd
/usr/lib/mit/sbin/telnetd
/usr/lib/mit/sbin/uuserver
/usr/lib/mit/sbin/sserver
/usr/lib/mit/sbin/gss-server
/usr/lib/mit/sbin/sim_server
/usr/lib/mit/sbin/login.krb5
%{_mandir}/man8/kftpd.8*
%{_mandir}/man8/klogind.8*
%{_mandir}/man8/kshd.8*
%{_mandir}/man8/ktelnetd.8*
%{_mandir}/man8/sserver.8*
%{_mandir}/man8/login.krb5.8*
%files apps-clients
%defattr(-,root,root)
%dir /usr/lib/mit
%dir /usr/lib/mit/bin
/usr/lib/mit/bin/ftp
/usr/lib/mit/bin/rlogin
# removed SUID bit, we will rely on su + pam_krb
%attr(0755,root,root) /usr/lib/mit/bin/ksu
/usr/lib/mit/bin/rcp
/usr/lib/mit/bin/rsh
/usr/lib/mit/bin/telnet
/usr/lib/mit/bin/uuclient
/usr/lib/mit/bin/sclient
/usr/lib/mit/bin/gss-client
/usr/lib/mit/bin/sim_client
%{_mandir}/man1/kftp.1*
%{_mandir}/man1/krlogin.1*
%{_mandir}/man1/krsh.1*
%{_mandir}/man1/ktelnet.1*
%{_mandir}/man1/ksu.1*
%{_mandir}/man1/krcp.1*
%{_mandir}/man1/sclient.1*
%{_mandir}/man1/ksu.1.gz
%{_mandir}/man1/sclient.1.gz
%files plugin-kdb-ldap
%defattr(-,root,root)

38
krb5.changes
View File

@ -1,11 +1,43 @@
-------------------------------------------------------------------
Thu Jan 7 11:45:14 CET 2010 - mc@suse.de
Tue Mar 23 12:33:26 CET 2010 - mc@suse.de
- add post 1.8 fixes
* Add IPv6 support to changepw.c
* fix two problems in kadm5_get_principal mask handling
* Ignore improperly encoded signedpath AD elements
* handle NT_SRV_INST in service principal referrals
* dereference options while checking
KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT
* Fix the kpasswd fallback from the ccache principal name
* Document the ticket_lifetime libdefaults setting
* Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512
-------------------------------------------------------------------
Thu Mar 4 10:42:29 CET 2010 - mc@suse.de
- update to version 1.8
* Increase code quality
* Move toward improved KDB interface
* Investigate and remedy repeatedly-reported performance
bottlenecks.
* Reduce DNS dependence by implementing an interface that allows
client library to track whether a KDC supports service
principal referrals.
* Disable DES by default
* Account lockout for repeated login failures
* Bridge layer to allow Heimdal HDB modules to act as KDB
backend modules
* FAST enhancements
* Microsoft Services for User (S4U) compatibility
* Anonymous PKINIT
- fix KDC denial of service
CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781)
- fix KDC denial of service in cross-realm referral processing
CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347)
- fix integer underflow in AES and RC4 decryption
CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351)
CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351)
- moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl
-------------------------------------------------------------------
Mon Dec 14 16:32:01 CET 2009 - jengelh@medozas.de

