diff --git a/README.Source b/README.Source
deleted file mode 100644
index 9bf6da7..0000000
--- a/README.Source
+++ /dev/null
@@ -1,9 +0,0 @@
-Because of potential legal risk we have removed the
-file "src/appl/telnet/libtelnet/spx.c" from the
-source tarball.
-
-If you want to see the original sources you can download
-them from
-
- http://web.mit.edu/kerberos/www/ .
-
diff --git a/krb5-1.4.3-enospc.dif b/krb5-1.4.3-enospc.dif
index 69c6328..0a0d9ce 100644
--- a/krb5-1.4.3-enospc.dif
+++ b/krb5-1.4.3-enospc.dif
@@ -1,24 +1,24 @@ If the error message is going to be ambiguous, try to give the user some clue by returning the last error reported by the OS. -Index: krb5-1.7/src/clients/kinit/kinit.c +Index: krb5-1.8-alpha1/src/clients/kinit/kinit.c =================================================================== ---- krb5-1.7.orig/src/clients/kinit/kinit.c -+++ krb5-1.7/src/clients/kinit/kinit.c -@@ -670,8 +670,14 @@ k5_kinit(opts, k5) - code = krb5_cc_initialize(k5->ctx, k5->cc, - opts->canonicalize ? my_creds.client : k5->me); - if (code) { -- com_err(progname, code, "when initializing cache %s", -- opts->k5_cache_name?opts->k5_cache_name:""); -+ if ((code == KRB5_CC_IO) && (errno != 0)) { -+ com_err(progname, code, "when initializing cache %s: %s", -+ opts->k5_cache_name?opts->k5_cache_name:"", -+ strerror(errno)); -+ } else { -+ com_err(progname, code, "when initializing cache %s", -+ opts->k5_cache_name?opts->k5_cache_name:""); -+ } - goto cleanup; - } +--- krb5-1.8-alpha1.orig/src/clients/kinit/kinit.c ++++ krb5-1.8-alpha1/src/clients/kinit/kinit.c +@@ -712,8 +712,14 @@ k5_kinit(opts, k5) + code = krb5_cc_initialize(k5->ctx, k5->cc, opts->canonicalize ? + my_creds.client : k5->me); + if (code) { +- com_err(progname, code, "when initializing cache %s", +- opts->k5_cache_name?opts->k5_cache_name:""); ++ if ((code == KRB5_CC_IO) && (errno != 0)) { ++ com_err(progname, code, "when initializing cache %s: %s", ++ opts->k5_cache_name?opts->k5_cache_name:"", ++ strerror(errno)); ++ } else { ++ com_err(progname, code, "when initializing cache %s", ++ opts->k5_cache_name?opts->k5_cache_name:""); ++ } + goto cleanup; + } diff --git a/krb5-1.5.1-fix-ftp-var-used-uninitialized.dif b/krb5-1.5.1-fix-ftp-var-used-uninitialized.dif deleted file mode 100644 index ad5f8c9..0000000 --- a/krb5-1.5.1-fix-ftp-var-used-uninitialized.dif +++ /dev/null 
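Review bot: `errno` is consulted in the new `(code == KRB5_CC_IO) && (errno != 0)` test without being cleared before `krb5_cc_initialize()`, so a value left over from an earlier, unrelated failure can be appended to the message and point the user at the wrong cause. Clearing it immediately before the call (`errno = 0;`) and copying it into a local as soon as the call returns would keep the extra text tied to this operation. The carried patch, as far as it is visible here, adds no `#include <errno.h>` to kinit.c; if the file does not already pull it in, that include is needed as well. The body of `k5_kinit` starts and continues outside this hunk.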
@@ -1,13 +0,0 @@
-Index: src/appl/gssftp/ftp/ftp.c
-===================================================================
---- src/appl/gssftp/ftp/ftp.c.orig
-+++ src/appl/gssftp/ftp/ftp.c
-@@ -1912,7 +1912,7 @@ int do_auth()
-
- #ifdef GSSAPI
- if (command("AUTH %s", "GSSAPI") == CONTINUE) {
-- OM_uint32 maj_stat, min_stat, dummy_stat;
-+ OM_uint32 maj_stat = GSS_S_FAILURE , min_stat, dummy_stat;
- gss_name_t target_name;
- gss_buffer_desc send_tok, recv_tok, *token_ptr;
- char stbuf[FTP_BUFSIZ];
diff --git a/krb5-1.5.1-fix-var-used-before-value-set.dif b/krb5-1.5.1-fix-var-used-before-value-set.dif
deleted file mode 100644
index cfa5930..0000000
--- a/krb5-1.5.1-fix-var-used-before-value-set.dif
+++ /dev/null
@@ -1,10 +0,0 @@
---- src/appl/telnet/telnetd/utility.c
-+++ src/appl/telnet/telnetd/utility.c 2006/11/06 10:34:09
-@@ -127,6 +127,7 @@
- }
- tv.tv_sec = 1;
- tv.tv_usec = 0;
-+ FD_ZERO(&fds);
- FD_SET(net, &fds);
-
- while (select(net + 1, &fds, NULL, NULL, &tv) == 1)
diff --git a/krb5-1.6.1-compile_pie.dif b/krb5-1.6.1-compile_pie.dif
index 8a0d66f..08e14fc 100644
--- a/krb5-1.6.1-compile_pie.dif
+++ b/krb5-1.6.1-compile_pie.dif
@@ -15,7 +15,7 @@ Index: src/config/shlib.conf
 ===================================================================
 --- src/config/shlib.conf.orig
 +++ src/config/shlib.conf
-@@ -420,7 +420,8 @@ mips-*-netbsd*)
+@@ -419,7 +419,8 @@ mips-*-netbsd*)
 PROFFLAGS=-pg
 RPATH_FLAG='-Wl,-rpath -Wl,'
 PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
diff --git a/krb5-1.6.3-fix-ipv6-query.dif b/krb5-1.6.3-fix-ipv6-query.dif
index 4220f2e..4ba81b8 100644
--- a/krb5-1.6.3-fix-ipv6-query.dif
+++ b/krb5-1.6.3-fix-ipv6-query.dif
@@ -1,9 +1,9 @@ -Index: trunk/src/lib/krb5/os/hostaddr.c +Index: krb5-1.8-alpha1/src/lib/krb5/os/hostaddr.c =================================================================== ---- trunk.orig/src/lib/krb5/os/hostaddr.c -+++ trunk/src/lib/krb5/os/hostaddr.c -@@ -43,7 +43,7 @@ krb5_os_hostaddr(krb5_context context, c - return KRB5_ERR_BAD_HOSTNAME; +--- krb5-1.8-alpha1.orig/src/lib/krb5/os/hostaddr.c ++++ krb5-1.8-alpha1/src/lib/krb5/os/hostaddr.c +@@ -44,7 +44,7 @@ krb5_os_hostaddr(krb5_context context, c + return KRB5_ERR_BAD_HOSTNAME; memset (&hints, 0, sizeof (hints)); - hints.ai_flags = AI_NUMERICHOST; @@ -11,11 +11,11 @@ Index: trunk/src/lib/krb5/os/hostaddr.c /* We don't care what kind at this point, really, but without this, we can get back multiple sockaddrs per address, for SOCK_DGRAM, SOCK_STREAM, and SOCK_RAW. I haven't checked if -Index: trunk/src/lib/krb5/os/hst_realm.c +Index: krb5-1.8-alpha1/src/lib/krb5/os/hst_realm.c =================================================================== ---- trunk.orig/src/lib/krb5/os/hst_realm.c -+++ trunk/src/lib/krb5/os/hst_realm.c -@@ -171,7 +171,7 @@ krb5int_get_fq_hostname (char *buf, size +--- krb5-1.8-alpha1.orig/src/lib/krb5/os/hst_realm.c ++++ krb5-1.8-alpha1/src/lib/krb5/os/hst_realm.c +@@ -103,7 +103,7 @@ get_fq_hostname(char *buf, size_t bufsiz int err; memset (&hints, 0, sizeof (hints)); 
@@ -23,12 +23,12 @@ Index: trunk/src/lib/krb5/os/hst_realm.c + hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG; err = getaddrinfo (name, 0, &hints, &ai); if (err) - return krb5int_translate_gai_error (err); -Index: trunk/src/lib/krb5/os/locate_kdc.c + return krb5int_translate_gai_error (err); +Index: krb5-1.8-alpha1/src/lib/krb5/os/locate_kdc.c =================================================================== ---- trunk.orig/src/lib/krb5/os/locate_kdc.c -+++ trunk/src/lib/krb5/os/locate_kdc.c -@@ -254,8 +254,9 @@ krb5int_add_host_to_list (struct addrlis +--- krb5-1.8-alpha1.orig/src/lib/krb5/os/locate_kdc.c ++++ krb5-1.8-alpha1/src/lib/krb5/os/locate_kdc.c +@@ -259,8 +259,9 @@ krb5int_add_host_to_list (struct addrlis memset(&hint, 0, sizeof(hint)); hint.ai_family = family; hint.ai_socktype = socktype; 
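Review bot: `AI_ADDRCONFIG` is set unconditionally in the hst_realm.c line carried at the top of this hunk (`hints.ai_flags = AI_CANONNAME | AI_ADDRCONFIG;`) and again in the sn2princ.c hunk that follows, with no comment on the behaviour it changes. With that flag getaddrinfo() only answers for address families the local host has a configured address for, so on a machine whose only interface is loopback these lookups can fail, and in `krb5_sname_to_principal` the result feeds the host part of the service principal; whether the error path there falls back cleanly is not visible in these hunks. The `AI_NUMERICSERV` line in the locate_kdc.c part is followed by an `#endif`, which suggests it is guarded, and the same treatment would suit this flag: `#ifdef AI_ADDRCONFIG` / `hints.ai_flags |= AI_ADDRCONFIG;` / `#endif`, with a one-line comment stating why it is wanted. The enclosing functions start and end outside the hunks.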
@@ -37,18 +37,18 @@ Index: trunk/src/lib/krb5/os/locate_kdc.c - hint.ai_flags = AI_NUMERICSERV; + hint.ai_flags |= AI_NUMERICSERV; #endif - if (snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port)) >= sizeof(portbuf)) - /* XXX */ -Index: trunk/src/lib/krb5/os/sn2princ.c + result = snprintf(portbuf, sizeof(portbuf), "%d", ntohs(port)); + if (SNPRINTF_OVERFLOW(result, sizeof(portbuf))) +Index: krb5-1.8-alpha1/src/lib/krb5/os/sn2princ.c =================================================================== ---- trunk.orig/src/lib/krb5/os/sn2princ.c -+++ trunk/src/lib/krb5/os/sn2princ.c -@@ -107,7 +107,7 @@ krb5_sname_to_principal(krb5_context con +--- krb5-1.8-alpha1.orig/src/lib/krb5/os/sn2princ.c ++++ krb5-1.8-alpha1/src/lib/krb5/os/sn2princ.c +@@ -108,7 +108,7 @@ krb5_sname_to_principal(krb5_context con - memset(&hints, 0, sizeof(hints)); - hints.ai_family = AF_INET; -- hints.ai_flags = AI_CANONNAME; -+ hints.ai_flags = AI_CANONNAME|AI_ADDRCONFIG; - try_getaddrinfo_again: - err = getaddrinfo(hostname, 0, &hints, &ai); - if (err) { + memset(&hints, 0, sizeof(hints)); + hints.ai_family = AF_INET; +- hints.ai_flags = AI_CANONNAME; ++ hints.ai_flags = AI_CANONNAME|AI_ADDRCONFIG; + try_getaddrinfo_again: + err = getaddrinfo(hostname, 0, &hints, &ai); + if (err) { diff --git a/krb5-1.6.3-kpasswd_tcp.patch b/krb5-1.6.3-kpasswd_tcp.patch index 757b3f6..360149f 100644 --- a/krb5-1.6.3-kpasswd_tcp.patch +++ b/krb5-1.6.3-kpasswd_tcp.patch 
@@ -5,31 +5,30 @@ Index: src/lib/krb5/os/changepw.c =================================================================== --- src/lib/krb5/os/changepw.c.orig +++ src/lib/krb5/os/changepw.c -@@ -261,11 +261,22 @@ krb5_change_set_password(krb5_context co - NULL, - NULL - ))) { -- -- /* -- * Here we may want to switch to TCP on some errors. -- * right? -- */ -+ /* if we're not using a stream socket, and it's an error which -+ * might reasonably be specific to a datagram "connection", try -+ * again with a stream socket */ -+ if (!useTcp) { -+ switch (code) { -+ case KRB5_KDC_UNREACH: -+ case KRB5_REALM_CANT_RESOLVE: -+ case KRB5KRB_ERR_RESPONSE_TOO_BIG: -+ /* should we do this for more result codes than these? */ -+ krb5int_free_addrlist (&al); -+ useTcp = 1; -+ continue; -+ default: -+ break; -+ } -+ } - break; - } +@@ -271,10 +271,22 @@ change_set_password(krb5_context context + NULL + ))) { + +- /* +- * Here we may want to switch to TCP on some errors. +- * right? +- */ ++ /* if we're not using a stream socket, and it's an error which ++ * might reasonably be specific to a datagram "connection", try ++ * again with a stream socket */ ++ if (!useTcp) { ++ switch (code) { ++ case KRB5_KDC_UNREACH: ++ case KRB5_REALM_CANT_RESOLVE: ++ case KRB5KRB_ERR_RESPONSE_TOO_BIG: ++ /* should we do this for more result codes than these? */ ++ krb5int_free_addrlist (&al); ++ useTcp = 1; ++ continue; ++ default: ++ break; ++ } ++ } + break; + } diff --git a/krb5-1.6.3-kprop-use-mkstemp.dif b/krb5-1.6.3-kprop-use-mkstemp.dif index 2277883..9ea2577 100644 --- a/krb5-1.6.3-kprop-use-mkstemp.dif +++ b/krb5-1.6.3-kprop-use-mkstemp.dif 
@@ -2,18 +2,18 @@ Index: src/slave/kprop.c =================================================================== --- src/slave/kprop.c.orig +++ src/slave/kprop.c -@@ -215,6 +215,7 @@ void get_tickets(context) - krb5_error_code retval; - static char tkstring[] = "/tmp/kproptktXXXXXX"; - krb5_keytab keytab = NULL; -+ int ret = 0; +@@ -206,6 +206,7 @@ void get_tickets(context) + krb5_error_code retval; + static char tkstring[] = "/tmp/kproptktXXXXXX"; + krb5_keytab keytab = NULL; ++ int ret = 0; - /* - * Figure out what tickets we'll be using to send stuff -@@ -240,7 +241,15 @@ void get_tickets(context) - /* - * Initialize cache file which we're going to be using - */ + /* + * Figure out what tickets we'll be using to send stuff +@@ -231,7 +232,15 @@ void get_tickets(context) + /* + * Initialize cache file which we're going to be using + */ +#ifdef HAVE_MKSTEMP + ret = mkstemp(tkstring); + if (ret == -1) { @@ -21,8 +21,8 @@ Index: src/slave/kprop.c + exit(1); + } else close(ret); +#else - (void) mktemp(tkstring); + (void) mktemp(tkstring); +#endif - snprintf(buf, sizeof(buf), "FILE:%s", tkstring); + snprintf(buf, sizeof(buf), "FILE:%s", tkstring); - retval = krb5_cc_resolve(context, buf, &ccache); + retval = krb5_cc_resolve(context, buf, &ccache); diff --git a/krb5-1.7-MITKRB5-SA-2009-003.dif b/krb5-1.7-MITKRB5-SA-2009-003.dif deleted file mode 100644 index c3d0d1a..0000000 --- a/krb5-1.7-MITKRB5-SA-2009-003.dif +++ /dev/null 
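Review bot: The `#else` branch still runs `(void) mktemp(tkstring);`, so a build without `HAVE_MKSTEMP` keeps the predictable-name window in /tmp between choosing the name and the credential cache being created under it. Since the point of the patch is to close that window, the fallback would be better turned into a build failure, `#error "mkstemp() is required for the kprop ticket cache"`, than left silently in place. `tkstring` is a `static` template that mkstemp() rewrites in place, so if `get_tickets` is ever called a second time in one process the template no longer ends in `XXXXXX` and the call fails; a comment saying it is expected to run once would record that assumption. The lines between `if (ret == -1) {` and `exit(1);` fall between the two hunks and are not visible here, and the body of `get_tickets` continues outside them.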
@@ -1,27 +0,0 @@
-Index: krb5-1.7/src/kdc/do_tgs_req.c
-===================================================================
---- krb5-1.7.orig/src/kdc/do_tgs_req.c
-+++ krb5-1.7/src/kdc/do_tgs_req.c
-@@ -1158,7 +1158,7 @@ prep_reprocess_req(krb5_kdc_req *request
- free(temp_buf);
- if (retval) {
- /* no match found */
-- kdc_err(kdc_context, retval, 0);
-+ kdc_err(kdc_context, retval, "unable to find realm of host");
- goto cleanup;
- }
- if (realms == 0) {
-Index: krb5-1.7/src/lib/kadm5/logger.c
-===================================================================
---- krb5-1.7.orig/src/lib/kadm5/logger.c
-+++ krb5-1.7/src/lib/kadm5/logger.c
-@@ -188,6 +188,9 @@ klog_com_err_proc(const char *whoami, lo
- char *cp;
- char *syslogp;
-
-+ if (whoami == NULL || format == NULL)
-+ return;
-+
- /* Make the header */
- snprintf(outbuf, sizeof(outbuf), "%s: ", whoami);
- /*
diff --git a/krb5-1.7-MITKRB5-SA-2009-004.dif b/krb5-1.7-MITKRB5-SA-2009-004.dif
deleted file mode 100644
index 67c5738..0000000
--- a/krb5-1.7-MITKRB5-SA-2009-004.dif
+++ /dev/null
@@ -1,377 +0,0 @@ -Index: krb5-1.7/src/lib/crypto/Makefile.in -=================================================================== ---- krb5-1.7.orig/src/lib/crypto/Makefile.in -+++ krb5-1.7/src/lib/crypto/Makefile.in -@@ -18,6 +18,7 @@ EXTRADEPSRCS=\ - $(srcdir)/t_nfold.c \ - $(srcdir)/t_cf2.c \ - $(srcdir)/t_encrypt.c \ -+ $(srcdir)/t_short.c \ - $(srcdir)/t_prf.c \ - $(srcdir)/t_prng.c \ - $(srcdir)/t_hmac.c \ -@@ -206,7 +207,7 @@ libcrypto.lib: - - clean-unix:: clean-liblinks clean-libs clean-libobjs - --check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_cf2 -+check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_cf2 t_short - $(RUN_SETUP) $(VALGRIND) ./t_nfold - $(RUN_SETUP) $(VALGRIND) ./t_encrypt - $(RUN_SETUP) $(VALGRIND) ./t_prng <$(srcdir)/t_prng.seed >t_prng.output && \ -@@ -216,6 +217,7 @@ check-unix:: t_nfold t_encrypt t_prf t_p - diff t_prf.output $(srcdir)/t_prf.expected - $(RUN_SETUP) $(VALGRIND) ./t_cf2 <$(srcdir)/t_cf2.in >t_cf2.output - diff t_cf2.output $(srcdir)/t_cf2.expected -+ $(RUN_SETUP) $(VALGRIND) ./t_short - - - # $(RUN_SETUP) $(VALGRIND) ./t_pkcs5 -@@ -249,10 +251,14 @@ t_cts$(EXEEXT): t_cts.$(OBJEXT) $(CRYPTO - $(CC_LINK) -o $@ t_cts.$(OBJEXT) \ - $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) - -+t_short$(EXEEXT): t_short.$(OBJEXT) $(CRYPTO_DEPLIB) $(SUPPORT_DEPLIB) -+ $(CC_LINK) -o $@ t_short.$(OBJEXT) \ -+ $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) - - clean:: - $(RM) t_nfold.o t_nfold t_encrypt t_encrypt.o t_prng.o t_prng \ -- t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o t_cf2 t_cf2.o -+ t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o \ -+ t_cf2 t_cf2.o t_short t_short.o - -$(RM) t_prng.output - - all-windows:: -Index: krb5-1.7/src/lib/crypto/arcfour/arcfour.c -=================================================================== ---- krb5-1.7.orig/src/lib/crypto/arcfour/arcfour.c -+++ krb5-1.7/src/lib/crypto/arcfour/arcfour.c -@@ -199,6 +199,12 @@ krb5_arcfour_decrypt(const struct krb5_e - 
keylength = enc->keylength; - hashsize = hash->hashsize; - -+ /* Verify input and output lengths. */ -+ if (input->length < hashsize + CONFOUNDERLENGTH) -+ return KRB5_BAD_MSIZE; -+ if (output->length < input->length - hashsize - CONFOUNDERLENGTH) -+ return KRB5_BAD_MSIZE; -+ - d1.length=keybytes; - d1.data=malloc(d1.length); - if (d1.data == NULL) -Index: krb5-1.7/src/lib/crypto/enc_provider/aes.c -=================================================================== ---- krb5-1.7.orig/src/lib/crypto/enc_provider/aes.c -+++ krb5-1.7/src/lib/crypto/enc_provider/aes.c -@@ -105,9 +105,11 @@ krb5int_aes_encrypt(const krb5_keyblock - nblocks = (input->length + BLOCK_SIZE - 1) / BLOCK_SIZE; - - if (nblocks == 1) { -- /* XXX Used for DK function. */ -+ /* Used when deriving keys. */ -+ if (input->length < BLOCK_SIZE) -+ return KRB5_BAD_MSIZE; - enc(output->data, input->data, &ctx); -- } else { -+ } else if (nblocks > 1) { - unsigned int nleft; - - for (blockno = 0; blockno < nblocks - 2; blockno++) { -@@ -160,9 +162,9 @@ krb5int_aes_decrypt(const krb5_keyblock - - if (nblocks == 1) { - if (input->length < BLOCK_SIZE) -- abort(); -+ return KRB5_BAD_MSIZE; - dec(output->data, input->data, &ctx); -- } else { -+ } else if (nblocks > 1) { - - for (blockno = 0; blockno < nblocks - 2; blockno++) { - dec(tmp2, input->data + blockno * BLOCK_SIZE, &ctx); -@@ -208,6 +210,7 @@ krb5int_aes_encrypt_iov(const krb5_keybl - char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE]; - int nblocks = 0, blockno; - size_t input_length, i; -+ struct iov_block_state input_pos, output_pos; - - if (aes_enc_key(key->contents, key->length, &ctx) != aes_good) - abort(); -@@ -224,17 +227,19 @@ krb5int_aes_encrypt_iov(const krb5_keybl - input_length += iov->data.length; - } - -- nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE; -- -- assert(nblocks > 1); -+ IOV_BLOCK_STATE_INIT(&input_pos); -+ IOV_BLOCK_STATE_INIT(&output_pos); - -- { -+ nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE; -+ if (nblocks == 1) { 
-+ krb5int_c_iov_get_block((unsigned char *)tmp, BLOCK_SIZE, -+ data, num_data, &input_pos); -+ enc(tmp2, tmp, &ctx); -+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2, -+ BLOCK_SIZE, &output_pos); -+ } else if (nblocks > 1) { - char blockN2[BLOCK_SIZE]; /* second last */ - char blockN1[BLOCK_SIZE]; /* last block */ -- struct iov_block_state input_pos, output_pos; -- -- IOV_BLOCK_STATE_INIT(&input_pos); -- IOV_BLOCK_STATE_INIT(&output_pos); - - for (blockno = 0; blockno < nblocks - 2; blockno++) { - char blockN[BLOCK_SIZE]; -@@ -288,6 +293,7 @@ krb5int_aes_decrypt_iov(const krb5_keybl - char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE]; - int nblocks = 0, blockno, i; - size_t input_length; -+ struct iov_block_state input_pos, output_pos; - - CHECK_SIZES; - -@@ -305,18 +311,19 @@ krb5int_aes_decrypt_iov(const krb5_keybl - if (ENCRYPT_IOV(iov)) - input_length += iov->data.length; - } -+ IOV_BLOCK_STATE_INIT(&input_pos); -+ IOV_BLOCK_STATE_INIT(&output_pos); - - nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE; -- -- assert(nblocks > 1); -- -- { -+ if (nblocks == 1) { -+ krb5int_c_iov_get_block((unsigned char *)tmp, BLOCK_SIZE, -+ data, num_data, &input_pos); -+ dec(tmp2, tmp, &ctx); -+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2, -+ BLOCK_SIZE, &output_pos); -+ } else if (nblocks > 1) { - char blockN2[BLOCK_SIZE]; /* second last */ - char blockN1[BLOCK_SIZE]; /* last block */ -- struct iov_block_state input_pos, output_pos; -- -- IOV_BLOCK_STATE_INIT(&input_pos); -- IOV_BLOCK_STATE_INIT(&output_pos); - - for (blockno = 0; blockno < nblocks - 2; blockno++) { - char blockN[BLOCK_SIZE]; -Index: krb5-1.7/src/lib/crypto/old/old_decrypt.c -=================================================================== ---- krb5-1.7.orig/src/lib/crypto/old/old_decrypt.c -+++ krb5-1.7/src/lib/crypto/old/old_decrypt.c -@@ -45,8 +45,10 @@ krb5_old_decrypt(const struct krb5_enc_p - blocksize = enc->block_size; - hashsize = hash->hashsize; - -+ 
/* Verify input and output lengths. */ -+ if (input->length < blocksize + hashsize || input->length % blocksize != 0) -+ return(KRB5_BAD_MSIZE); - plainsize = input->length - blocksize - hashsize; -- - if (arg_output->length < plainsize) - return(KRB5_BAD_MSIZE); - -Index: krb5-1.7/src/lib/crypto/raw/raw_decrypt.c -=================================================================== ---- krb5-1.7.orig/src/lib/crypto/raw/raw_decrypt.c -+++ krb5-1.7/src/lib/crypto/raw/raw_decrypt.c -@@ -34,5 +34,7 @@ krb5_raw_decrypt(const struct krb5_enc_p - const krb5_data *ivec, const krb5_data *input, - krb5_data *output) - { -- return((*(enc->decrypt))(key, ivec, input, output)); -+ if (output->length < input->length) -+ return KRB5_BAD_MSIZE; -+ return((*(enc->decrypt))(key, ivec, input, output)); - } -Index: krb5-1.7/src/lib/crypto/t_short.c -=================================================================== ---- /dev/null -+++ krb5-1.7/src/lib/crypto/t_short.c -@@ -0,0 +1,128 @@ -+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -+/* -+ * lib/crypto/crypto_tests/t_short.c -+ * -+ * Copyright (C) 2009 by the Massachusetts Institute of Technology. -+ * All rights reserved. -+ * -+ * Export of this software from the United States of America may -+ * require a specific license from the United States Government. -+ * It is the responsibility of any person or organization contemplating -+ * export to obtain such a license before exporting. -+ * -+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -+ * distribute this software and its documentation for any purpose and -+ * without fee is hereby granted, provided that the above copyright -+ * notice appear in all copies and that both that copyright notice and -+ * this permission notice appear in supporting documentation, and that -+ * the name of M.I.T. not be used in advertising or publicity pertaining -+ * to distribution of the software without specific, written prior -+ * permission. 
Furthermore if you modify this software you must label -+ * your software as modified software and not distribute it in such a -+ * fashion that it might be confused with the original M.I.T. software. -+ * M.I.T. makes no representations about the suitability of -+ * this software for any purpose. It is provided "as is" without express -+ * or implied warranty. -+ * -+ * Tests the outcome of decrypting overly short tokens. This program can be -+ * run under a tool like valgrind to detect bad memory accesses; when run -+ * normally by the test suite, it verifies that each operation returns -+ * KRB5_BAD_MSIZE. -+ */ -+ -+#include "k5-int.h" -+ -+ -+krb5_enctype interesting_enctypes[] = { -+ ENCTYPE_DES_CBC_CRC, -+ ENCTYPE_DES_CBC_MD4, -+ ENCTYPE_DES_CBC_MD5, -+ ENCTYPE_DES3_CBC_SHA1, -+ ENCTYPE_ARCFOUR_HMAC, -+ ENCTYPE_ARCFOUR_HMAC_EXP, -+ ENCTYPE_AES256_CTS_HMAC_SHA1_96, -+ ENCTYPE_AES128_CTS_HMAC_SHA1_96, -+ 0 -+}; -+ -+/* Abort if an operation unexpectedly fails. */ -+static void -+x(krb5_error_code code) -+{ -+ if (code != 0) -+ abort(); -+} -+ -+/* Abort if a decrypt operation doesn't have the expected result. */ -+static void -+check_decrypt_result(krb5_error_code code, size_t len, size_t min_len) -+{ -+ if (len < min_len) { -+ /* Undersized tokens should always result in BAD_MSIZE. */ -+ if (code != KRB5_BAD_MSIZE) -+ abort(); -+ } else { -+ /* Min-size tokens should succeed or fail the integrity check. */ -+ if (code != 0 && code != KRB5KRB_AP_ERR_BAD_INTEGRITY) -+ abort(); -+ } -+} -+ -+static void -+test_enctype(krb5_enctype enctype) -+{ -+ krb5_error_code ret; -+ krb5_keyblock keyblock; -+ krb5_enc_data input; -+ krb5_data output; -+ krb5_crypto_iov iov[2]; -+ unsigned int dummy; -+ size_t min_len, len; -+ -+ printf("Testing enctype %d\n", (int) enctype); -+ x(krb5_c_encrypt_length(NULL, enctype, 0, &min_len)); -+ x(krb5_c_make_random_key(NULL, enctype, &keyblock)); -+ input.enctype = enctype; -+ -+ /* Try each length up to the minimum length. 
*/ -+ for (len = 0; len <= min_len; len++) { -+ input.ciphertext.data = calloc(len, 1); -+ input.ciphertext.length = len; -+ output.data = calloc(len, 1); -+ output.length = len; -+ -+ /* Attempt a normal decryption. */ -+ ret = krb5_c_decrypt(NULL, &keyblock, 0, NULL, &input, &output); -+ check_decrypt_result(ret, len, min_len); -+ -+ if (krb5_c_crypto_length(NULL, enctype, KRB5_CRYPTO_TYPE_HEADER, -+ &dummy) == 0) { -+ /* Attempt an IOV stream decryption. */ -+ iov[0].flags = KRB5_CRYPTO_TYPE_STREAM; -+ iov[0].data = input.ciphertext; -+ iov[1].flags = KRB5_CRYPTO_TYPE_DATA; -+ iov[1].data.data = NULL; -+ iov[1].data.length = 0; -+ ret = krb5_c_decrypt_iov(NULL, &keyblock, 0, NULL, iov, 2); -+ check_decrypt_result(ret, len, min_len); -+ } -+ -+ free(input.ciphertext.data); -+ free(output.data); -+ } -+} -+ -+int -+main(int argc, char **argv) -+{ -+ int i; -+ krb5_data notrandom; -+ -+ notrandom.data = "notrandom"; -+ notrandom.length = 9; -+ krb5_c_random_seed(NULL, ¬random); -+ for (i = 0; interesting_enctypes[i]; i++) -+ test_enctype(interesting_enctypes[i]); -+ return 0; -+} -+ -Index: krb5-1.7/src/lib/crypto/deps -=================================================================== ---- krb5-1.7.orig/src/lib/crypto/deps -+++ krb5-1.7/src/lib/crypto/deps -@@ -463,6 +463,16 @@ t_encrypt.so t_encrypt.po $(OUTPRE)t_enc - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h etypes.h t_encrypt.c -+t_short.so t_short.po $(OUTPRE)t_short.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ -+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ -+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ -+ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ -+ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ -+ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ -+ 
$(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ -+ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ -+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ -+ t_short.c - t_prf.so t_prf.po $(OUTPRE)t_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ -Index: krb5-1.7/src/lib/crypto/dk/dk_aead.c -=================================================================== ---- krb5-1.7.orig/src/lib/crypto/dk/dk_aead.c -+++ krb5-1.7/src/lib/crypto/dk/dk_aead.c -@@ -248,7 +248,7 @@ krb5int_dk_decrypt_iov(const struct krb5 - for (i = 0; i < num_data; i++) { - const krb5_crypto_iov *iov = &data[i]; - -- if (ENCRYPT_DATA_IOV(iov)) -+ if (ENCRYPT_IOV(iov)) - cipherlen += iov->data.length; - } - -Index: krb5-1.7/src/lib/crypto/dk/dk_decrypt.c -=================================================================== ---- krb5-1.7.orig/src/lib/crypto/dk/dk_decrypt.c -+++ krb5-1.7/src/lib/crypto/dk/dk_decrypt.c -@@ -89,6 +89,12 @@ krb5_dk_decrypt_maybe_trunc_hmac(const s - else if (hmacsize > hashsize) - return KRB5KRB_AP_ERR_BAD_INTEGRITY; - -+ /* Verify input and output lengths. */ -+ if (input->length < blocksize + hmacsize) -+ return KRB5_BAD_MSIZE; -+ if (output->length < input->length - blocksize - hmacsize) -+ return KRB5_BAD_MSIZE; -+ - enclen = input->length - hmacsize; - - if ((kedata = (unsigned char *) malloc(keylength)) == NULL) diff --git a/krb5-1.7-manpaths.dif b/krb5-1.7-manpaths.dif index ab8e30e..a9c9e95 100644 --- a/krb5-1.7-manpaths.dif +++ b/krb5-1.7-manpaths.dif 
@@ -1,43 +1,9 @@ -Index: krb5-1.7/src/appl/bsd/klogind.M + +Index: krb5-1.8-alpha1/src/appl/sample/sserver/sserver.M =================================================================== ---- krb5-1.7.orig/src/appl/bsd/klogind.M -+++ krb5-1.7/src/appl/bsd/klogind.M -@@ -27,7 +27,7 @@ server is invoked by \fIinetd(8)\fP when - the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf - configuration line for \fIklogind\fP might be: - --klogin stream tcp nowait root /usr/cygnus/sbin/klogind klogind -e5c -+klogin stream tcp nowait root @mansbindir@/klogind klogind -e5c - - When a service request is received, the following protocol is initiated: - -Index: krb5-1.7/src/appl/bsd/kshd.M -=================================================================== ---- krb5-1.7.orig/src/appl/bsd/kshd.M -+++ krb5-1.7/src/appl/bsd/kshd.M -@@ -8,7 +8,7 @@ - .SH NAME - kshd \- kerberized remote shell server - .SH SYNOPSIS --.B /usr/local/sbin/kshd -+.B @mansbindir@/kshd - [ - .B \-kr45ec - ] -@@ -30,7 +30,7 @@ server is invoked by \fIinetd(8c)\fP whe - on the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf - configuration line for \fIkrshd\fP might be: - --kshell stream tcp nowait root /usr/local/sbin/kshd kshd -5c -+kshell stream tcp nowait root @mansbindir@/kshd kshd -5c - - When a service request is received, the following protocol is initiated: - -Index: krb5-1.7/src/appl/sample/sserver/sserver.M -=================================================================== ---- krb5-1.7.orig/src/appl/sample/sserver/sserver.M -+++ krb5-1.7/src/appl/sample/sserver/sserver.M +--- krb5-1.8-alpha1.orig/src/appl/sample/sserver/sserver.M ++++ krb5-1.8-alpha1/src/appl/sample/sserver/sserver.M @@ -59,7 +59,7 @@ option allows for a different keytab tha using a line in /etc/inetd.conf that looks like this: 
@@ -47,23 +13,10 @@ Index: krb5-1.7/src/appl/sample/sserver/sserver.M .PP Since \fBsample\fP is normally not a port defined in /etc/services, you will usually have to add a line to /etc/services which looks like this: -Index: krb5-1.7/src/appl/telnet/telnetd/telnetd.8 +Index: krb5-1.8-alpha1/src/config-files/kdc.conf.M =================================================================== ---- krb5-1.7.orig/src/appl/telnet/telnetd/telnetd.8 -+++ krb5-1.7/src/appl/telnet/telnetd/telnetd.8 -@@ -37,7 +37,7 @@ telnetd \- - .SM DARPA TELNET - protocol server - .SH SYNOPSIS --.B /usr/libexec/telnetd -+.B @manlibexecdir@/telnetd - [\fB\-a\fP \fIauthmode\fP] [\fB\-B\fP] [\fB\-D\fP] [\fIdebugmode\fP] - [\fB\-e\fP] [\fB\-h\fP] [\fB\-I\fP\fIinitid\fP] [\fB\-l\fP] - [\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP] -Index: krb5-1.7/src/config-files/kdc.conf.M -=================================================================== ---- krb5-1.7.orig/src/config-files/kdc.conf.M -+++ krb5-1.7/src/config-files/kdc.conf.M +--- krb5-1.8-alpha1.orig/src/config-files/kdc.conf.M ++++ krb5-1.8-alpha1/src/config-files/kdc.conf.M @@ -82,14 +82,14 @@ This .B string specifies the location of the access control list (acl) file that @@ -81,7 +34,7 @@ Index: krb5-1.7/src/config-files/kdc.conf.M .IP database_name This -@@ -257,7 +257,7 @@ tickets should be checked against the tr +@@ -254,7 +254,7 @@ tickets should be checked against the tr realm names and the [capaths] section of its krb5.conf file .SH FILES 
@@ -90,12 +43,12 @@ Index: krb5-1.7/src/config-files/kdc.conf.M .SH SEE ALSO krb5.conf(5), krb5kdc(8) -Index: krb5-1.7/src/configure.in +Index: krb5-1.8-alpha1/src/configure.in =================================================================== ---- krb5-1.7.orig/src/configure.in -+++ krb5-1.7/src/configure.in -@@ -1041,6 +1041,69 @@ dnl - AC_CONFIG_SUBDIRS(appl/libpty appl/bsd appl/gssftp appl/telnet) +--- krb5-1.8-alpha1.orig/src/configure.in ++++ krb5-1.8-alpha1/src/configure.in +@@ -1052,6 +1052,58 @@ if test "$ac_cv_lib_socket" = "yes" -a " + fi AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) + @@ -118,18 +71,8 @@ Index: krb5-1.7/src/configure.in +AC_SUBST(manlocalstatedir) +AC_SUBST(manlibexecdir) +AC_OUTPUT([ -+ appl/bsd/klogind.M -+ appl/bsd/kshd.M -+ appl/bsd/login.M -+ appl/bsd/rcp.M -+ appl/bsd/rlogin.M -+ appl/bsd/rsh.M -+ appl/gssftp/ftpd/ftpd.M -+ appl/gssftp/ftp/ftp.M + appl/sample/sclient/sclient.M + appl/sample/sserver/sserver.M -+ appl/telnet/telnetd/telnetd.8 -+ appl/telnet/telnet/telnet.1 + clients/kcpytkt/kcpytkt.M + clients/kdeltkt/kdeltkt.M + clients/kdestroy/kdestroy.M @@ -147,7 +90,6 @@ Index: krb5-1.7/src/configure.in + kadmin/cli/kadmin.M + kadmin/dbutil/kdb5_util.M + kadmin/ktutil/ktutil.M -+ kadmin/passwd/kpasswd.M + kadmin/server/kadmind.M + kdc/krb5kdc.M + krb5-config.M @@ -164,11 +106,11 @@ Index: krb5-1.7/src/configure.in V5_AC_OUTPUT_MAKEFILE(. util util/support util/profile util/send-pr -Index: krb5-1.7/src/kadmin/cli/kadmin.M +Index: krb5-1.8-alpha1/src/kadmin/cli/kadmin.M =================================================================== ---- krb5-1.7.orig/src/kadmin/cli/kadmin.M -+++ krb5-1.7/src/kadmin/cli/kadmin.M -@@ -850,9 +850,9 @@ option is specified, less verbose status +--- krb5-1.8-alpha1.orig/src/kadmin/cli/kadmin.M ++++ krb5-1.8-alpha1/src/kadmin/cli/kadmin.M +@@ -869,9 +869,9 @@ option is specified, less verbose status .RS .TP EXAMPLE: 
@@ -180,7 +122,7 @@ Index: krb5-1.7/src/kadmin/cli/kadmin.M kadmin: .RE .fi -@@ -894,7 +894,7 @@ passwords. +@@ -913,7 +913,7 @@ passwords. .SH HISTORY The .B kadmin @@ -189,10 +131,10 @@ Index: krb5-1.7/src/kadmin/cli/kadmin.M OpenVision Kerberos administration program. .SH SEE ALSO .IR kerberos (1), -Index: krb5-1.7/src/slave/kprop.M +Index: krb5-1.8-alpha1/src/slave/kprop.M =================================================================== ---- krb5-1.7.orig/src/slave/kprop.M -+++ krb5-1.7/src/slave/kprop.M +--- krb5-1.8-alpha1.orig/src/slave/kprop.M ++++ krb5-1.8-alpha1/src/slave/kprop.M @@ -39,7 +39,7 @@ Kerberos server to a slave Kerberos serv This is done by transmitting the dumped database file to the slave server over an encrypted, secure channel. The dump file must be created @@ -211,10 +153,10 @@ Index: krb5-1.7/src/slave/kprop.M .TP \fB\-P\fP \fIport\fP specifies the port to use to contact the -Index: krb5-1.7/src/slave/kpropd.M +Index: krb5-1.8-alpha1/src/slave/kpropd.M =================================================================== ---- krb5-1.7.orig/src/slave/kpropd.M -+++ krb5-1.7/src/slave/kpropd.M +--- krb5-1.8-alpha1.orig/src/slave/kpropd.M ++++ krb5-1.8-alpha1/src/slave/kpropd.M @@ -74,7 +74,7 @@ Normally, kpropd is invoked out of This is done by adding a line to the inetd.conf file which looks like this: @@ -222,7 +164,7 @@ Index: krb5-1.7/src/slave/kpropd.M -kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd +kprop stream tcp nowait root @mansbindir@/kpropd kpropd - However, kpropd can also run as a standalone deamon, if the + However, kpropd can also run as a standalone daemon, if the .B \-S @@ -111,13 +111,13 @@ is used. \fB\-f\fP \fIfile\fP diff --git a/krb5-1.7-manpaths.txt b/krb5-1.7-manpaths.txt index a85dcae..d6df93e 100644 --- a/krb5-1.7-manpaths.txt +++ b/krb5-1.7-manpaths.txt 
@@ -1,15 +1,5 @@
-appl/bsd/klogind.M
-appl/bsd/kshd.M
-appl/bsd/login.M
-appl/bsd/rcp.M
-appl/bsd/rlogin.M
-appl/bsd/rsh.M
-appl/gssftp/ftpd/ftpd.M
-appl/gssftp/ftp/ftp.M
 appl/sample/sclient/sclient.M
 appl/sample/sserver/sserver.M
-appl/telnet/telnetd/telnetd.8
-appl/telnet/telnet/telnet.1
 clients/kcpytkt/kcpytkt.M
 clients/kdeltkt/kdeltkt.M
 clients/kdestroy/kdestroy.M
@@ -27,7 +17,6 @@ kadmin/cli/kadmin.local.M
 kadmin/cli/kadmin.M
 kadmin/dbutil/kdb5_util.M
 kadmin/ktutil/ktutil.M
-kadmin/passwd/kpasswd.M
 kadmin/server/kadmind.M
 kdc/krb5kdc.M
 krb5-config.M
diff --git a/krb5-1.7.tar.bz2 b/krb5-1.7.tar.bz2
deleted file mode 100644
index 9efcda8..0000000
--- a/krb5-1.7.tar.bz2
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:2043f38c46a9721cfab28f0fdf876af17d542cab458a87d0324783189e9570cd
-size 10407001
diff --git a/krb5-1.8-POST.dif b/krb5-1.8-POST.dif
new file mode 100644
index 0000000..0db3bf7
--- /dev/null
+++ b/krb5-1.8-POST.dif
@@ -0,0 +1,315 @@ +Index: doc/admin.texinfo +=================================================================== +--- doc/admin.texinfo.orig ++++ doc/admin.texinfo +@@ -516,13 +516,6 @@ DCE do not support the default cache as + Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on + DCE 1.1 systems. The default value is @value{DefaultCcacheType}. + +-@ignore +-@itemx tkt_lifetime +-The default lifetime of a ticket. The default is +-@value{DefaultTktLifetime}. This is currently not supported by the +-code. +-@end ignore +- + @itemx dns_lookup_kdc + Indicate whether DNS SRV records should be used to locate the KDCs and + other servers for a realm, if they are not listed in the information for +@@ -583,6 +576,11 @@ If this flag is set, then an attempt to + fail if the client machine does not have a keytab. The default for the + flag is @value{DefaultVerifyApReqNofail}. + ++@itemx ticket_lifetime ++The value of this tag is the default lifetime for ++initial tickets. The default value for the tag is ++@value{DefaultTktLifetime}. ++ + @itemx renew_lifetime + The value of this tag is the default renewable lifetime for + initial tickets. 
The default value for the tag is +Index: src/include/krb5/krb5.hin +=================================================================== +--- src/include/krb5/krb5.hin.orig ++++ src/include/krb5/krb5.hin +@@ -1066,7 +1066,7 @@ krb5_verify_checksum(krb5_context contex + #define KRB5_AUTHDATA_SESAME 65 + #define KRB5_AUTHDATA_WIN2K_PAC 128 + #define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /* RFC 4537 */ +-#define KRB5_AUTHDATA_SIGNTICKET 142 ++#define KRB5_AUTHDATA_SIGNTICKET 512 /* formerly 142 in krb5 1.8 */ + #define KRB5_AUTHDATA_FX_ARMOR 71 + /* password change constants */ + +@@ -1184,6 +1184,19 @@ typedef struct _krb5_pa_data { + krb5_octet *contents; + } krb5_pa_data; + ++/* typed data */ ++/* ++ * The FAST error handling logic currently assumes that this structure and ++ * krb5_pa_data * can be safely cast to each other if this structure changes, ++ * that code needs to be updated to copy. ++ */ ++typedef struct _krb5_typed_data { ++ krb5_magic magic; ++ krb5_int32 type; ++ unsigned int length; ++ krb5_octet *data; ++} krb5_typed_data; ++ + typedef struct _krb5_kdc_req { + krb5_magic magic; + krb5_msgtype msg_type; /* AS_REQ or TGS_REQ? */ +Index: src/include/k5-int-pkinit.h +=================================================================== +--- src/include/k5-int-pkinit.h.orig ++++ src/include/k5-int-pkinit.h +@@ -101,17 +101,6 @@ typedef struct _krb5_trusted_ca { + } u; + } krb5_trusted_ca; + +-/* typed data */ +-/* The FAST error handling logic currently assumes that this structure and krb5_pa_data * can be safely cast to each other +- * if this structure changes, that code needs to be updated to copy. 
+- */ +-typedef struct _krb5_typed_data { +- krb5_magic magic; +- krb5_int32 type; +- unsigned int length; +- krb5_octet *data; +-} krb5_typed_data; +- + /* PA-PK-AS-REQ (Draft 9 -- PA TYPE 14) */ + typedef struct _krb5_pa_pk_as_req_draft9 { + krb5_octet_data signedAuthPack; +Index: src/kdc/kdc_authdata.c +=================================================================== +--- src/kdc/kdc_authdata.c.orig ++++ src/kdc/kdc_authdata.c +@@ -934,8 +934,12 @@ verify_ad_signedpath(krb5_context contex + enc_sp.length = sp_authdata[0]->length; + + code = decode_krb5_ad_signedpath(&enc_sp, &sp); +- if (code != 0) ++ if (code != 0) { ++ /* Treat an invalid signedpath authdata element as a missing one, since ++ * we believe MS is using the same number for something else. */ ++ code = 0; + goto cleanup; ++ } + + code = verify_ad_signedpath_checksum(context, + krbtgt, +Index: src/kdc/do_tgs_req.c +=================================================================== +--- src/kdc/do_tgs_req.c.orig ++++ src/kdc/do_tgs_req.c +@@ -1215,6 +1215,7 @@ prep_reprocess_req(krb5_kdc_req *request + strlcpy(comp1_str,comp1->data,comp1->length+1); + + if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST || ++ krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_INST || + (krb5_princ_type(kdc_context, request->server) == KRB5_NT_UNKNOWN && + kdc_active_realm->realm_host_based_services != NULL && + (krb5_match_config_pattern(kdc_active_realm->realm_host_based_services, +Index: src/clients/kpasswd/kpasswd.c +=================================================================== +--- src/clients/kpasswd/kpasswd.c.orig ++++ src/clients/kpasswd/kpasswd.c +@@ -47,7 +47,7 @@ int main(int argc, char *argv[]) + { + krb5_error_code ret; + krb5_context context; +- krb5_principal princ; ++ krb5_principal princ = NULL; + char *pname; + krb5_ccache ccache; + krb5_get_init_creds_opt *opts = NULL; +@@ -84,23 +84,27 @@ int main(int argc, char *argv[]) + com_err(argv[0], ret, "parsing 
client name"); + exit(1); + } +- } else if ((ret = krb5_cc_default(context, &ccache)) != KRB5_CC_NOTFOUND) { +- if (ret) { ++ } else { ++ ret = krb5_cc_default(context, &ccache); ++ if (ret != 0) { + com_err(argv[0], ret, "opening default ccache"); + exit(1); + } + +- if ((ret = krb5_cc_get_principal(context, ccache, &princ))) { ++ ret = krb5_cc_get_principal(context, ccache, &princ); ++ if (ret != 0 && ret != KRB5_CC_NOTFOUND && ret != KRB5_FCC_NOFILE) { + com_err(argv[0], ret, "getting principal from ccache"); + exit(1); + } + +- if ((ret = krb5_cc_close(context, ccache))) { ++ ret = krb5_cc_close(context, ccache); ++ if (ret != 0) { + com_err(argv[0], ret, "closing ccache"); + exit(1); + } +- } else { +- get_name_from_passwd_file(argv[0], context, &princ); ++ ++ if (princ == NULL) ++ get_name_from_passwd_file(argv[0], context, &princ); + } + + if ((ret = krb5_get_init_creds_opt_alloc(context, &opts))) { +Index: src/config-files/krb5.conf.M +=================================================================== +--- src/config-files/krb5.conf.M.orig ++++ src/config-files/krb5.conf.M +@@ -220,6 +220,10 @@ If this flag is set, then an attempt to + fail if the client machine does not have a keytab. The default for the + flag is false. + ++.IP ticket_lifetime ++The value of this tag is the default lifetime for initial tickets. The ++default value for the tag is 1 day (1d). ++ + .IP renew_lifetime + The value of this tag is the default renewable lifetime for initial + tickets. The default value for the tag is 0. 
+Index: src/lib/gssapi/spnego/spnego_mech.c +=================================================================== +--- src/lib/gssapi/spnego/spnego_mech.c.orig ++++ src/lib/gssapi/spnego/spnego_mech.c +@@ -1693,6 +1693,7 @@ cleanup: + if (sc->internal_name != GSS_C_NO_NAME && + src_name != NULL) { + *src_name = sc->internal_name; ++ sc->internal_name = GSS_C_NO_NAME; + } + release_spnego_ctx(&sc); + } else if (ret != GSS_S_CONTINUE_NEEDED) { +@@ -2578,6 +2579,8 @@ release_spnego_ctx(spnego_gss_ctx_id_t * + (void) generic_gss_release_oid(&minor_stat, + &context->internal_mech); + ++ (void) gss_release_name(&minor_stat, &context->internal_name); ++ + if (context->optionStr != NULL) { + free(context->optionStr); + context->optionStr = NULL; +Index: src/lib/kadm5/srv/svr_principal.c +=================================================================== +--- src/lib/kadm5/srv/svr_principal.c.orig ++++ src/lib/kadm5/srv/svr_principal.c +@@ -858,8 +858,8 @@ kadm5_get_principal(void *server_handle, + if (! (mask & KADM5_MOD_TIME)) + entry->mod_date = 0; + if (! 
(mask & KADM5_MOD_NAME)) { +- krb5_free_principal(handle->context, entry->principal); +- entry->principal = NULL; ++ krb5_free_principal(handle->context, entry->mod_name); ++ entry->mod_name = NULL; + } + } + +@@ -871,10 +871,12 @@ kadm5_get_principal(void *server_handle, + if (kdb.key_data[i].key_data_kvno > entry->kvno) + entry->kvno = kdb.key_data[i].key_data_kvno; + +- ret = krb5_dbe_get_mkvno(handle->context, &kdb, master_keylist, +- &entry->mkvno); +- if (ret) +- goto done; ++ if (mask & KADM5_MKVNO) { ++ ret = krb5_dbe_get_mkvno(handle->context, &kdb, master_keylist, ++ &entry->mkvno); ++ if (ret) ++ goto done; ++ } + + if (mask & KADM5_MAX_RLIFE) + entry->max_renewable_life = kdb.max_renewable_life; +Index: src/lib/krb5/os/changepw.c +=================================================================== +--- src/lib/krb5/os/changepw.c.orig ++++ src/lib/krb5/os/changepw.c +@@ -65,20 +65,23 @@ locate_kpasswd(krb5_context context, con + int sockType = (useTcp ? SOCK_STREAM : SOCK_DGRAM); + + code = krb5int_locate_server (context, realm, addrlist, +- locate_service_kpasswd, sockType, AF_INET); ++ locate_service_kpasswd, sockType, AF_UNSPEC); + + if (code == KRB5_REALM_CANT_RESOLVE || code == KRB5_REALM_UNKNOWN) { + code = krb5int_locate_server (context, realm, addrlist, + locate_service_kadmin, SOCK_STREAM, +- AF_INET); ++ AF_UNSPEC); + if (!code) { + /* Success with admin_server but now we need to change the + port number to use DEFAULT_KPASSWD_PORT and the socktype. 
*/ + size_t i; + for (i=0; inaddrs; i++) { + struct addrinfo *a = addrlist->addrs[i].ai; ++ krb5_ui_2 kpasswd_port = htons(DEFAULT_KPASSWD_PORT); + if (a->ai_family == AF_INET) +- sa2sin (a->ai_addr)->sin_port = htons(DEFAULT_KPASSWD_PORT); ++ sa2sin (a->ai_addr)->sin_port = kpasswd_port; ++ if (a->ai_family == AF_INET6) ++ sa2sin6 (a->ai_addr)->sin6_port = kpasswd_port; + if (sockType != SOCK_STREAM) + a->ai_socktype = sockType; + } +@@ -131,10 +134,16 @@ kpasswd_sendto_msg_callback(struct conn_ + /* some brain-dead OS's don't return useful information from + * the getsockname call. Namely, windows and solaris. */ + +- if (ss2sin(&local_addr)->sin_addr.s_addr != 0) { ++ if (local_addr.ss_family == AF_INET && ++ ss2sin(&local_addr)->sin_addr.s_addr != 0) { + local_kaddr.addrtype = ADDRTYPE_INET; + local_kaddr.length = sizeof(ss2sin(&local_addr)->sin_addr); + local_kaddr.contents = (krb5_octet *) &ss2sin(&local_addr)->sin_addr; ++ } else if (local_addr.ss_family == AF_INET6 && ++ ss2sin6(&local_addr)->sin6_addr.s6_addr != 0) { ++ local_kaddr.addrtype = ADDRTYPE_INET6; ++ local_kaddr.length = sizeof(ss2sin6(&local_addr)->sin6_addr); ++ local_kaddr.contents = (krb5_octet *) &ss2sin6(&local_addr)->sin6_addr; + } else { + krb5_address **addrs; + +@@ -290,9 +299,19 @@ change_set_password(krb5_context context + break; + } + +- remote_kaddr.addrtype = ADDRTYPE_INET; +- remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr); +- remote_kaddr.contents = (krb5_octet *) &ss2sin(&remote_addr)->sin_addr; ++ if (remote_addr.ss_family == AF_INET) { ++ remote_kaddr.addrtype = ADDRTYPE_INET; ++ remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr); ++ remote_kaddr.contents = ++ (krb5_octet *) &ss2sin(&remote_addr)->sin_addr; ++ } else if (remote_addr.ss_family == AF_INET6) { ++ remote_kaddr.addrtype = ADDRTYPE_INET6; ++ remote_kaddr.length = sizeof(ss2sin6(&remote_addr)->sin6_addr); ++ remote_kaddr.contents = ++ (krb5_octet *) &ss2sin6(&remote_addr)->sin6_addr; ++ } else 
{ ++ break; ++ } + + if ((code = krb5_auth_con_setaddrs(callback_ctx.context, + callback_ctx.auth_context, +Index: src/lib/krb5/krb/gic_pwd.c +=================================================================== +--- src/lib/krb5/krb/gic_pwd.c.orig ++++ src/lib/krb5/krb/gic_pwd.c +@@ -218,7 +218,7 @@ krb5_get_init_creds_password(krb5_contex + * to prompt. Prompting is only disabled if the option has been set + * and the value has been set to false. + */ +- if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT)) ++ if (options && !(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT)) + goto cleanup; + + /* ok, we have an expired password. Give the user a few chances diff --git a/krb5-1.7-rpmlintrc b/krb5-1.8-rpmlintrc similarity index 100% rename from krb5-1.7-rpmlintrc rename to krb5-1.8-rpmlintrc diff --git a/krb5-1.8.tar.bz2 b/krb5-1.8.tar.bz2 new file mode 100644 index 0000000..771b1d5 --- /dev/null +++ b/krb5-1.8.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:10890ef19905e36e99d82cbe7caa6e8b0875b2a304f9a9e2d05137c87aff8212 +size 9958816 diff --git a/krb5-doc-1.7-rpmlintrc b/krb5-doc-1.8-rpmlintrc similarity index 100% rename from krb5-doc-1.7-rpmlintrc rename to krb5-doc-1.8-rpmlintrc diff --git a/krb5-doc.changes b/krb5-doc.changes index 7aeb8cb..7ac797d 100644 --- a/krb5-doc.changes +++ b/krb5-doc.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Tue Mar 23 12:38:29 CET 2010 - mc@suse.de + +- add post 1.8 fixes + * Document the ticket_lifetime libdefaults setting + +------------------------------------------------------------------- +Thu Mar 4 11:45:22 CET 2010 - mc@suse.de + +- update to version 1.8 + ------------------------------------------------------------------- Wed Jun 3 10:47:07 CEST 2009 - mc@suse.de diff --git a/krb5-doc.spec b/krb5-doc.spec index 79b2313..eea2ee1 100644 --- a/krb5-doc.spec +++ b/krb5-doc.spec 
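Review bot: In the `kpasswd_sendto_msg_callback` part of the src/lib/krb5/os/changepw.c patch, the new IPv6 test `ss2sin6(&local_addr)->sin6_addr.s6_addr != 0` compares an array with zero; `s6_addr` is a byte array, so the expression is the array's address and is always true. An all-zero local address is therefore used as the local address for AF_INET6, and the fallback in the `else` branch, which the existing comment says is there for systems whose getsockname call returns nothing useful, is never reached for that family. The test should look at the address contents, for example `!IN6_IS_ADDR_UNSPECIFIED(&ss2sin6(&local_addr)->sin6_addr)`. The function body continues outside the quoted patch hunk.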
@@ -1,5 +1,5 @@ # -# spec file for package krb5-doc (Version 1.7) +# spec file for package krb5-doc (Version 1.8) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -20,18 +20,18 @@ Name: krb5-doc BuildRequires: ghostscript-library latex2html texlive -Version: 1.7 -Release: 7 -%define srcRoot krb5-1.7 +Version: 1.8 +Release: 1 +%define srcRoot krb5-1.8 Summary: MIT Kerberos5 Implementation--Documentation License: MIT License (or similar) Url: http://web.mit.edu/kerberos/www/ Group: Documentation/Other -Source: krb5-%{version}.tar.bz2 -Source1: README.Source +Source: krb5-1.8.tar.bz2 Source3: %{name}-%{version}-rpmlintrc Patch0: krb5-1.3.5-perlfix.dif Patch1: krb5-1.6.3-texi2dvi-fix.dif +Patch2: krb5-1.8-POST.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch @@ -54,6 +54,7 @@ Authors: %setup -n %{srcRoot} %patch0 %patch1 +%patch2 %build diff --git a/krb5-mini.changes b/krb5-mini.changes index 9f3fded..bf323bc 100644 --- a/krb5-mini.changes +++ b/krb5-mini.changes 
@@ -1,11 +1,43 @@ ------------------------------------------------------------------- -Thu Jan 7 11:45:14 CET 2010 - mc@suse.de +Tue Mar 23 12:33:26 CET 2010 - mc@suse.de +- add post 1.8 fixes + * Add IPv6 support to changepw.c + * fix two problems in kadm5_get_principal mask handling + * Ignore improperly encoded signedpath AD elements + * handle NT_SRV_INST in service principal referrals + * dereference options while checking + KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT + * Fix the kpasswd fallback from the ccache principal name + * Document the ticket_lifetime libdefaults setting + * Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512 + +------------------------------------------------------------------- +Thu Mar 4 10:42:29 CET 2010 - mc@suse.de + +- update to version 1.8 + * Increase code quality + * Move toward improved KDB interface + * Investigate and remedy repeatedly-reported performance + bottlenecks. + * Reduce DNS dependence by implementing an interface that allows + client library to track whether a KDC supports service + principal referrals. + * Disable DES by default + * Account lockout for repeated login failures + * Bridge layer to allow Heimdal HDB modules to act as KDB + backend modules + * FAST enhancements + * Microsoft Services for User (S4U) compatibility + * Anonymous PKINIT +- fix KDC denial of service + CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781) - fix KDC denial of service in cross-realm referral processing CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347) - fix integer underflow in AES and RC4 decryption - CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351) - + CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351) +- moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl + ------------------------------------------------------------------- Mon Dec 14 16:32:01 CET 2009 - jengelh@medozas.de diff --git a/krb5-mini.spec b/krb5-mini.spec index c305dc6..b4867f2 100644 --- a/krb5-mini.spec +++ b/krb5-mini.spec 
@@ -1,5 +1,5 @@ # -# spec file for package krb5-mini (Version 1.7) +# spec file for package krb5 (Version 1.8) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -18,7 +18,7 @@ # norootforbuild %define build_mini 1 -%define srcRoot krb5-1.7 +%define srcRoot krb5-1.8 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -27,8 +27,8 @@ License: MIT License (or similar) Url: http://web.mit.edu/kerberos/www/ BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: keyutils keyutils-devel -Version: 1.7 -Release: 7 +Version: 1.8 +Release: 1 %if ! 0%{?build_mini} BuildRequires: libopenssl-devel openldap2-devel # bug437293 @@ -42,25 +42,20 @@ Group: Productivity/Networking/Security Summary: MIT Kerberos5 Implementation--Libraries Group: Productivity/Networking/Security %endif -Source: krb5-1.7.tar.bz2 +Source: krb5-1.8.tar.bz2 Source1: vendor-files.tar.bz2 -Source2: README.Source -Source3: spx.c -Source4: baselibs.conf +Source2: baselibs.conf Source5: krb5-%{version}-rpmlintrc Source10: krb5-1.7-manpaths.txt Patch2: krb5-1.6.1-compile_pie.dif Patch20: krb5-1.6.3-kprop-use-mkstemp.dif -Patch21: krb5-1.5.1-fix-var-used-before-value-set.dif -Patch22: krb5-1.5.1-fix-ftp-var-used-uninitialized.dif Patch30: krb5-1.7-manpaths.dif Patch32: krb5-1.4.3-enospc.dif Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif Patch41: krb5-1.6.3-kpasswd_tcp.patch Patch44: krb5-1.6.3-ktutil-manpage.dif Patch46: krb5-1.6.3-fix-ipv6-query.dif -Patch47: krb5-1.7-MITKRB5-SA-2009-003.dif -Patch48: krb5-1.7-MITKRB5-SA-2009-004.dif +Patch50: krb5-1.8-POST.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq 
@@ -117,46 +112,6 @@ and more. -Authors: --------- - The MIT Kerberos Team - Sam Hartman - Ken Raeburn - Tom Yu - -%package apps-servers -License: MIT License (or similar) -Summary: MIT Kerberos5 server applications -Group: Productivity/Networking/Security - -%description apps-servers -Kerberos V5 is a trusted-third-party network authentication system, -which can improve your network's security by eliminating the insecure -practice of cleartext passwords. This package includes some kerberos -compatible server applications like ftpd, klogind, telnetd, ... - - - -Authors: --------- - The MIT Kerberos Team - Sam Hartman - Ken Raeburn - Tom Yu - -%package apps-clients -License: MIT License (or similar) -Summary: MIT Kerberos5 client applications -Group: Productivity/Networking/Security - -%description apps-clients -Kerberos V5 is a trusted-third-party network authentication system, -which can improve your network's security by eliminating the insecure -practice of cleartext passwords. This package includes some kerberos -compatible client applications like ftp, rpc, rlogin, telnet, ... - - - Authors: -------- The MIT Kerberos Team @@ -240,25 +195,15 @@ Authors: %prep %setup -q -n %{srcRoot} %setup -a 1 -T -D -n %{srcRoot} -if [ -e %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c ] -then - echo "spx.c contains potential legal risks." - exit 1; -else - cp %{SOURCE3} %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c -fi %patch2 %patch20 -%patch21 -%patch22 %patch30 -p1 %patch32 -p1 %patch34 -p1 %patch41 %patch44 -p1 %patch46 -p1 -%patch47 -p1 -%patch48 -p1 +%patch50 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do 
@@ -319,12 +264,6 @@ install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.c install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh install -m 644 %{vendorFiles}/SuSEFirewall.kdc %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc install -m 644 %{vendorFiles}/SuSEFirewall.kadmind %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind -for n in ftpd.8 telnetd.8; do - mv %{buildroot}%{_mandir}/man8/${n} %{buildroot}%{_mandir}/man8/k${n} -done -for n in ftp.1 rlogin.1 rcp.1 rsh.1 telnet.1; do - mv %{buildroot}%{_mandir}/man1/${n} %{buildroot}%{_mandir}/man1/k${n} -done # all libs must have permissions 0755 for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"` do @@ -337,12 +276,6 @@ mkdir -p %{buildroot}%{_sysconfdir}/init.d install -m 755 %{vendorFiles}/kadmind.init %{buildroot}%{_sysconfdir}/init.d/kadmind install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb5kdc install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd -# install xinetd files -mkdir -p %{buildroot}%{_sysconfdir}/xinetd.d -install -m 644 %{vendorFiles}/klogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/klogin -install -m 644 %{vendorFiles}/eklogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/eklogin -install -m 644 %{vendorFiles}/krb5-telnet.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/ktelnet -install -m 644 %{vendorFiles}/kshell.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/kshell # install logrotate files mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server @@ -421,7 +354,9 @@ rm -rf %{buildroot} %dir /usr/lib/mit/sbin %{_libdir}/libgssrpc.so %{_libdir}/libk5crypto.so +%{_libdir}/libkadm5clnt_mit.so %{_libdir}/libkadm5clnt.so +%{_libdir}/libkadm5srv_mit.so %{_libdir}/libkadm5srv.so %{_libdir}/libkdb5.so %{_libdir}/libkrb5.so 
@@ -455,17 +390,13 @@ rm -rf %{buildroot} %attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf %attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl %attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict -%config(noreplace) %{_sysconfdir}/xinetd.d/klogin -%config(noreplace) %{_sysconfdir}/xinetd.d/eklogin -%config(noreplace) %{_sysconfdir}/xinetd.d/kshell -%config(noreplace) %{_sysconfdir}/xinetd.d/ktelnet %config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k* %{_sysconfdir}/init.d/* %{_libdir}/libgssapi_krb5.* %{_libdir}/libgssrpc.so.* %{_libdir}/libk5crypto.so.* -%{_libdir}/libkadm5clnt.so.* -%{_libdir}/libkadm5srv.so.* +%{_libdir}/libkadm5clnt_mit.so.* +%{_libdir}/libkadm5srv_mit.so.* %{_libdir}/libkdb5.so.* %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* @@ -479,15 +410,10 @@ rm -rf %{buildroot} /usr/lib/mit/sbin/kprop /usr/lib/mit/sbin/kdb5_util /usr/lib/mit/sbin/krb5kdc -/usr/lib/mit/sbin/ftpd -/usr/lib/mit/sbin/klogind -/usr/lib/mit/sbin/kshd -/usr/lib/mit/sbin/telnetd /usr/lib/mit/sbin/uuserver /usr/lib/mit/sbin/sserver /usr/lib/mit/sbin/gss-server /usr/lib/mit/sbin/sim_server -/usr/lib/mit/sbin/login.krb5 /usr/lib/mit/bin/k5srvutil /usr/lib/mit/bin/kvno /usr/lib/mit/bin/kinit @@ -497,16 +423,10 @@ rm -rf %{buildroot} /usr/lib/mit/bin/kadmin /usr/lib/mit/bin/ktutil %attr(0755,root,root) /usr/lib/mit/bin/ksu -/usr/lib/mit/bin/rcp -/usr/lib/mit/bin/rsh -/usr/lib/mit/bin/telnet /usr/lib/mit/bin/uuclient /usr/lib/mit/bin/sclient /usr/lib/mit/bin/gss-client /usr/lib/mit/bin/sim_client -/usr/lib/mit/bin/ftp -/usr/lib/mit/bin/rlogin -#/usr/lib/mit/bin/* /usr/bin/kinit /usr/bin/klist /usr/bin/rc* 
@@ -517,12 +437,7 @@ rm -rf %{buildroot} %{_mandir}/man1/kpasswd.1* %{_mandir}/man1/klist.1* %{_mandir}/man1/kerberos.1* -%{_mandir}/man1/kftp.1* -%{_mandir}/man1/krlogin.1* -%{_mandir}/man1/krsh.1* -%{_mandir}/man1/ktelnet.1* %{_mandir}/man1/ksu.1* -%{_mandir}/man1/krcp.1* %{_mandir}/man1/sclient.1* %{_mandir}/man1/kadmin.1* %{_mandir}/man1/ktutil.1* @@ -549,8 +464,8 @@ rm -rf %{buildroot} %{_libdir}/libgssapi_krb5.* %{_libdir}/libgssrpc.so.* %{_libdir}/libk5crypto.so.* -%{_libdir}/libkadm5clnt.so.* -%{_libdir}/libkadm5srv.so.* +%{_libdir}/libkadm5clnt_mit.so.* +%{_libdir}/libkadm5srv_mit.so.* %{_libdir}/libkdb5.so.* %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* @@ -582,6 +497,10 @@ rm -rf %{buildroot} /usr/lib/mit/sbin/kprop /usr/lib/mit/sbin/kdb5_util /usr/lib/mit/sbin/krb5kdc +/usr/lib/mit/sbin/gss-server +/usr/lib/mit/sbin/sim_server +/usr/lib/mit/sbin/sserver +/usr/lib/mit/sbin/uuserver %{_libdir}/krb5/plugins/kdb/db2.so %{_mandir}/man5/kdc.conf.5* %{_mandir}/man8/kadmind.8* @@ -591,6 +510,7 @@ rm -rf %{buildroot} %{_mandir}/man8/kproplog.8.gz %{_mandir}/man8/kdb5_util.8* %{_mandir}/man8/krb5kdc.8* +%{_mandir}/man8/sserver.8* %files client %defattr(-,root,root) @@ -605,6 +525,11 @@ rm -rf %{buildroot} /usr/lib/mit/bin/kadmin /usr/lib/mit/bin/ktutil /usr/lib/mit/bin/k5srvutil +/usr/lib/mit/bin/gss-client +/usr/lib/mit/bin/ksu +/usr/lib/mit/bin/sclient +/usr/lib/mit/bin/sim_client +/usr/lib/mit/bin/uuclient /usr/bin/kinit /usr/bin/klist %{_mandir}/man1/kvno.1* 
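Review bot: `/usr/lib/mit/bin/ksu` is added to `%files client` in the `@@ -605,6 +525,11 @@` hunk without an `%attr`, so under `%defattr(-,root,root)` it is packaged with whatever mode the install step left on it. The same commit removes the `apps-clients` entry `%attr(0755,root,root) /usr/lib/mit/bin/ksu` along with its comment "removed SUID bit, we will rely on su + pam_krb". If the upstream install marks ksu setuid root (not visible in this diff), the client package would now ship it that way; carry the entry over as `%attr(0755,root,root) /usr/lib/mit/bin/ksu` together with that comment. The `%files client` list continues outside the hunk.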
@@ -618,53 +543,8 @@ rm -rf %{buildroot} %{_mandir}/man1/k5srvutil.1* %{_mandir}/man5/krb5.conf.5* %{_mandir}/man5/.k5login.5* - -%files apps-servers -%defattr(-,root,root) -%config(noreplace) %{_sysconfdir}/xinetd.d/klogin -%config(noreplace) %{_sysconfdir}/xinetd.d/eklogin -%config(noreplace) %{_sysconfdir}/xinetd.d/kshell -%config(noreplace) %{_sysconfdir}/xinetd.d/ktelnet -%dir /usr/lib/mit -%dir /usr/lib/mit/sbin -/usr/lib/mit/sbin/ftpd -/usr/lib/mit/sbin/klogind -/usr/lib/mit/sbin/kshd -/usr/lib/mit/sbin/telnetd -/usr/lib/mit/sbin/uuserver -/usr/lib/mit/sbin/sserver -/usr/lib/mit/sbin/gss-server -/usr/lib/mit/sbin/sim_server -/usr/lib/mit/sbin/login.krb5 -%{_mandir}/man8/kftpd.8* -%{_mandir}/man8/klogind.8* -%{_mandir}/man8/kshd.8* -%{_mandir}/man8/ktelnetd.8* -%{_mandir}/man8/sserver.8* -%{_mandir}/man8/login.krb5.8* - -%files apps-clients -%defattr(-,root,root) -%dir /usr/lib/mit -%dir /usr/lib/mit/bin -/usr/lib/mit/bin/ftp -/usr/lib/mit/bin/rlogin -# removed SUID bit, we will rely on su + pam_krb -%attr(0755,root,root) /usr/lib/mit/bin/ksu -/usr/lib/mit/bin/rcp -/usr/lib/mit/bin/rsh -/usr/lib/mit/bin/telnet -/usr/lib/mit/bin/uuclient -/usr/lib/mit/bin/sclient -/usr/lib/mit/bin/gss-client -/usr/lib/mit/bin/sim_client -%{_mandir}/man1/kftp.1* -%{_mandir}/man1/krlogin.1* -%{_mandir}/man1/krsh.1* -%{_mandir}/man1/ktelnet.1* -%{_mandir}/man1/ksu.1* -%{_mandir}/man1/krcp.1* -%{_mandir}/man1/sclient.1* +%{_mandir}/man1/ksu.1.gz +%{_mandir}/man1/sclient.1.gz %files plugin-kdb-ldap %defattr(-,root,root) diff --git a/krb5.changes b/krb5.changes index 9f3fded..bf323bc 100644 --- a/krb5.changes +++ b/krb5.changes 
@@ -1,11 +1,43 @@ ------------------------------------------------------------------- -Thu Jan 7 11:45:14 CET 2010 - mc@suse.de +Tue Mar 23 12:33:26 CET 2010 - mc@suse.de +- add post 1.8 fixes + * Add IPv6 support to changepw.c + * fix two problems in kadm5_get_principal mask handling + * Ignore improperly encoded signedpath AD elements + * handle NT_SRV_INST in service principal referrals + * dereference options while checking + KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT + * Fix the kpasswd fallback from the ccache principal name + * Document the ticket_lifetime libdefaults setting + * Change KRB5_AUTHDATA_SIGNTICKET from 142 to 512 + +------------------------------------------------------------------- +Thu Mar 4 10:42:29 CET 2010 - mc@suse.de + +- update to version 1.8 + * Increase code quality + * Move toward improved KDB interface + * Investigate and remedy repeatedly-reported performance + bottlenecks. + * Reduce DNS dependence by implementing an interface that allows + client library to track whether a KDC supports service + principal referrals. + * Disable DES by default + * Account lockout for repeated login failures + * Bridge layer to allow Heimdal HDB modules to act as KDB + backend modules + * FAST enhancements + * Microsoft Services for User (S4U) compatibility + * Anonymous PKINIT +- fix KDC denial of service + CVE-2010-0283, MITKRB5-SA-2010-001 (bnc#571781) - fix KDC denial of service in cross-realm referral processing CVE-2009-3295, MITKRB5-SA-2009-003 (bnc#561347) - fix integer underflow in AES and RC4 decryption - CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351) - + CVE-2009-4212, MITKRB5-SA-2009-004 (bnc#561351) +- moved krb5 applications (telnet, ftp, rlogin, ...) to krb5-appl + ------------------------------------------------------------------- Mon Dec 14 16:32:01 CET 2009 - jengelh@medozas.de diff --git a/krb5.spec b/krb5.spec index 549b327..68c13d9 100644 --- a/krb5.spec +++ b/krb5.spec 
@@ -1,5 +1,5 @@ # -# spec file for package krb5 (Version 1.7) +# spec file for package krb5 (Version 1.8) # # Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. # @@ -18,7 +18,7 @@ # norootforbuild %define build_mini 0 -%define srcRoot krb5-1.7 +%define srcRoot krb5-1.8 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ %define krb5docdir %{_defaultdocdir}/krb5 @@ -27,8 +27,8 @@ License: MIT License (or similar) Url: http://web.mit.edu/kerberos/www/ BuildRequires: bison libcom_err-devel ncurses-devel BuildRequires: keyutils keyutils-devel -Version: 1.7 -Release: 7 +Version: 1.8 +Release: 1 %if ! 0%{?build_mini} BuildRequires: libopenssl-devel openldap2-devel # bug437293 @@ -42,25 +42,20 @@ Group: Productivity/Networking/Security Summary: MIT Kerberos5 Implementation--Libraries Group: Productivity/Networking/Security %endif -Source: krb5-1.7.tar.bz2 +Source: krb5-1.8.tar.bz2 Source1: vendor-files.tar.bz2 -Source2: README.Source -Source3: spx.c -Source4: baselibs.conf +Source2: baselibs.conf Source5: krb5-%{version}-rpmlintrc Source10: krb5-1.7-manpaths.txt Patch2: krb5-1.6.1-compile_pie.dif Patch20: krb5-1.6.3-kprop-use-mkstemp.dif -Patch21: krb5-1.5.1-fix-var-used-before-value-set.dif -Patch22: krb5-1.5.1-fix-ftp-var-used-uninitialized.dif Patch30: krb5-1.7-manpaths.dif Patch32: krb5-1.4.3-enospc.dif Patch34: krb5-1.6.3-gssapi_improve_errormessages.dif Patch41: krb5-1.6.3-kpasswd_tcp.patch Patch44: krb5-1.6.3-ktutil-manpage.dif Patch46: krb5-1.6.3-fix-ipv6-query.dif -Patch47: krb5-1.7-MITKRB5-SA-2009-003.dif -Patch48: krb5-1.7-MITKRB5-SA-2009-004.dif +Patch50: krb5-1.8-POST.dif BuildRoot: %{_tmppath}/%{name}-%{version}-build PreReq: mktemp, grep, /bin/touch, coreutils PreReq: %insserv_prereq %fillup_prereq 
@@ -117,46 +112,6 @@ and more. -Authors: --------- - The MIT Kerberos Team - Sam Hartman - Ken Raeburn - Tom Yu - -%package apps-servers -License: MIT License (or similar) -Summary: MIT Kerberos5 server applications -Group: Productivity/Networking/Security - -%description apps-servers -Kerberos V5 is a trusted-third-party network authentication system, -which can improve your network's security by eliminating the insecure -practice of cleartext passwords. This package includes some kerberos -compatible server applications like ftpd, klogind, telnetd, ... - - - -Authors: --------- - The MIT Kerberos Team - Sam Hartman - Ken Raeburn - Tom Yu - -%package apps-clients -License: MIT License (or similar) -Summary: MIT Kerberos5 client applications -Group: Productivity/Networking/Security - -%description apps-clients -Kerberos V5 is a trusted-third-party network authentication system, -which can improve your network's security by eliminating the insecure -practice of cleartext passwords. This package includes some kerberos -compatible client applications like ftp, rpc, rlogin, telnet, ... - - - Authors: -------- The MIT Kerberos Team @@ -240,25 +195,15 @@ Authors: %prep %setup -q -n %{srcRoot} %setup -a 1 -T -D -n %{srcRoot} -if [ -e %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c ] -then - echo "spx.c contains potential legal risks." - exit 1; -else - cp %{SOURCE3} %{_builddir}/%{srcRoot}/src/appl/telnet/libtelnet/spx.c -fi %patch2 %patch20 -%patch21 -%patch22 %patch30 -p1 %patch32 -p1 %patch34 -p1 %patch41 %patch44 -p1 %patch46 -p1 -%patch47 -p1 -%patch48 -p1 +%patch50 # Rename the man pages so that they'll get generated correctly. pushd src cat %{SOURCE10} | while read manpage ; do 
@@ -319,12 +264,6 @@ install -m 644 %{vendorFiles}/krb5.csh.profile %{buildroot}/etc/profile.d/krb5.c install -m 644 %{vendorFiles}/krb5.sh.profile %{buildroot}/etc/profile.d/krb5.sh install -m 644 %{vendorFiles}/SuSEFirewall.kdc %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kdc install -m 644 %{vendorFiles}/SuSEFirewall.kadmind %{buildroot}/etc/sysconfig/SuSEfirewall2.d/services/kadmind -for n in ftpd.8 telnetd.8; do - mv %{buildroot}%{_mandir}/man8/${n} %{buildroot}%{_mandir}/man8/k${n} -done -for n in ftp.1 rlogin.1 rcp.1 rsh.1 telnet.1; do - mv %{buildroot}%{_mandir}/man1/${n} %{buildroot}%{_mandir}/man1/k${n} -done # all libs must have permissions 0755 for lib in `find %{buildroot}/%{_libdir}/ -type f -name "*.so*"` do @@ -337,12 +276,6 @@ mkdir -p %{buildroot}%{_sysconfdir}/init.d install -m 755 %{vendorFiles}/kadmind.init %{buildroot}%{_sysconfdir}/init.d/kadmind install -m 755 %{vendorFiles}/krb5kdc.init %{buildroot}%{_sysconfdir}/init.d/krb5kdc install -m 755 %{vendorFiles}/kpropd.init %{buildroot}%{_sysconfdir}/init.d/kpropd -# install xinetd files -mkdir -p %{buildroot}%{_sysconfdir}/xinetd.d -install -m 644 %{vendorFiles}/klogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/klogin -install -m 644 %{vendorFiles}/eklogin.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/eklogin -install -m 644 %{vendorFiles}/krb5-telnet.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/ktelnet -install -m 644 %{vendorFiles}/kshell.xinetd %{buildroot}%{_sysconfdir}/xinetd.d/kshell # install logrotate files mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d install -m 644 %{vendorFiles}/krb5-server.logrotate %{buildroot}%{_sysconfdir}/logrotate.d/krb5-server @@ -421,7 +354,9 @@ rm -rf %{buildroot} %dir /usr/lib/mit/sbin %{_libdir}/libgssrpc.so %{_libdir}/libk5crypto.so +%{_libdir}/libkadm5clnt_mit.so %{_libdir}/libkadm5clnt.so +%{_libdir}/libkadm5srv_mit.so %{_libdir}/libkadm5srv.so %{_libdir}/libkdb5.so %{_libdir}/libkrb5.so 
@@ -455,17 +390,13 @@ rm -rf %{buildroot} %attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kdc.conf %attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.acl %attr(0600,root,root) %config(noreplace) %{_localstatedir}/lib/kerberos/krb5kdc/kadm5.dict -%config(noreplace) %{_sysconfdir}/xinetd.d/klogin -%config(noreplace) %{_sysconfdir}/xinetd.d/eklogin -%config(noreplace) %{_sysconfdir}/xinetd.d/kshell -%config(noreplace) %{_sysconfdir}/xinetd.d/ktelnet %config %{_sysconfdir}/sysconfig/SuSEfirewall2.d/services/k* %{_sysconfdir}/init.d/* %{_libdir}/libgssapi_krb5.* %{_libdir}/libgssrpc.so.* %{_libdir}/libk5crypto.so.* -%{_libdir}/libkadm5clnt.so.* -%{_libdir}/libkadm5srv.so.* +%{_libdir}/libkadm5clnt_mit.so.* +%{_libdir}/libkadm5srv_mit.so.* %{_libdir}/libkdb5.so.* %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* @@ -479,15 +410,10 @@ rm -rf %{buildroot} /usr/lib/mit/sbin/kprop /usr/lib/mit/sbin/kdb5_util /usr/lib/mit/sbin/krb5kdc -/usr/lib/mit/sbin/ftpd -/usr/lib/mit/sbin/klogind -/usr/lib/mit/sbin/kshd -/usr/lib/mit/sbin/telnetd /usr/lib/mit/sbin/uuserver /usr/lib/mit/sbin/sserver /usr/lib/mit/sbin/gss-server /usr/lib/mit/sbin/sim_server -/usr/lib/mit/sbin/login.krb5 /usr/lib/mit/bin/k5srvutil /usr/lib/mit/bin/kvno /usr/lib/mit/bin/kinit @@ -497,16 +423,10 @@ rm -rf %{buildroot} /usr/lib/mit/bin/kadmin /usr/lib/mit/bin/ktutil %attr(0755,root,root) /usr/lib/mit/bin/ksu -/usr/lib/mit/bin/rcp -/usr/lib/mit/bin/rsh -/usr/lib/mit/bin/telnet /usr/lib/mit/bin/uuclient /usr/lib/mit/bin/sclient /usr/lib/mit/bin/gss-client /usr/lib/mit/bin/sim_client -/usr/lib/mit/bin/ftp -/usr/lib/mit/bin/rlogin -#/usr/lib/mit/bin/* /usr/bin/kinit /usr/bin/klist /usr/bin/rc* 
@@ -517,12 +437,7 @@ rm -rf %{buildroot} %{_mandir}/man1/kpasswd.1* %{_mandir}/man1/klist.1* %{_mandir}/man1/kerberos.1* -%{_mandir}/man1/kftp.1* -%{_mandir}/man1/krlogin.1* -%{_mandir}/man1/krsh.1* -%{_mandir}/man1/ktelnet.1* %{_mandir}/man1/ksu.1* -%{_mandir}/man1/krcp.1* %{_mandir}/man1/sclient.1* %{_mandir}/man1/kadmin.1* %{_mandir}/man1/ktutil.1* @@ -549,8 +464,8 @@ rm -rf %{buildroot} %{_libdir}/libgssapi_krb5.* %{_libdir}/libgssrpc.so.* %{_libdir}/libk5crypto.so.* -%{_libdir}/libkadm5clnt.so.* -%{_libdir}/libkadm5srv.so.* +%{_libdir}/libkadm5clnt_mit.so.* +%{_libdir}/libkadm5srv_mit.so.* %{_libdir}/libkdb5.so.* %{_libdir}/libkrb5.so.* %{_libdir}/libkrb5support.so.* @@ -582,6 +497,10 @@ rm -rf %{buildroot} /usr/lib/mit/sbin/kprop /usr/lib/mit/sbin/kdb5_util /usr/lib/mit/sbin/krb5kdc +/usr/lib/mit/sbin/gss-server +/usr/lib/mit/sbin/sim_server +/usr/lib/mit/sbin/sserver +/usr/lib/mit/sbin/uuserver %{_libdir}/krb5/plugins/kdb/db2.so %{_mandir}/man5/kdc.conf.5* %{_mandir}/man8/kadmind.8* @@ -591,6 +510,7 @@ rm -rf %{buildroot} %{_mandir}/man8/kproplog.8.gz %{_mandir}/man8/kdb5_util.8* %{_mandir}/man8/krb5kdc.8* +%{_mandir}/man8/sserver.8* %files client %defattr(-,root,root) @@ -605,6 +525,11 @@ rm -rf %{buildroot} /usr/lib/mit/bin/kadmin /usr/lib/mit/bin/ktutil /usr/lib/mit/bin/k5srvutil +/usr/lib/mit/bin/gss-client +/usr/lib/mit/bin/ksu +/usr/lib/mit/bin/sclient +/usr/lib/mit/bin/sim_client +/usr/lib/mit/bin/uuclient /usr/bin/kinit /usr/bin/klist %{_mandir}/man1/kvno.1* 
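Review bot: The four binaries added to the server file list in the `@@ -582,6 +497,10 @@` hunk (`gss-server`, `sim_server`, `sserver`, `uuserver`) look like the upstream sample applications rather than KDC components. The `%files client` hunk after it adds their counterparts (`gss-client`, `sclient`, `sim_client`, `uuclient`). With the apps-servers/apps-clients subpackages removed, they are now installed with every server and client package. If they are kept only for testing, a separate subpackage (or not packaging them) keeps demo network services off production KDC hosts; at minimum a comment such as `# upstream sample programs, kept for testing only` above the four lines would document the intent.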
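Review bot: `/usr/lib/mit/bin/ksu` is added to `%files client` in the `@@ -605,6 +525,11 @@` hunk without an explicit mode, so under `%defattr(-,root,root)` it is packaged with whatever mode the install step left in the buildroot. The apps-clients entry it replaces (removed in the last spec hunk) pinned it with `%attr(0755,root,root)` and the comment `# removed SUID bit, we will rely on su + pam_krb`, and the main package list still carries that `%attr`. If the upstream install step sets the setuid bit on ksu, this line would ship it setuid root again. I would write `%attr(0755,root,root) /usr/lib/mit/bin/ksu` here and carry the original comment over.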
@@ -618,53 +543,8 @@ rm -rf %{buildroot} %{_mandir}/man1/k5srvutil.1* %{_mandir}/man5/krb5.conf.5* %{_mandir}/man5/.k5login.5* - -%files apps-servers -%defattr(-,root,root) -%config(noreplace) %{_sysconfdir}/xinetd.d/klogin -%config(noreplace) %{_sysconfdir}/xinetd.d/eklogin -%config(noreplace) %{_sysconfdir}/xinetd.d/kshell -%config(noreplace) %{_sysconfdir}/xinetd.d/ktelnet -%dir /usr/lib/mit -%dir /usr/lib/mit/sbin -/usr/lib/mit/sbin/ftpd -/usr/lib/mit/sbin/klogind -/usr/lib/mit/sbin/kshd -/usr/lib/mit/sbin/telnetd -/usr/lib/mit/sbin/uuserver -/usr/lib/mit/sbin/sserver -/usr/lib/mit/sbin/gss-server -/usr/lib/mit/sbin/sim_server -/usr/lib/mit/sbin/login.krb5 -%{_mandir}/man8/kftpd.8* -%{_mandir}/man8/klogind.8* -%{_mandir}/man8/kshd.8* -%{_mandir}/man8/ktelnetd.8* -%{_mandir}/man8/sserver.8* -%{_mandir}/man8/login.krb5.8* - -%files apps-clients -%defattr(-,root,root) -%dir /usr/lib/mit -%dir /usr/lib/mit/bin -/usr/lib/mit/bin/ftp -/usr/lib/mit/bin/rlogin -# removed SUID bit, we will rely on su + pam_krb -%attr(0755,root,root) /usr/lib/mit/bin/ksu -/usr/lib/mit/bin/rcp -/usr/lib/mit/bin/rsh -/usr/lib/mit/bin/telnet -/usr/lib/mit/bin/uuclient -/usr/lib/mit/bin/sclient -/usr/lib/mit/bin/gss-client -/usr/lib/mit/bin/sim_client -%{_mandir}/man1/kftp.1* -%{_mandir}/man1/krlogin.1* -%{_mandir}/man1/krsh.1* -%{_mandir}/man1/ktelnet.1* -%{_mandir}/man1/ksu.1* -%{_mandir}/man1/krcp.1* -%{_mandir}/man1/sclient.1* +%{_mandir}/man1/ksu.1.gz +%{_mandir}/man1/sclient.1.gz %files plugin-kdb-ldap %defattr(-,root,root) diff --git a/ready b/ready deleted file mode 100644 index 473a0f4..0000000 diff --git a/spx.c b/spx.c deleted file mode 100644 index 256ccd5..0000000 --- a/spx.c +++ /dev/null 
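Review bot: The two man page entries added at the end of this file list hard-code the compression suffix (`ksu.1.gz`, `sclient.1.gz`), while the neighbouring entries use a glob (`k5srvutil.1*`, `krb5.conf.5*`). The entries would stop matching if the man page compression changes. I would write them as `%{_mandir}/man1/ksu.1*` and `%{_mandir}/man1/sclient.1*` to match the rest of the list.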
@@ -1,50 +0,0 @@ -/*- - * Copyright (c) 1992, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -/* based on @(#)spx.c 8.1 (Berkeley) 6/4/93 */ - -#include "misc-proto.h" - -#ifdef notdef - -prkey(msg, key) - char *msg; - unsigned char *key; -{ - register int i; - printf("%s:", msg); - for (i = 0; i < 8; i++) - printf(" %3d", key[i]); - printf("\r\n"); -} -#endif diff --git a/vendor-files.tar.bz2 b/vendor-files.tar.bz2 index 125b194..9c9d317 100644 --- a/vendor-files.tar.bz2 +++ b/vendor-files.tar.bz2 @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:cc8af64eb451283d9ed22d52848a923e65a50b5c80442fe3165f238efdd34571 -size 182153 +oid sha256:afd7fcef667fa671ba023b747d95c62dd83b03c4bb93c7132e1ae78fe837c35e +size 182067