172
krb5.spec
View File

@ -1,5 +1,5 @@
#
# spec file for package krb5 (Version 1.7)
# spec file for package krb5 (Version 1.8)
#
# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@ -18,7 +18,7 @@
# norootforbuild
%define build_mini 0
%define srcRoot krb5-1.7
%define srcRoot krb5-1.8
%define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/
%define krb5docdir %{_defaultdocdir}/krb5
@ -27,8 +27,8 @@ License: MIT License (or similar)
Url: http://web.mit.edu/kerberos/www/
BuildRequires: bison libcom_err-devel ncurses-devel
BuildRequires: keyutils keyutils-devel
Version: 1.7
Release: 7
Version: 1.8
Release: 1
%if ! 0%{?build_mini}
BuildRequires: libopenssl-devel openldap2-devel
# bug437293
@ -42,25 +42,20 @@ Group: Productivity/Networking/Security
Summary: MIT Kerberos5 Implementation--Libraries
Group: Productivity/Networking/Security
%endif
Source: krb5-1.7.tar.bz2
Source: krb5-1.8.tar.bz2
Source1: vendor-files.tar.bz2
Source2: README.Source
Source3: spx.c
Source4: baselibs.conf
Source2: baselibs.conf
Source5: krb5-%{version}-rpmlintrc
Source10: krb5-1.7-manpaths.txt
Patch2: krb5-1.6.1-compile_pie.dif
Patch20: krb5-1.6.3-kprop-use-mkstemp.dif
Patch21: krb5-1.5.1-fix-var-used-before-value-set.dif
Patch22: krb5-1.5.1-fix-ftp-var-used-uninitialized.dif
Patch30: krb5-1.7-manpaths.dif
Patch32: krb5-1.4.3-enospc.dif
Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif
Patch41: krb5-1.6.3-kpasswd_tcp.patch
Patch44: krb5-1.6.3-ktutil-manpage.dif
Patch46: krb5-1.6.3-fix-ipv6-query.dif
Patch47: krb5-1.7-MITKRB5-SA-2009-003.dif
Patch48: krb5-1.7-MITKRB5-SA-2009-004.dif
Patch50: krb5-1.8-POST.dif
BuildRoot: %{_tmppath}/%{name}-%{version}-build
PreReq: mktemp, grep, /bin/touch, coreutils
PreReq: %insserv_prereq %fillup_prereq
@ -117,46 +112,6 @@ and more.
Authors:
--------
The MIT Kerberos Team
Sam Hartman <hartmans@mit.edu>
Ken Raeburn <raeburn@mit.edu>
Tom Yu <tlyu@mit.edu>
%package apps-servers
License: MIT License (or similar)
Summary: MIT Kerberos5 server applications
Group: Productivity/Networking/Security
%description apps-servers
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes some kerberos
compatible server applications like ftpd, klogind, telnetd, ...
Authors:
--------
The MIT Kerberos Team
Sam Hartman <hartmans@mit.edu>
Ken Raeburn <raeburn@mit.edu>
Tom Yu <tlyu@mit.edu>
%package apps-clients
License: MIT License (or similar)
Summary: MIT Kerberos5 client applications
Group: Productivity/Networking/Security
%description apps-clients
Kerberos V5 is a trusted-third-party network authentication system,
which can improve your network's security by eliminating the insecure
practice of cleartext passwords. This package includes some kerberos
compatible client applications like ftp, rpc, rlogin, telnet, ...
Authors:
--------
The MIT Kerberos Team
@ -240,25 +195,15 @@ Authors:
%prep
%setup -q -n %{srcRoot}
%setup -a 1 -T -D -n %{srcRoot}
if [ -e %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c ]
then
echo "spx.c contains potential legal risks."
exit 1;
else
cp %{SOURCE3} %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c
fi
%patch2
%patch20
%patch21
%patch22
%patch30 -p1
%patch32 -p1
%patch34 -p1
%patch41
%patch44 -p1
%patch46 -p1
%patch47 -p1
%patch48 -p1
%patch50
# Rename the man pages so that they'll get generated correctly.
pushd src
cat %{SOURCE10} | while read manpage ; do
@ -319,12 +264,6 @@ install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.c
install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh
install -m 644 %{vendorFiles}/SuSEFirewall.kdc %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc
install -m 644 %{vendorFiles}/SuSEFirewall.kadmind %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind
for n in ftpd.8 telnetd.8; do
mv %{buildroot}%{_mandir}/man8/${n} %{buildroot}%{_mandir}/man8/k${n}
done
for n in ftp.1 rlogin.1 rcp.1 rsh.1 telnet.1; do
mv %{buildroot}%{_mandir}/man1/${n} %{buildroot}%{_mandir}/man1/k${n}
done
# all libs must have permissions 0755
for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"`
do
@ -337,12 +276,6 @@ mkdir -p %{buildroot}%{_sysconfdir}/init.d
install -m 755 %{vendorFiles}/kadmind.init %{buildroot}%{_sysconfdir}/init.d/kadmind
install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb5kdc
install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd
# install xinetd files
mkdir -p %{buildroot}%{_sysconfdir}/xinetd.d
install -m 644 %{vendorFiles}/klogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/klogin
install -m 644 %{vendorFiles}/eklogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/eklogin
install -m 644 %{vendorFiles}/krb5-telnet.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/ktelnet
install -m 644 %{vendorFiles}/kshell.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/kshell
# install logrotate files
mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d
install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server
@ -421,7 +354,9 @@ rm -rf %{buildroot}
%dir /usr/lib/mit/sbin
%{_libdir}/libgssrpc.so
%{_libdir}/libk5crypto.so
%{_libdir}/libkadm5clnt_mit.so
%{_libdir}/libkadm5clnt.so
%{_libdir}/libkadm5srv_mit.so
%{_libdir}/libkadm5srv.so
%{_libdir}/libkdb5.so
%{_libdir}/libkrb5.so
@ -455,17 +390,13 @@ rm -rf %{buildroot}
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl
%attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict
%config(noreplace) %{_sysconfdir}/xinetd.d/klogin
%config(noreplace) %{_sysconfdir}/xinetd.d/eklogin
%config(noreplace) %{_sysconfdir}/xinetd.d/kshell
%config(noreplace) %{_sysconfdir}/xinetd.d/ktelnet
%config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k*
%{_sysconfdir}/init.d/*
%{_libdir}/libgssapi_krb5.*
%{_libdir}/libgssrpc.so.*
%{_libdir}/libk5crypto.so.*
%{_libdir}/libkadm5clnt.so.*
%{_libdir}/libkadm5srv.so.*
%{_libdir}/libkadm5clnt_mit.so.*
%{_libdir}/libkadm5srv_mit.so.*
%{_libdir}/libkdb5.so.*
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
@ -479,15 +410,10 @@ rm -rf %{buildroot}
/usr/lib/mit/sbin/kprop
/usr/lib/mit/sbin/kdb5_util
/usr/lib/mit/sbin/krb5kdc
/usr/lib/mit/sbin/ftpd
/usr/lib/mit/sbin/klogind
/usr/lib/mit/sbin/kshd
/usr/lib/mit/sbin/telnetd
/usr/lib/mit/sbin/uuserver
/usr/lib/mit/sbin/sserver
/usr/lib/mit/sbin/gss-server
/usr/lib/mit/sbin/sim_server
/usr/lib/mit/sbin/login.krb5
/usr/lib/mit/bin/k5srvutil
/usr/lib/mit/bin/kvno
/usr/lib/mit/bin/kinit
@ -497,16 +423,10 @@ rm -rf %{buildroot}
/usr/lib/mit/bin/kadmin
/usr/lib/mit/bin/ktutil
%attr(0755,root,root) /usr/lib/mit/bin/ksu
/usr/lib/mit/bin/rcp
/usr/lib/mit/bin/rsh
/usr/lib/mit/bin/telnet
/usr/lib/mit/bin/uuclient
/usr/lib/mit/bin/sclient
/usr/lib/mit/bin/gss-client
/usr/lib/mit/bin/sim_client
/usr/lib/mit/bin/ftp
/usr/lib/mit/bin/rlogin
#/usr/lib/mit/bin/*
/usr/bin/kinit
/usr/bin/klist
/usr/bin/rc*
@ -517,12 +437,7 @@ rm -rf %{buildroot}
%{_mandir}/man1/kpasswd.1*
%{_mandir}/man1/klist.1*
%{_mandir}/man1/kerberos.1*
%{_mandir}/man1/kftp.1*
%{_mandir}/man1/krlogin.1*
%{_mandir}/man1/krsh.1*
%{_mandir}/man1/ktelnet.1*
%{_mandir}/man1/ksu.1*
%{_mandir}/man1/krcp.1*
%{_mandir}/man1/sclient.1*
%{_mandir}/man1/kadmin.1*
%{_mandir}/man1/ktutil.1*
@ -549,8 +464,8 @@ rm -rf %{buildroot}
%{_libdir}/libgssapi_krb5.*
%{_libdir}/libgssrpc.so.*
%{_libdir}/libk5crypto.so.*
%{_libdir}/libkadm5clnt.so.*
%{_libdir}/libkadm5srv.so.*
%{_libdir}/libkadm5clnt_mit.so.*
%{_libdir}/libkadm5srv_mit.so.*
%{_libdir}/libkdb5.so.*
%{_libdir}/libkrb5.so.*
%{_libdir}/libkrb5support.so.*
@ -582,6 +497,10 @@ rm -rf %{buildroot}
/usr/lib/mit/sbin/kprop
/usr/lib/mit/sbin/kdb5_util
/usr/lib/mit/sbin/krb5kdc
/usr/lib/mit/sbin/gss-server
/usr/lib/mit/sbin/sim_server
/usr/lib/mit/sbin/sserver
/usr/lib/mit/sbin/uuserver
%{_libdir}/krb5/plugins/kdb/db2.so
%{_mandir}/man5/kdc.conf.5*
%{_mandir}/man8/kadmind.8*
@ -591,6 +510,7 @@ rm -rf %{buildroot}
%{_mandir}/man8/kproplog.8.gz
%{_mandir}/man8/kdb5_util.8*
%{_mandir}/man8/krb5kdc.8*
%{_mandir}/man8/sserver.8*
%files client
%defattr(-,root,root)
@ -605,6 +525,11 @@ rm -rf %{buildroot}
/usr/lib/mit/bin/kadmin
/usr/lib/mit/bin/ktutil
/usr/lib/mit/bin/k5srvutil
/usr/lib/mit/bin/gss-client
/usr/lib/mit/bin/ksu
/usr/lib/mit/bin/sclient
/usr/lib/mit/bin/sim_client
/usr/lib/mit/bin/uuclient
/usr/bin/kinit
/usr/bin/klist
%{_mandir}/man1/kvno.1*
@ -618,53 +543,8 @@ rm -rf %{buildroot}
%{_mandir}/man1/k5srvutil.1*
%{_mandir}/man5/krb5.conf.5*
%{_mandir}/man5/.k5login.5*
%files apps-servers
%defattr(-,root,root)
%config(noreplace) %{_sysconfdir}/xinetd.d/klogin
%config(noreplace) %{_sysconfdir}/xinetd.d/eklogin
%config(noreplace) %{_sysconfdir}/xinetd.d/kshell
%config(noreplace) %{_sysconfdir}/xinetd.d/ktelnet
%dir /usr/lib/mit
%dir /usr/lib/mit/sbin
/usr/lib/mit/sbin/ftpd
/usr/lib/mit/sbin/klogind
/usr/lib/mit/sbin/kshd
/usr/lib/mit/sbin/telnetd
/usr/lib/mit/sbin/uuserver
/usr/lib/mit/sbin/sserver
/usr/lib/mit/sbin/gss-server
/usr/lib/mit/sbin/sim_server
/usr/lib/mit/sbin/login.krb5
%{_mandir}/man8/kftpd.8*
%{_mandir}/man8/klogind.8*
%{_mandir}/man8/kshd.8*
%{_mandir}/man8/ktelnetd.8*
%{_mandir}/man8/sserver.8*
%{_mandir}/man8/login.krb5.8*
%files apps-clients
%defattr(-,root,root)
%dir /usr/lib/mit
%dir /usr/lib/mit/bin
/usr/lib/mit/bin/ftp
/usr/lib/mit/bin/rlogin
# removed SUID bit, we will rely on su + pam_krb
%attr(0755,root,root) /usr/lib/mit/bin/ksu
/usr/lib/mit/bin/rcp
/usr/lib/mit/bin/rsh
/usr/lib/mit/bin/telnet
/usr/lib/mit/bin/uuclient
/usr/lib/mit/bin/sclient
/usr/lib/mit/bin/gss-client
/usr/lib/mit/bin/sim_client
%{_mandir}/man1/kftp.1*
%{_mandir}/man1/krlogin.1*
%{_mandir}/man1/krsh.1*
%{_mandir}/man1/ktelnet.1*
%{_mandir}/man1/ksu.1*
%{_mandir}/man1/krcp.1*
%{_mandir}/man1/sclient.1*
%{_mandir}/man1/ksu.1.gz
%{_mandir}/man1/sclient.1.gz
%files plugin-kdb-ldap
%defattr(-,root,root)

0
ready
View File

50
spx.c
View File

@ -1,50 +0,0 @@
/*-
* Copyright (c) 1992, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* based on @(#)spx.c 8.1 (Berkeley) 6/4/93 */
#include "misc-proto.h"
#ifdef notdef
prkey(msg, key)
char *msg;
unsigned char *key;
{
register int i;
printf("%s:", msg);
for (i = 0; i < 8; i++)
printf(" %3d", key[i]);
printf("\r\n");
}
#endif

4
vendor-files.tar.bz2
View File

@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:cc8af64eb451283d9ed22d52848a923e65a50b5c80442fe3165f238efdd34571
size 182153
oid sha256:afd7fcef667fa671ba023b747d95c62dd83b03c4bb93c7132e1ae78fe837c35e
size 182067