Index: src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c =================================================================== --- src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c.orig +++ src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c @@ -303,6 +303,11 @@ int main(argc, argv) krb5_boolean realm_name_required = TRUE; krb5_boolean print_help_message = FALSE; + /* + * Ensure that "progname" is set before calling com_err. + */ + progname = (strrchr(argv[0], '/') ? strrchr(argv[0], '/')+1 : argv[0]); + retval = krb5_init_context(&util_context); set_com_err_hook(extended_com_err_fn); if (retval) { @@ -311,8 +316,6 @@ int main(argc, argv) goto cleanup; } - progname = (strrchr(argv[0], '/') ? strrchr(argv[0], '/')+1 : argv[0]); - cmd_argv = (char **) malloc(sizeof(char *)*argc); if (cmd_argv == NULL) { com_err(progname, ENOMEM, "while creating sub-command arguments"); @@ -344,7 +347,7 @@ int main(argc, argv) } } else if (strcmp(*argv, "-k") == 0 && ARG_VAL) { if (krb5_string_to_enctype(koptarg, &global_params.enctype)) - com_err(argv[0], 0, "%s is an invalid enctype", koptarg); + com_err(progname, 0, "%s is an invalid enctype", koptarg); else global_params.mask |= KADM5_CONFIG_ENCTYPE; } else if (strcmp(*argv, "-M") == 0 && ARG_VAL) { @@ -466,7 +469,7 @@ int main(argc, argv) retval = kadm5_get_config_params(util_context, 1, &global_params, &global_params); if (retval) { - com_err(argv[0], retval, "while retreiving configuration parameters"); + com_err(progname, retval, "while retreiving configuration parameters"); exit_status++; goto cleanup; } @@ -474,7 +477,7 @@ int main(argc, argv) } if ((retval = krb5_ldap_lib_init()) != 0) { - com_err(argv[0], retval, "while initializing error handling"); + com_err(progname, retval, "while initializing error handling"); exit_status++; goto cleanup; } 
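Review bot: In the first hunk of `main` (`@@ -303`), the relocated `progname` assignment passes `argv[0]` to `strrchr` without checking it, so a process started with an empty argument vector (`argc == 0`, `argv[0] == NULL`) hits undefined behaviour before any error can be reported. Since this line now runs first, guard it and fall back to a fixed name: `char *slash = (argc > 0 && argv[0]) ? strrchr(argv[0], '/') : NULL;` followed by `progname = slash ? slash + 1 : ((argc > 0 && argv[0]) ? argv[0] : "kdb5_ldap_util");`. That also avoids calling `strrchr` twice. `main` continues outside the hunk.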
@@ -482,7 +485,7 @@ int main(argc, argv) /* Initialize the ldap context */ ldap_context = calloc(sizeof(krb5_ldap_context), 1); if (ldap_context == NULL) { - com_err(argv[0], ENOMEM, "while initializing ldap handle"); + com_err(progname, ENOMEM, "while initializing ldap handle"); exit_status++; goto cleanup; } @@ -495,7 +498,7 @@ int main(argc, argv) if (passwd == NULL) { passwd = (char *)malloc(MAX_PASSWD_LEN); if (passwd == NULL) { - com_err(argv[0], ENOMEM, "while retrieving ldap configuration"); + com_err(progname, ENOMEM, "while retrieving ldap configuration"); exit_status++; goto cleanup; } @@ -503,7 +506,7 @@ int main(argc, argv) if (prompt == NULL) { free(passwd); passwd = NULL; - com_err(argv[0], ENOMEM, "while retrieving ldap configuration"); + com_err(progname, ENOMEM, "while retrieving ldap configuration"); exit_status++; goto cleanup; } @@ -514,7 +517,7 @@ int main(argc, argv) db_retval = krb5_read_password(util_context, prompt, NULL, passwd, &passwd_len); if ((db_retval) || (passwd_len == 0)) { - com_err(argv[0], ENOMEM, "while retrieving ldap configuration"); + com_err(progname, ENOMEM, "while retrieving ldap configuration"); free(passwd); passwd = NULL; exit_status++; @@ -530,14 +533,14 @@ int main(argc, argv) ldap_context->server_info_list = (krb5_ldap_server_info **) calloc (2, sizeof (krb5_ldap_server_info *)) ; if (ldap_context->server_info_list == NULL) { - com_err(argv[0], ENOMEM, "while initializing server list"); + com_err(progname, ENOMEM, "while initializing server list"); exit_status++; goto cleanup; } ldap_context->server_info_list[0] = (krb5_ldap_server_info *) calloc (1, sizeof (krb5_ldap_server_info)); if (ldap_context->server_info_list[0] == NULL) { - com_err(argv[0], ENOMEM, "while initializing server list"); + com_err(progname, ENOMEM, "while initializing server list"); exit_status++; goto cleanup; } 
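Review bot: In the `krb5_read_password` hunk (`@@ -514`), the failure branch still reports `ENOMEM` although no allocation failed there; the real cause is in `db_retval`, or an empty password when `passwd_len == 0`. Pass the actual code, e.g. `com_err(progname, db_retval ? db_retval : EINVAL, "while retrieving ldap configuration");`, so an operator is not sent looking for a memory problem. The buffer is also released with a plain `free(passwd)`; it may hold part of the bind password at that point, so clearing it before the free would be safer. The enclosing block starts and ends outside the hunk.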
@@ -546,7 +549,7 @@ int main(argc, argv) ldap_context->server_info_list[0]->server_name = strdup(ldap_server); if (ldap_context->server_info_list[0]->server_name == NULL) { - com_err(argv[0], ENOMEM, "while initializing server list"); + com_err(progname, ENOMEM, "while initializing server list"); exit_status++; goto cleanup; } @@ -554,7 +557,7 @@ int main(argc, argv) if (bind_dn) { ldap_context->bind_dn = strdup(bind_dn); if (ldap_context->bind_dn == NULL) { - com_err(argv[0], ENOMEM, "while retrieving ldap configuration"); + com_err(progname, ENOMEM, "while retrieving ldap configuration"); exit_status++; goto cleanup; } @@ -566,7 +569,7 @@ int main(argc, argv) if (realm_name_required) { if ((global_params.enctype != ENCTYPE_UNKNOWN) && (!krb5_c_valid_enctype(global_params.enctype))) { - com_err(argv[0], KRB5_PROG_KEYTYPE_NOSUPP, + com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP, "while setting up enctype %d", global_params.enctype); } } @@ -583,7 +586,7 @@ int main(argc, argv) db_retval = krb5_ldap_read_server_params(util_context, conf_section, KRB5_KDB_SRV_TYPE_OTHER); if (db_retval) { - com_err(argv[0], db_retval, "while reading ldap configuration"); + com_err(progname, db_retval, "while reading ldap configuration"); exit_status++; goto cleanup; } Index: src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c =================================================================== --- src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c.orig +++ src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c @@ -67,7 +67,7 @@ static krb5_error_code init_ldap_realm ( retval = krb5_ldap_read_krbcontainer_params (util_context, &(ldap_context->krbcontainer)); if (retval != 0) { - com_err(argv[0], retval, "while reading kerberos container information"); + com_err(progname, retval, "while reading kerberos container information"); goto cleanup; } } 
@@ -95,7 +95,7 @@ kdb5_ldap_create_policy(argc, argv) int argc; char *argv[]; { - char *me = argv[0]; + char *me = progname; krb5_error_code retval = 0; krb5_ldap_policy_params *policyparams = NULL; krb5_boolean print_usage = FALSE; @@ -322,7 +322,7 @@ kdb5_ldap_destroy_policy(argc, argv) int argc; char *argv[]; { - char *me = argv[0]; + char *me = progname; krb5_error_code retval = 0; krb5_ldap_policy_params *policyparams = NULL; krb5_boolean print_usage = FALSE; @@ -426,7 +426,7 @@ kdb5_ldap_modify_policy(argc, argv) int argc; char *argv[]; { - char *me = argv[0]; + char *me = progname; krb5_error_code retval = 0; krb5_ldap_policy_params *policyparams = NULL; krb5_boolean print_usage = FALSE; @@ -683,7 +683,7 @@ kdb5_ldap_view_policy(argc, argv) int argc; char *argv[]; { - char *me = argv[0]; + char *me = progname; krb5_ldap_policy_params *policyparams = NULL; krb5_error_code retval = 0; krb5_boolean print_usage = FALSE; @@ -804,7 +804,7 @@ void kdb5_ldap_list_policies(argc, argv) int argc; char *argv[]; { - char *me = argv[0]; + char *me = progname; krb5_error_code retval = 0; krb5_boolean print_usage = FALSE; char *basedn = NULL; Index: src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c =================================================================== --- src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c.orig +++ src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c @@ -152,7 +152,7 @@ static int get_ticket_policy(rparams,i,a krb5_boolean no_msg = FALSE; krb5_boolean print_usage = FALSE; - char *me = argv[0]; + char *me = progname; time(&now); if (!strcmp(argv[*i], "-maxtktlife")) { @@ -364,7 +364,7 @@ void kdb5_ldap_create(argc, argv) rparams->subtree = list; } else if(strncmp(argv[i], "", strlen(argv[i]))==0) { /* dont allow subtree value to be set at the root(NULL, "") of the tree */ - com_err(argv[0], EINVAL, + com_err(progname, EINVAL, "for subtree while creating realm '%s'", global_params.realm); goto err_nomsg; 
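Review bot: In the `kdb5_ldap_create` hunk at `@@ -364`, the rejected-subtree branch reports `EINVAL` through `com_err` but jumps to `err_nomsg` without assigning `retval`. The `cleanup:` code visible in the `@@ -879` hunk only increments `exit_status` when `retval` is non-zero, so unless `retval` is already set at that point (not visible here) the tool can print an error and still exit with success. Setting it first, as the `@@ -516` hunk does with `retval = ENOMEM;`, would fix this: add `retval = EINVAL;` before the `com_err` call. The same pattern appears in the `@@ -376`, `@@ -401` and `@@ -762` hunks of `kdb5_ldap_create` and in the `@@ -986` and `@@ -998` hunks of `kdb5_ldap_modify`.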
@@ -376,7 +376,7 @@ void kdb5_ldap_create(argc, argv) goto err_usage; if(strncmp(argv[i], "", strlen(argv[i]))==0) { /* dont allow containerref value to be set at the root(NULL, "") of the tree */ - com_err(argv[0], EINVAL, + com_err(progname, EINVAL, "for container reference while creating realm '%s'", global_params.realm); goto err_nomsg; @@ -401,7 +401,7 @@ void kdb5_ldap_create(argc, argv) rparams->search_scope = atoi(argv[i]); if ((rparams->search_scope != 1) && (rparams->search_scope != 2)) { - com_err(argv[0], EINVAL, + com_err(progname, EINVAL, "invalid search scope while creating realm '%s'", global_params.realm); goto err_nomsg; @@ -498,7 +498,7 @@ void kdb5_ldap_create(argc, argv) retval = krb5_read_password(util_context, KRB5_KDC_MKEY_1, KRB5_KDC_MKEY_2, pw_str, &pw_size); if (retval) { - com_err(argv[0], retval, "while reading master key from keyboard"); + com_err(progname, retval, "while reading master key from keyboard"); goto err_nomsg; } mkey_password = pw_str; @@ -516,7 +516,7 @@ void kdb5_ldap_create(argc, argv) rparams->realm_name = strdup(global_params.realm); if (rparams->realm_name == NULL) { retval = ENOMEM; - com_err(argv[0], ENOMEM, "while creating realm '%s'", + com_err(progname, ENOMEM, "while creating realm '%s'", global_params.realm); goto err_nomsg; } @@ -588,11 +588,11 @@ void kdb5_ldap_create(argc, argv) retval = krb5_ldap_read_krbcontainer_params(util_context, &(ldap_context->krbcontainer)); if (retval) { - com_err(argv[0], retval, "while reading kerberos container information"); + com_err(progname, retval, "while reading kerberos container information"); goto cleanup; } } else if (retval) { - com_err(argv[0], retval, "while reading kerberos container information"); + com_err(progname, retval, "while reading kerberos container information"); goto cleanup; } 
@@ -608,7 +608,7 @@ void kdb5_ldap_create(argc, argv) global_params.realm, &(ldap_context->lrparams), &mask))) { - com_err(argv[0], retval, "while reading information of realm '%s'", + com_err(progname, retval, "while reading information of realm '%s'", global_params.realm); goto err_nomsg; } @@ -623,7 +623,7 @@ void kdb5_ldap_create(argc, argv) global_params.mkey_name, global_params.realm, 0, &master_princ))) { - com_err(argv[0], retval, "while setting up master key name"); + com_err(progname, retval, "while setting up master key name"); goto err_nomsg; } @@ -635,7 +635,7 @@ void kdb5_ldap_create(argc, argv) pwd.length = strlen(mkey_password); retval = krb5_principal2salt(util_context, master_princ, &master_salt); if (retval) { - com_err(argv[0], retval, "while calculating master key salt"); + com_err(progname, retval, "while calculating master key salt"); goto err_nomsg; } @@ -646,7 +646,7 @@ void kdb5_ldap_create(argc, argv) free(master_salt.data); if (retval) { - com_err(argv[0], retval, "while transforming master key from password"); + com_err(progname, retval, "while transforming master key from password"); goto err_nomsg; } 
@@ -689,28 +689,28 @@ void kdb5_ldap_create(argc, argv) /* Create 'K/M' ... */ rblock.flags |= KRB5_KDB_DISALLOW_ALL_TIX; if ((retval = kdb_ldap_create_principal(util_context, master_princ, MASTER_KEY, &rblock))) { - com_err(argv[0], retval, "while adding entries to the database"); + com_err(progname, retval, "while adding entries to the database"); goto err_nomsg; } /* Create 'krbtgt' ... */ rblock.flags = 0; /* reset the flags */ if ((retval = kdb_ldap_create_principal(util_context, &tgt_princ, TGT_KEY, &rblock))) { - com_err(argv[0], retval, "while adding entries to the database"); + com_err(progname, retval, "while adding entries to the database"); goto err_nomsg; } /* Create 'kadmin/admin' ... */ snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_ADMIN_SERVICE, global_params.realm); if ((retval = krb5_parse_name(util_context, princ_name, &p))) { - com_err(argv[0], retval, "while adding entries to the database"); + com_err(progname, retval, "while adding entries to the database"); goto err_nomsg; } rblock.max_life = ADMIN_LIFETIME; rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED; if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) { krb5_free_principal(util_context, p); - com_err(argv[0], retval, "while adding entries to the database"); + com_err(progname, retval, "while adding entries to the database"); goto err_nomsg; } krb5_free_principal(util_context, p); @@ -718,7 +718,7 @@ void kdb5_ldap_create(argc, argv) /* Create 'kadmin/changepw' ... */ snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_CHANGEPW_SERVICE, global_params.realm); if ((retval = krb5_parse_name(util_context, princ_name, &p))) { - com_err(argv[0], retval, "while adding entries to the database"); + com_err(progname, retval, "while adding entries to the database"); goto err_nomsg; } rblock.max_life = CHANGEPW_LIFETIME; 
@@ -726,7 +726,7 @@ void kdb5_ldap_create(argc, argv) KRB5_KDB_PWCHANGE_SERVICE; if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) { krb5_free_principal(util_context, p); - com_err(argv[0], retval, "while adding entries to the database"); + com_err(progname, retval, "while adding entries to the database"); goto err_nomsg; } krb5_free_principal(util_context, p); @@ -734,26 +734,26 @@ void kdb5_ldap_create(argc, argv) /* Create 'kadmin/history' ... */ snprintf(princ_name, sizeof(princ_name), "%s@%s", KADM5_HIST_PRINCIPAL, global_params.realm); if ((retval = krb5_parse_name(util_context, princ_name, &p))) { - com_err(argv[0], retval, "while adding entries to the database"); + com_err(progname, retval, "while adding entries to the database"); goto err_nomsg; } rblock.max_life = global_params.max_life; rblock.flags = 0; if ((retval = kdb_ldap_create_principal(util_context, p, TGT_KEY, &rblock))) { krb5_free_principal(util_context, p); - com_err(argv[0], retval, "while adding entries to the database"); + com_err(progname, retval, "while adding entries to the database"); goto err_nomsg; } krb5_free_principal(util_context, p); /* Create 'kadmin/' ... */ if ((retval=krb5_sname_to_principal(util_context, NULL, "kadmin", KRB5_NT_SRV_HST, &p))) { - com_err(argv[0], retval, "krb5_sname_to_principal, while adding entries to the database"); + com_err(progname, retval, "krb5_sname_to_principal, while adding entries to the database"); goto err_nomsg; } if ((retval=krb5_copy_principal(util_context, p, &temp_p))) { - com_err(argv[0], retval, "krb5_copy_principal, while adding entries to the database"); + com_err(progname, retval, "krb5_copy_principal, while adding entries to the database"); goto err_nomsg; } 
@@ -762,7 +762,7 @@ void kdb5_ldap_create(argc, argv) temp_p->realm.length = strlen(util_context->default_realm); temp_p->realm.data = strdup(util_context->default_realm); if (temp_p->realm.data == NULL) { - com_err(argv[0], ENOMEM, "while adding entries to the database"); + com_err(progname, ENOMEM, "while adding entries to the database"); goto err_nomsg; } @@ -770,7 +770,7 @@ void kdb5_ldap_create(argc, argv) rblock.flags = KRB5_KDB_DISALLOW_TGT_BASED; if ((retval = kdb_ldap_create_principal(util_context, temp_p, TGT_KEY, &rblock))) { krb5_free_principal(util_context, p); - com_err(argv[0], retval, "while adding entries to the database"); + com_err(progname, retval, "while adding entries to the database"); goto err_nomsg; } krb5_free_principal(util_context, temp_p); @@ -798,7 +798,7 @@ void kdb5_ldap_create(argc, argv) LDAP_KDC_SERVICE, rparams->kdcservers[i], rparams->realm_name, rparams->subtree, rightsmask)) != 0) { printf("failed\n"); - com_err(argv[0], retval, "while assigning rights to '%s'", + com_err(progname, retval, "while assigning rights to '%s'", rparams->realm_name); goto err_nomsg; } @@ -814,7 +814,7 @@ void kdb5_ldap_create(argc, argv) LDAP_ADMIN_SERVICE, rparams->adminservers[i], rparams->realm_name, rparams->subtree, rightsmask)) != 0) { printf("failed\n"); - com_err(argv[0], retval, "while assigning rights to '%s'", + com_err(progname, retval, "while assigning rights to '%s'", rparams->realm_name); goto err_nomsg; } @@ -830,7 +830,7 @@ void kdb5_ldap_create(argc, argv) LDAP_PASSWD_SERVICE, rparams->passwdservers[i], rparams->realm_name, rparams->subtree, rightsmask)) != 0) { printf("failed\n"); - com_err(argv[0], retval, "while assigning rights to '%s'", + com_err(progname, retval, "while assigning rights to '%s'", rparams->realm_name); goto err_nomsg; } 
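Review bot: In the `@@ -770` hunk of `kdb5_ldap_create`, the error branch after `kdb_ldap_create_principal(util_context, temp_p, ...)` frees `p` but not `temp_p`, whereas the success path frees `temp_p` on the following line. Unless the `err_nomsg` path releases it (not visible in this hunk), `temp_p` and the `realm.data` copy made in the previous hunk are leaked on failure. Consider adding `krb5_free_principal(util_context, temp_p);` next to the existing free of `p` in that branch.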
@@ -850,7 +850,7 @@ void kdb5_ldap_create(argc, argv) master_princ, &master_keyblock, NULL); if (retval) { - com_err(argv[0], errno, "while storing key"); + com_err(progname, errno, "while storing key"); printf("Warning: couldn't stash master key.\n"); } } @@ -879,7 +879,7 @@ cleanup: if (retval) { if (!no_msg) { - com_err(argv[0], retval, "while creating realm '%s'", + com_err(progname, retval, "while creating realm '%s'", global_params.realm); } exit_status++; @@ -932,7 +932,7 @@ void kdb5_ldap_modify(argc, argv) if ((retval = krb5_ldap_read_krbcontainer_params(util_context, &(ldap_context->krbcontainer)))) { - com_err(argv[0], retval, "while reading Kerberos container information"); + com_err(progname, retval, "while reading Kerberos container information"); goto err_nomsg; } @@ -986,7 +986,7 @@ void kdb5_ldap_modify(argc, argv) rparams->subtree = slist; } else if(strncmp(argv[i], "", strlen(argv[i]))==0) { /* dont allow subtree value to be set at the root(NULL, "") of the tree */ - com_err(argv[0], EINVAL, + com_err(progname, EINVAL, "for subtree while modifying realm '%s'", global_params.realm); goto err_nomsg; @@ -998,7 +998,7 @@ void kdb5_ldap_modify(argc, argv) goto err_usage; if(strncmp(argv[i], "", strlen(argv[i]))==0) { /* dont allow containerref value to be set at the root(NULL, "") of the tree */ - com_err(argv[0], EINVAL, + com_err(progname, EINVAL, "for container reference while modifying realm '%s'", global_params.realm); goto err_nomsg; @@ -1024,7 +1024,7 @@ void kdb5_ldap_modify(argc, argv) if ((rparams->search_scope != 1) && (rparams->search_scope != 2)) { retval = EINVAL; - com_err(argv[0], retval, + com_err(progname, retval, "specified for search scope while modifying information of realm '%s'", global_params.realm); goto err_nomsg; 
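Review bot: In the `@@ -850` hunk, the stash failure is reported with `errno` although the failing call's result is tested in `retval`; `errno` may be stale or zero by then, so the printed reason can be unrelated to the actual failure. Use `com_err(progname, retval, "while storing key");` instead. Note also that `retval` stays non-zero after the warning; if the code below this hunk falls through to `cleanup:`, the realm creation would be reported as failed even though only the stash did, which is worth confirming.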
@@ -1529,7 +1529,7 @@ void kdb5_ldap_modify(argc, argv) LDAP_KDC_SERVICE, oldkdcdns[i], rparams->realm_name, oldsubtrees, rightsmask)) != 0) { printf("failed\n"); - com_err(argv[0], retval, "while assigning rights '%s'", + com_err(progname, retval, "while assigning rights '%s'", rparams->realm_name); goto err_nomsg; } @@ -1546,7 +1546,7 @@ void kdb5_ldap_modify(argc, argv) LDAP_KDC_SERVICE, newkdcdns[i], rparams->realm_name, rparams->subtree, rightsmask)) != 0) { printf("failed\n"); - com_err(argv[0], retval, "while assigning rights to '%s'", + com_err(progname, retval, "while assigning rights to '%s'", rparams->realm_name); goto err_nomsg; } @@ -1608,7 +1608,7 @@ void kdb5_ldap_modify(argc, argv) LDAP_ADMIN_SERVICE, oldadmindns[i], rparams->realm_name, oldsubtrees, rightsmask)) != 0) { printf("failed\n"); - com_err(argv[0], retval, "while assigning rights '%s'", + com_err(progname, retval, "while assigning rights '%s'", rparams->realm_name); goto err_nomsg; } @@ -1626,7 +1626,7 @@ void kdb5_ldap_modify(argc, argv) LDAP_ADMIN_SERVICE, newadmindns[i], rparams->realm_name, rparams->subtree, rightsmask)) != 0) { printf("failed\n"); - com_err(argv[0], retval, "while assigning rights to '%s'", + com_err(progname, retval, "while assigning rights to '%s'", rparams->realm_name); goto err_nomsg; } @@ -1688,7 +1688,7 @@ void kdb5_ldap_modify(argc, argv) LDAP_PASSWD_SERVICE, oldpwddns[i], rparams->realm_name, oldsubtrees, rightsmask))) { printf("failed\n"); - com_err(argv[0], retval, "while assigning rights '%s'", + com_err(progname, retval, "while assigning rights '%s'", rparams->realm_name); goto err_nomsg; } @@ -1705,7 +1705,7 @@ void kdb5_ldap_modify(argc, argv) LDAP_PASSWD_SERVICE, newpwddns[i], rparams->realm_name, rparams->subtree, rightsmask))) { printf("failed\n"); - com_err(argv[0], retval, "while assigning rights to '%s'", + com_err(progname, retval, "while assigning rights to '%s'", rparams->realm_name); goto err_nomsg; } 
@@ -1777,7 +1777,7 @@ cleanup: if (retval) { if (!no_msg) - com_err(argv[0], retval, "while modifying information of realm '%s'", + com_err(progname, retval, "while modifying information of realm '%s'", global_params.realm); exit_status++; } @@ -1804,7 +1804,7 @@ void kdb5_ldap_view(argc, argv) ldap_context = (krb5_ldap_context *) dal_handle->db_context; if (!(ldap_context)) { retval = EINVAL; - com_err(argv[0], retval, "while initializing database"); + com_err(progname, retval, "while initializing database"); exit_status++; return; } @@ -1812,14 +1812,14 @@ void kdb5_ldap_view(argc, argv) /* Read the kerberos container information */ if ((retval = krb5_ldap_read_krbcontainer_params(util_context, &(ldap_context->krbcontainer))) != 0) { - com_err(argv[0], retval, "while reading kerberos container information"); + com_err(progname, retval, "while reading kerberos container information"); exit_status++; return; } if ((retval = krb5_ldap_read_realm_params(util_context, global_params.realm, &rparams, &mask)) || (!rparams)) { - com_err(argv[0], retval, "while reading information of realm '%s'", + com_err(progname, retval, "while reading information of realm '%s'", global_params.realm); exit_status++; return; @@ -2009,7 +2009,7 @@ void kdb5_ldap_list(argc, argv) /* Read the kerberos container information */ if ((retval = krb5_ldap_read_krbcontainer_params(util_context, &(ldap_context->krbcontainer))) != 0) { - com_err(argv[0], retval, "while reading kerberos container information"); + com_err(progname, retval, "while reading kerberos container information"); exit_status++; return; } @@ -2018,7 +2018,7 @@ void kdb5_ldap_list(argc, argv) if (retval != 0) { krb5_ldap_free_krbcontainer_params(ldap_context->krbcontainer); ldap_context->krbcontainer = NULL; - com_err (argv[0], retval, "while listing realms"); + com_err (progname, retval, "while listing realms"); exit_status++; return; } 
@@ -2434,7 +2434,7 @@ kdb5_ldap_destroy(argc, argv) dal_handle = (kdb5_dal_handle *)util_context->db_context; ldap_context = (krb5_ldap_context *) dal_handle->db_context; if (!(ldap_context)) { - com_err(argv[0], EINVAL, "while initializing database"); + com_err(progname, EINVAL, "while initializing database"); exit_status++; return; } @@ -2442,7 +2442,7 @@ kdb5_ldap_destroy(argc, argv) /* Read the kerberos container from the LDAP Server */ if ((retval = krb5_ldap_read_krbcontainer_params(util_context, &(ldap_context->krbcontainer))) != 0) { - com_err(argv[0], retval, "while reading kerberos container information"); + com_err(progname, retval, "while reading kerberos container information"); exit_status++; return; } @@ -2450,7 +2450,7 @@ kdb5_ldap_destroy(argc, argv) /* Read the Realm information from the LDAP Server */ if ((retval = krb5_ldap_read_realm_params(util_context, global_params.realm, &(ldap_context->lrparams), &mask)) != 0) { - com_err(argv[0], retval, "while reading realm information"); + com_err(progname, retval, "while reading realm information"); exit_status++; return; } @@ -2472,7 +2472,7 @@ kdb5_ldap_destroy(argc, argv) LDAP_KDC_SERVICE, rparams->kdcservers[i], rparams->realm_name, rparams->subtree, rightsmask)) != 0) { printf("failed\n"); - com_err(argv[0], retval, "while assigning rights to '%s'", + com_err(progname, retval, "while assigning rights to '%s'", rparams->realm_name); return; } @@ -2487,7 +2487,7 @@ kdb5_ldap_destroy(argc, argv) LDAP_ADMIN_SERVICE, rparams->adminservers[i], rparams->realm_name, rparams->subtree, rightsmask)) != 0) { printf("failed\n"); - com_err(argv[0], retval, "while assigning rights to '%s'", + com_err(progname, retval, "while assigning rights to '%s'", rparams->realm_name); return; } 
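Review bot: In the `@@ -2472` hunk of `kdb5_ldap_destroy`, the rights-assignment failure calls `com_err` and returns without `exit_status++`, while the earlier error returns in the same function (hunks `@@ -2434`, `@@ -2442` and `@@ -2450`) all increment it. A destroy that stops at this point can therefore exit with status 0, which matters for scripts that check the result of a destructive operation. Add `exit_status++;` before the `return;`; the `@@ -2487` and `@@ -2502` hunks have the same omission.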
@@ -2502,7 +2502,7 @@ kdb5_ldap_destroy(argc, argv) LDAP_PASSWD_SERVICE, rparams->passwdservers[i], rparams->realm_name, rparams->subtree, rightsmask)) != 0) { printf("failed\n"); - com_err(argv[0], retval, "while assigning rights to '%s'", + com_err(progname, retval, "while assigning rights to '%s'", rparams->realm_name); return; } @@ -2514,7 +2514,7 @@ kdb5_ldap_destroy(argc, argv) /* Delete the realm container and all the associated principals */ retval = krb5_ldap_delete_realm(util_context, global_params.realm); if (retval) { - com_err(argv[0], retval, "deleting database of '%s'", global_params.realm); + com_err(progname, retval, "deleting database of '%s'", global_params.realm); exit_status++; return; } Index: src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h =================================================================== --- src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h.orig +++ src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.h @@ -58,6 +58,8 @@ #define DESTROY_POLICY 14 #define LIST_POLICY 15 +extern char *progname; + extern int exit_status; extern krb5_context util_context; Index: src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c =================================================================== --- src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c.orig +++ src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c @@ -198,7 +198,7 @@ void kdb5_ldap_create_service(argc, argv int argc; char *argv[]; { - char *me = argv[0]; + char *me = progname; krb5_error_code retval = 0; krb5_ldap_service_params *srvparams = NULL; krb5_boolean print_usage = FALSE; @@ -496,7 +496,7 @@ void kdb5_ldap_modify_service(argc, argv int argc; char *argv[]; { - char *me = argv[0]; + char *me = progname; krb5_error_code retval = 0; krb5_ldap_service_params *srvparams = NULL; krb5_boolean print_usage = FALSE; 
@@ -569,7 +569,7 @@ void kdb5_ldap_modify_service(argc, argv retval = krb5_ldap_read_service(util_context, servicedn, &srvparams, &in_mask); if (retval) { - com_err(argv[0], retval, "while reading information of service '%s'", + com_err(me, retval, "while reading information of service '%s'", servicedn); goto err_nomsg; } @@ -1061,7 +1061,7 @@ rem_service_entry_from_file(argc, argv, char *service_object; { int st = EINVAL; - char *me = argv[0]; + char *me = progname; char *tmp_file = NULL; int tmpfd = -1; FILE *pfile = NULL; @@ -1175,7 +1175,7 @@ kdb5_ldap_destroy_service(argc, argv) if (argv[i+1]) { stashfilename=strdup(argv[i+1]); if (stashfilename == NULL) { - com_err(argv[0], ENOMEM, "while destroying service"); + com_err(progname, ENOMEM, "while destroying service"); exit_status++; goto cleanup; } @@ -1188,7 +1188,7 @@ kdb5_ldap_destroy_service(argc, argv) if ((argv[i]) && (servicedn == NULL)) { servicedn=strdup(argv[i]); if (servicedn == NULL) { - com_err(argv[0], ENOMEM, "while destroying service"); + com_err(progname, ENOMEM, "while destroying service"); exit_status++; goto cleanup; } @@ -1219,7 +1219,7 @@ kdb5_ldap_destroy_service(argc, argv) if ((retval = krb5_ldap_read_service(util_context, servicedn, &lserparams, &mask))) { - com_err(argv[0], retval, "while destroying service '%s'",servicedn); + com_err(progname, retval, "while destroying service '%s'",servicedn); exit_status++; goto cleanup; } @@ -1227,7 +1227,7 @@ kdb5_ldap_destroy_service(argc, argv) retval = krb5_ldap_delete_service(util_context, lserparams, servicedn); if (retval) { - com_err(argv[0], retval, "while destroying service '%s'", servicedn); + com_err(progname, retval, "while destroying service '%s'", servicedn); exit_status++; goto cleanup; } 
@@ -1235,7 +1235,7 @@ kdb5_ldap_destroy_service(argc, argv) if (stashfilename == NULL) { stashfilename = strdup(DEF_SERVICE_PASSWD_FILE); if (stashfilename == NULL) { - com_err(argv[0], ENOMEM, "while destroying service"); + com_err(progname, ENOMEM, "while destroying service"); exit_status++; goto cleanup; } @@ -1295,13 +1295,13 @@ void kdb5_ldap_view_service(argc, argv) servicedn=strdup(argv[1]); if (servicedn == NULL) { - com_err(argv[0], ENOMEM, "while viewing service"); + com_err(progname, ENOMEM, "while viewing service"); exit_status++; goto cleanup; } if ((retval = krb5_ldap_read_service(util_context, servicedn, &lserparams, &mask))) { - com_err(argv[0], retval, "while viewing service '%s'",servicedn); + com_err(progname, retval, "while viewing service '%s'",servicedn); exit_status++; goto cleanup; } @@ -1338,7 +1338,7 @@ void kdb5_ldap_list_services(argc, argv) int argc; char *argv[]; { - char *me = argv[0]; + char *me = progname; krb5_error_code retval = 0; char *basedn = NULL; char **list = NULL; @@ -1519,7 +1519,7 @@ kdb5_ldap_set_service_password(argc, arg krb5_ldap_context *lparams = NULL; char *file_name = NULL; char *tmp_file = NULL; - char *me = argv[0]; + char *me = progname; int filelen = 0; int random_passwd = 0; int set_dir_pwd = 1; @@ -1902,7 +1902,7 @@ kdb5_ldap_stash_service_password(argc, a { int ret = 0; unsigned int passwd_len = 0; - char *me = argv[0]; + char *me = progname; char *service_object = NULL; char *file_name = NULL, *tmp_file = NULL; char passwd[MAX_SERVICE_PASSWD_LEN]; Index: src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M =================================================================== --- src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M.orig +++ src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.M 
@@ -73,7 +73,7 @@ set. This means all the ticket options w The various flags are: .TP {\fB\-\fP|\fB+\fP}\fBallow_postdated\fP -.B -allow_postdated +.B \-allow_postdated prohibits principals from obtaining postdated tickets. (Sets the .SM KRB5_KDB_DISALLOW_POSTDATED flag.) @@ -81,7 +81,7 @@ flag.) clears this flag. .TP {\fB\-\fP|\fB+\fP}\fBallow_forwardable\fP -.B -allow_forwardable +.B \-allow_forwardable prohibits principals from obtaining forwardable tickets. (Sets the .SM KRB5_KDB_DISALLOW_FORWARDABLE flag.) @@ -89,7 +89,7 @@ flag.) clears this flag. .TP {\fB\-\fP|\fB+\fP}\fBallow_renewable\fP -.B -allow_renewable +.B \-allow_renewable prohibits principals from obtaining renewable tickets. (Sets the .SM KRB5_KDB_DISALLOW_RENEWABLE flag.) @@ -97,7 +97,7 @@ flag.) clears this flag. .TP {\fB\-\fP|\fB+\fP}\fBallow_proxiable\fP -.B -allow_proxiable +.B \-allow_proxiable prohibits principals from obtaining proxiable tickets. (Sets the .SM KRB5_KDB_DISALLOW_PROXIABLE flag.) @@ -105,7 +105,7 @@ flag.) clears this flag. .TP {\fB\-\fP|\fB+\fP}\fBallow_dup_skey\fP -.B -allow_dup_skey +.B \-allow_dup_skey Disables user-to-user authentication for principals by prohibiting principals from obtaining a session key for another user. (Sets the .SM KRB5_KDB_DISALLOW_DUP_SKEY @@ -119,7 +119,7 @@ requires principals to preauthenticate b kinit. (Sets the .SM KRB5_KDB_REQUIRES_PRE_AUTH flag.) -.B -requires_preauth +.B \-requires_preauth clears this flag. .TP {\fB\-\fP|\fB+\fP}\fBrequires_hwauth\fP @@ -128,11 +128,11 @@ requires principals to preauthenticate u before being allowed to kinit. (Sets the .SM KRB5_KDB_REQUIRES_HW_AUTH flag.) -.B -requires_hwauth +.B \-requires_hwauth clears this flag. .TP {\fB\-\fP|\fB+\fP}\fBallow_svr\fP -.B -allow_svr +.B \-allow_svr prohibits the issuance of service tickets for principals. (Sets the .SM KRB5_KDB_DISALLOW_SVR flag.) 
@@ -208,9 +208,9 @@ Specifies the list of Administration ser of the Administration service objects separated by colon(:). .TP EXAMPLE: -\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu -create -subtrees o=org -sscope SUB --r ATHENA.MIT.EDU\fP +\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu +create \-subtrees o=org \-sscope SUB +\-r ATHENA.MIT.EDU\fP .nf Password for "cn=admin,o=org": Initializing database for realm 'ATHENA.MIT.EDU' @@ -255,7 +255,7 @@ and no restriction will be set. The various flags are: .TP {\fB\-\fP|\fB+\fP}\fBallow_postdated\fP -.B -allow_postdated +.B \-allow_postdated prohibits principals from obtaining postdated tickets. (Sets the .SM KRB5_KDB_DISALLOW_POSTDATED flag.) @@ -263,7 +263,7 @@ flag.) clears this flag. .TP {\fB\-\fP|\fB+\fP}\fBallow_forwardable\fP -.B -allow_forwardable +.B \-allow_forwardable prohibits principals from obtaining forwardable tickets. (Sets the .SM KRB5_KDB_DISALLOW_FORWARDABLE flag.) @@ -271,7 +271,7 @@ flag.) clears this flag. .TP {\fB\-\fP|\fB+\fP}\fBallow_renewable\fP -.B -allow_renewable +.B \-allow_renewable prohibits principals from obtaining renewable tickets. (Sets the .SM KRB5_KDB_DISALLOW_RENEWABLE flag.) @@ -279,7 +279,7 @@ flag.) clears this flag. .TP {\fB\-\fP|\fB+\fP}\fBallow_proxiable\fP -.B -allow_proxiable +.B \-allow_proxiable prohibits principals from obtaining proxiable tickets. (Sets the .SM KRB5_KDB_DISALLOW_PROXIABLE flag.) @@ -287,7 +287,7 @@ flag.) clears this flag. .TP {\fB\-\fP|\fB+\fP}\fBallow_dup_skey\fP -.B -allow_dup_skey +.B \-allow_dup_skey Disables user-to-user authentication for principals by prohibiting principals from obtaining a session key for another user. (Sets the .SM KRB5_KDB_DISALLOW_DUP_SKEY @@ -301,7 +301,7 @@ requires principals to preauthenticate b kinit. (Sets the .SM KRB5_KDB_REQUIRES_PRE_AUTH flag.) -.B -requires_preauth +.B \-requires_preauth clears this flag. .TP {\fB\-\fP|\fB+\fP}\fBrequires_hwauth\fP 
@@ -310,11 +310,11 @@ requires principals to preauthenticate u before being allowed to kinit. (Sets the .SM KRB5_KDB_REQUIRES_HW_AUTH flag.) -.B -requires_hwauth +.B \-requires_hwauth clears this flag. .TP {\fB\-\fP|\fB+\fP}\fBallow_svr\fP -.B -allow_svr +.B \-allow_svr prohibits the issuance of service tickets for principals. (Sets the .SM KRB5_KDB_DISALLOW_SVR flag.) @@ -406,8 +406,8 @@ Specifies the list of Administration ser contains the DNs of the Administration service objects separated by a colon (:). .TP EXAMPLE: -\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu modify -+requires_preauth -r ATHENA.MIT.EDU \fP +\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu modify ++requires_preauth \-r ATHENA.MIT.EDU \fP .nf Password for "cn=admin,o=org": .fi @@ -423,8 +423,8 @@ Specifies the Kerberos realm of the data is used. .TP EXAMPLE: -\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view --r ATHENA.MIT.EDU\fP +\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu view +\-r ATHENA.MIT.EDU\fP .nf Password for "cn=admin,o=org": Realm Name: ATHENA.MIT.EDU @@ -450,8 +450,8 @@ Specifies the Kerberos realm of the data is used. .TP EXAMPLE: -\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy --r ATHENA.MIT.EDU\fP +\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu destroy +\-r ATHENA.MIT.EDU\fP .nf Password for "cn=admin,o=org": Deleting KDC database of 'ATHENA.MIT.EDU', are you sure? @@ -467,7 +467,7 @@ Lists the name of realms. .nf .TP EXAMPLE: -\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list\fP +\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu list\fP Password for "cn=admin,o=org": ATHENA.MIT.EDU OPENLDAP.MIT.EDU 
@@ -487,7 +487,7 @@ Specifies the complete path of the servi Specifies Distinguished name (DN) of the service object whose password is to be stored in file. .TP EXAMPLE: -\fBkdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org\fP +\fBkdb5_ldap_util stashsrvpw \-f /home/andrew/conf_keyfile cn=service-kdc,o=org\fP .nf Password for "cn=service-kdc,o=org": Re-enter password for "cn=service-kdc,o=org": @@ -517,7 +517,7 @@ set. This means all the ticket options w The various flags are: .TP {\fB\-\fP|\fB+\fP}\fBallow_postdated\fP -.B -allow_postdated +.B \-allow_postdated prohibits principals from obtaining postdated tickets. (Sets the .SM KRB5_KDB_DISALLOW_POSTDATED flag.) @@ -525,7 +525,7 @@ flag.) clears this flag. .TP {\fB\-\fP|\fB+\fP}\fBallow_forwardable\fP -.B -allow_forwardable +.B \-allow_forwardable prohibits principals from obtaining forwardable tickets. (Sets the .SM KRB5_KDB_DISALLOW_FORWARDABLE flag.) @@ -533,7 +533,7 @@ flag.) clears this flag. .TP {\fB\-\fP|\fB+\fP}\fBallow_renewable\fP -.B -allow_renewable +.B \-allow_renewable prohibits principals from obtaining renewable tickets. (Sets the .SM KRB5_KDB_DISALLOW_RENEWABLE flag.) @@ -541,7 +541,7 @@ flag.) clears this flag. .TP {\fB\-\fP|\fB+\fP}\fBallow_proxiable\fP -.B -allow_proxiable +.B \-allow_proxiable prohibits principals from obtaining proxiable tickets. (Sets the .SM KRB5_KDB_DISALLOW_PROXIABLE flag.) @@ -549,7 +549,7 @@ flag.) clears this flag. .TP {\fB\-\fP|\fB+\fP}\fBallow_dup_skey\fP -.B -allow_dup_skey +.B \-allow_dup_skey Disables user-to-user authentication for principals by prohibiting principals from obtaining a session key for another user. (Sets the .SM KRB5_KDB_DISALLOW_DUP_SKEY @@ -563,7 +563,7 @@ requires principals to preauthenticate b kinit. (Sets the .SM KRB5_KDB_REQUIRES_PRE_AUTH flag.) -.B -requires_preauth +.B \-requires_preauth clears this flag. .TP {\fB\-\fP|\fB+\fP}\fBrequires_hwauth\fP 
@@ -572,11 +572,11 @@ requires principals to preauthenticate u before being allowed to kinit. (Sets the .SM KRB5_KDB_REQUIRES_HW_AUTH flag.) -.B -requires_hwauth +.B \-requires_hwauth clears this flag. .TP {\fB\-\fP|\fB+\fP}\fBallow_svr\fP -.B -allow_svr +.B \-allow_svr prohibits the issuance of service tickets for principals. (Sets the .SM KRB5_KDB_DISALLOW_SVR flag.) @@ -639,7 +639,7 @@ flag on principals in the database. Specifies the name of the ticket policy. .TP EXAMPLE: -\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create_policy -r ATHENA.MIT.EDU -maxtktlife "1 day" -maxrenewlife "1 week" -allow_postdated +needchange -allow_forwardable tktpolicy\fP +\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu create_policy \-r ATHENA.MIT.EDU \-maxtktlife "1 day" \-maxrenewlife "1 week" \-allow_postdated +needchange \-allow_forwardable tktpolicy\fP .nf Password for "cn=admin,o=org": .fi @@ -657,7 +657,7 @@ returned by is used. .TP EXAMPLE: -\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU -maxtktlife "60 minutes" -maxrenewlife "10 hours" +allow_postdated -requires_preauth tktpolicy\fP +\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu modify_policy \-r ATHENA.MIT.EDU \-maxtktlife "60 minutes" \-maxrenewlife "10 hours" +allow_postdated \-requires_preauth tktpolicy\fP .nf Password for "cn=admin,o=org": .fi @@ -671,7 +671,7 @@ Displays the attributes of a ticket poli Specifies the name of the ticket policy. .TP EXAMPLE: -\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view_policy -r ATHENA.MIT.EDU tktpolicy\fP +\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu view_policy \-r ATHENA.MIT.EDU tktpolicy\fP .nf Password for "cn=admin,o=org": Ticket policy: tktpolicy 
@@ -700,7 +700,7 @@ to confirm the deletion. Specifies the name of the ticket policy. .TP EXAMPLE: -\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy_policy -r ATHENA.MIT.EDU tktpolicy\fP +\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu destroy_policy \-r ATHENA.MIT.EDU tktpolicy\fP .nf Password for "cn=admin,o=org": This will delete the policy object 'tktpolicy', are you sure? @@ -720,7 +720,7 @@ returned by is used. .TP EXAMPLE: -\fBkdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list_policy -r ATHENA.MIT.EDU\fP +\fBkdb5_ldap_util \-D cn=admin,o=org \-H ldaps://ldap-server1.mit.edu list_policy \-r ATHENA.MIT.EDU\fP .nf Password for "cn=admin,o=org": tktpolicy @@ -735,22 +735,22 @@ userpolicy \fBsetsrvpw\fP [\fB\-randpw\fP|\fB\-fileonly\fP] [\fB\-f\fP\ \fIfilename\fP] \fIservice_dn\fP Allows an administrator to set password for service objects such as KDC and Administration server in eDirectory and store them in a file. The -.I -fileonly +.I \-fileonly option stores the password in a file and not in the eDirectory object. Options: .RS .TP \fB\-randpw \fP Generates and sets a random password. This options can be specified to store the password both in eDirectory and a file. The -.I -fileonly +.I \-fileonly option can not be used if -.I -randpw +.I \-randpw option is already specified. .TP \fB\-fileonly\fP Stores the password only in a file and not in eDirectory. The -.I -randpw +.I \-randpw option can not be used when -.I -fileonly +.I \-fileonly options is specified. .TP \fB\-f\fP\ \fIfilename\fP @@ -760,7 +760,7 @@ Specifies complete path of the service p Specifies Distinguished name (DN) of the service object whose password is to be set. .TP EXAMPLE: -\fBkdb5_ldap_util setsrvpw -D cn=admin,o=org setsrvpw -fileonly -f /home/andrew/conf_keyfile +\fBkdb5_ldap_util setsrvpw \-D cn=admin,o=org setsrvpw \-fileonly \-f /home/andrew/conf_keyfile cn=service-kdc,o=org\fP .nf Password for "cn=admin,o=org": 
@@ -792,16 +792,16 @@ separated by a colon (:). .TP \fB\-randpw \fP Generates and sets a random password. This option is used to set the random password for the service object in directory and also to store it in the file. The -.I -fileonly +.I \-fileonly option can not be used if -.I -randpw +.I \-randpw option is specified. .TP \fB\-fileonly\fP Stores the password only in a file and not in eDirectory. The -.I -randpw +.I \-randpw option can not be used when -.I -fileonly +.I \-fileonly option is specified. .TP \fB\-f\fP\ \fIfilename\fP @@ -811,7 +811,7 @@ Specifies the complete path of the file Specifies Distinguished name (DN) of the Kerberos service to be created. .TP EXAMPLE: -\fBkdb5_ldap_util -D cn=admin,o=org create_service -kdc -randpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org\fP +\fBkdb5_ldap_util \-D cn=admin,o=org create_service \-kdc \-randpw \-f /home/andrew/conf_keyfile cn=service-kdc,o=org\fP .nf Password for "cn=admin,o=org": File does not exist. Creating the file /home/andrew/conf_keyfile... @@ -855,7 +855,7 @@ realms separated by a colon (:). Specifies Distinguished name (DN) of the Kerberos service to be modified. .TP EXAMPLE: -\fBkdb5_ldap_util -D cn=admin,o=org modify_service -realm ATHENA.MIT.EDU +\fBkdb5_ldap_util \-D cn=admin,o=org modify_service \-realm ATHENA.MIT.EDU cn=service-kdc,o=org\fP .nf Password for "cn=admin,o=org": @@ -871,7 +871,7 @@ Displays the attributes of a service. O Specifies Distinguished name (DN) of the Kerberos service to be viewed. .TP EXAMPLE: -\fBkdb5_ldap_util -D cn=admin,o=org view_service cn=service-kdc,o=org\fP +\fBkdb5_ldap_util \-D cn=admin,o=org view_service cn=service-kdc,o=org\fP .nf Password for "cn=admin,o=org": Service dn: cn=service-kdc,o=org 
@@ -897,7 +897,7 @@ needs to be removed. Specifies Distinguished name (DN) of the Kerberos service to be destroyed. .TP EXAMPLE: -\fBkdb5_ldap_util -D cn=admin,o=org destroy_service cn=service-kdc,o=org\fP +\fBkdb5_ldap_util \-D cn=admin,o=org destroy_service cn=service-kdc,o=org\fP .nf Password for "cn=admin,o=org": This will delete the service object 'cn=service-kdc,o=org', are you sure? @@ -922,7 +922,7 @@ for the base DN is .B Root. .TP EXAMPLE: -\fBkdb5_ldap_util -D cn=admin,o=org list_service\fP +\fBkdb5_ldap_util \-D cn=admin,o=org list_service\fP .nf Password for "cn=admin,o=org": cn=service-kdc,o=org Index: src/plugins/kdb/db2/libdb2/test/run.test =================================================================== --- src/plugins/kdb/db2/libdb2/test/run.test.orig +++ src/plugins/kdb/db2/libdb2/test/run.test @@ -34,7 +34,7 @@ main() bindir=/bin/. if [ $# -eq 0 ]; then - for t in 1 2 3 4 5 6 7 8 9 10 11 12 13 20; do + for t in 1 2 3 4 5 6 7 8 9 10 11 12 13 20 40 41; do test$t done else @@ -45,7 +45,7 @@ main() [0-9]*) test$1;; btree) - for t in 1 2 3 7 8 9 10 12 13; do + for t in 1 2 3 7 8 9 10 12 13 40 41; do test$t done;; hash) 
@@ -743,4 +743,162 @@ bsize=$bsize ffactor=$ffactor nelem=2500 done } +# Test for a weird page split condition where an insertion into index +# 0 of a page that would cause the new item to be the only item on the +# left page results in index 0 of the right page being erroneously +# skipped; this only happens with one particular key+data length for +# each page size. +test40 () { + echo "Test 40: btree: page split on index 0" + e=: + for psize in 512 1024 2048 4096 8192; do + echo " page size $psize" + kdsizes=`awk 'BEGIN { + psize = '$psize'; hsize = int(psize/2); + for (kdsize = hsize-40; kdsize <= hsize; kdsize++) { + print kdsize; + } + }' /dev/null` + + # Use a series of keylen+datalen values in the right + # neighborhood to find the one that triggers the bug. + # We could compute the exact size that triggers the + # bug but this additional fuzz may be useful. + + # Insert keys in reverse order to maximize the chances + # for a split on index 0. + + for kdsize in $kdsizes; do + awk 'BEGIN { + kdsize = '$kdsize'; + for (i = 8; i-- > 0; ) { + s = sprintf("a%03d:%09d", i, kdsize); + for (j = 0; j < kdsize-20; j++) { + s = s "x"; + } + printf("p\nka%03d\nd%s\n", i, s); + } + print "o"; + }' /dev/null > $TMP2 + sed -n 's/^d//p' $TMP2 | sort > $TMP1 + $PROG -o $TMP3 -i psize=$psize btree $TMP2 + if (cmp -s $TMP1 $TMP3); then : + else + echo "test40: btree: page size $psize, \ +keylen+datalen=$kdsize failed" + e='exit 1' + fi + done + done + $e +} + +# Extremely tricky test attempting to replicate some unusual database +# corruption seen in the field: pieces of the database becoming +# inaccessible to random access, sequential access, or both. The +# hypothesis is that at least some of these are triggered by the bug +# in page splits on index 0 with a particular exact keylen+datalen. +# (See Test 40.) For psize=4096, this size is exactly 2024. 
+ +# The order of operations here relies on very specific knowledge of +# the internals of the btree access method in order to place records +# at specific offsets in a page and to create certain keys on internal +# pages. The to-be-split page immediately prior to the bug-triggering +# split has the following properties: +# +# * is not the leftmost leaf page +# * key on the parent page is compares less than the key of the item +# on index 0 +# * triggering record's key also compares greater than the key on the +# parent page + +# Additionally, we prime the mpool LRU chain so that the head page on +# the chain has the following properties: +# +# * record at index 0 is located where it will not get overwritten by +# items written to the right-hand page during the split +# * key of the record at index 0 compares less than the key of the +# bug-triggering record + +# If the page-split bug exists, this test appears to create a database +# where some records are inaccessible to a search, but still remain in +# the file and are accessible by sequential traversal. At least one +# record gets duplicated out of sequence. + +test41 () { + echo "Test 41: btree: no unsearchables due to page split on index 0" + # list of individual retrievals in a variable for easy reuse + list=`(for i in a b c d; do + for j in 990 998 999; do + echo g ${i}${j} 1024 + done + done; + echo g y997 2014 + for i in y z; do + for j in 998 999; do + echo g ${i}${j} 1024 + done + done)` + # Exact number for trigger condition accounts for newlines + # retained by dbtest with -ofile but not without; we use + # -ofile, so count newlines. keylen=5,datalen=5+2014 for + # psize=4096 here. 
+ (cat - < $TMP2 + (echo "$list"; echo "$list") | awk '{ + s = $2; + for (i = 0; i < $3; i++) { + s = s "x"; + } + print s; + }' > $TMP1 + $PROG -o $TMP3 -i psize=4096 btree $TMP2 + if (cmp -s $TMP1 $TMP3); then : + else + echo "test41: btree: failed" + exit 1 + fi +} + main $* Index: src/plugins/kdb/db2/libdb2/mpool/mpool.c =================================================================== --- src/plugins/kdb/db2/libdb2/mpool/mpool.c.orig +++ src/plugins/kdb/db2/libdb2/mpool/mpool.c @@ -377,7 +377,7 @@ mpool_bkt(mp) head = &mp->hqh[HASHKEY(bp->pgno)]; CIRCLEQ_REMOVE(head, bp, hq); CIRCLEQ_REMOVE(&mp->lqh, bp, q); -#ifdef DEBUG +#if defined(DEBUG) && !defined(DEBUG_IDX0SPLIT) { void *spage; spage = bp->page; memset(bp, 0xff, sizeof(BKT) + mp->pagesize); Index: src/plugins/kdb/db2/libdb2/btree/bt_debug.c =================================================================== --- src/plugins/kdb/db2/libdb2/btree/bt_debug.c.orig +++ src/plugins/kdb/db2/libdb2/btree/bt_debug.c @@ -257,7 +257,8 @@ __bt_dpage(dbp, h) *(db_pgno_t *)bl->bytes, *(u_int32_t *)(bl->bytes + sizeof(db_pgno_t))); else if (bl->ksize) - (void)fprintf(tracefp, "%s/", bl->bytes); + (void)fprintf(tracefp, "%.*s/", + (int)bl->ksize, bl->bytes); if (bl->flags & P_BIGDATA) (void)fprintf(tracefp, "big data page %lu size %u", Index: src/plugins/kdb/db2/libdb2/btree/bt_split.c =================================================================== --- src/plugins/kdb/db2/libdb2/btree/bt_split.c.orig +++ src/plugins/kdb/db2/libdb2/btree/bt_split.c @@ -727,7 +727,7 @@ bt_psplit(t, h, l, r, pskip, ilen) * the right page. */ if (skip <= off) { - skip = 0; + skip = (indx_t)-1; rval = l; } else { rval = r; 
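Review bot: The new `DEBUG_IDX0SPLIT` macro in the `#if` that guards the 0xff poison fill in mpool_bkt is not explained in this hunk, so a reader cannot tell why a debug build would want stale page bytes left in a recycled buffer. It looks like it exists so that Test 41 in run.test can reproduce the index-0 split bug, which per that test's comments depends on an old record surviving in the head page of the LRU chain; please confirm and say so in a comment, for example `/* DEBUG_IDX0SPLIT: keep old page bytes so run.test Test 41 can reproduce the index-0 split bug */`. mpool_bkt starts and ends outside the hunk.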
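Review bot: The `(int)bl->ksize` cast in the new `"%.*s/"` call in __bt_dpage can turn a very large key size into a negative precision, and printf treats a negative precision as if none were given, which brings back the unbounded read this change removes. If ksize is an unsigned 32-bit field (its declaration is not in the hunk), a corrupted page, which is exactly what this dump routine is used to inspect, can carry such a value. Clamping first keeps the read bounded: `(int)(bl->ksize > INT_MAX ? INT_MAX : bl->ksize)`, with `<limits.h>` included. Other `%s` prints of key bytes elsewhere in __bt_dpage, outside this hunk, may need the same treatment.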
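Review bot: `(indx_t)-1` is used as a "no skip index" sentinel at both assignments in bt_psplit (this hunk at -727 and the following one at -737) without a name or a comment. The old value 0 is itself a valid index, which is presumably why index 0 of the right page was skipped; a short comment such as `/* 0 is a valid index on the right page; use an out-of-range sentinel */` or a named macro would stop a later reader from simplifying it back. It would also help to state why the all-ones value can never be a real index for the supported page sizes. bt_psplit starts and ends outside both hunks.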
@@ -737,7 +737,7 @@ bt_psplit(t, h, l, r, pskip, ilen) for (off = 0; nxt < top; ++off) { if (skip == nxt) { ++off; - skip = 0; + skip = (indx_t)-1; } switch (h->flags & P_TYPE) { case P_BINTERNAL: Index: src/plugins/preauth/pkinit/configure.in =================================================================== --- src/plugins/preauth/pkinit/configure.in.orig +++ src/plugins/preauth/pkinit/configure.in @@ -6,8 +6,6 @@ AC_CHECK_HEADERS(unistd.h) AC_TYPE_MODE_T AC_TYPE_OFF_T -AC_CHECK_FUNCS() - # XXX This is incorrect, but should cause -lcrypto to be included by default AC_CHECK_LIB(crypto, PKCS7_get_signer_info) Index: src/appl/gssftp/ftp/ftp.M =================================================================== --- src/appl/gssftp/ftp/ftp.M.orig +++ src/appl/gssftp/ftp/ftp.M @@ -537,7 +537,7 @@ $1.$2 and the remote file name "mydata.d "mydata", and $2 would have the value "data". The .I outpattern determines the resulting mapped filename. The sequences `$1', `$2', -...., `$9' are replaced by any value resulting from the +\&..., `$9' are replaced by any value resulting from the .I inpattern template. The sequence `$0' is replace by the original filename. Additionally, the sequence `[\fIseq1\fP, \fIseq2\fP]' is replaced by Index: src/appl/bsd/v4rcp.M =================================================================== --- src/appl/bsd/v4rcp.M.orig +++ src/appl/bsd/v4rcp.M @@ -1,5 +1,5 @@ .\" appl/bsd/v4rcp.M -.TH RCP 1 \*h +.TH V4RCP 1 .SH NAME v4rcp \- back end for Kerberos V4 rcp .SH SYNOPSIS Index: src/appl/telnet/telnet/telnet.1 =================================================================== --- src/appl/telnet/telnet/telnet.1.orig +++ src/appl/telnet/telnet/telnet.1 @@ -625,7 +625,7 @@ Sends the .TP .B escape Sends the current -.b telnet +.B telnet escape character (initially ``^''. .TP .B ga @@ -761,7 +761,7 @@ character. If .B telnet is in -.b localchars +.B localchars mode (see .B toggle localchars below), 
@@ -1296,9 +1296,9 @@ is omitted, then an interactive subshell .TP \fB\&?\fP \fIcommand\fP Get help. With no arguments, -.b telnet +.B telnet prints a help summary. If a command is specified, -.b telnet +.B telnet will print the help information for just that command. .SH ENVIRONMENT .B Telnet Index: src/clients/kpasswd/kpasswd.M =================================================================== --- src/clients/kpasswd/kpasswd.M.orig +++ src/clients/kpasswd/kpasswd.M @@ -21,8 +21,7 @@ .\" this software for any purpose. It is provided "as is" without express .\" or implied warranty. .\" " -.\.so man1/header.doc -.TH KPASSWD 1 \*h +.TH KPASSWD 1 .SH NAME kpasswd \- change a user's Kerberos password .SH SYNOPSIS Index: src/gen-manpages/k5login.M =================================================================== --- src/gen-manpages/k5login.M.orig +++ src/gen-manpages/k5login.M @@ -1,6 +1,6 @@ .TH .K5LOGIN 5 .SH NAME -.k5login \- Kerberos V5 acl file for host access. +\&.k5login \- Kerberos V5 acl file for host access. .SH DESCRIPTION The .B .k5login Index: src/kadmin/dbutil/kdb5_destroy.c =================================================================== --- src/kadmin/dbutil/kdb5_destroy.c.orig +++ src/kadmin/dbutil/kdb5_destroy.c @@ -60,19 +60,16 @@ kdb5_destroy(argc, argv) retval1 = kadm5_init_krb5_context(&context); if( retval1 ) { - com_err(argv[0], retval1, "while initializing krb5_context"); + com_err(progname, retval1, "while initializing krb5_context"); exit(1); } if ((retval1 = krb5_set_default_realm(context, util_context->default_realm))) { - com_err(argv[0], retval1, "while setting default realm name"); + com_err(progname, retval1, "while setting default realm name"); exit(1); } - if (strrchr(argv[0], '/')) - argv[0] = strrchr(argv[0], '/')+1; - dbname = global_params.dbname; optind = 1; 
@@ -102,7 +99,7 @@ kdb5_destroy(argc, argv) retval1 = krb5_db_destroy(context, db5util_db_args); if (retval1) { - com_err(argv[0], retval1, "deleting database '%s'",dbname); + com_err(progname, retval1, "deleting database '%s'",dbname); exit_status++; return; } Index: src/kadmin/dbutil/dump.c =================================================================== --- src/kadmin/dbutil/dump.c.orig +++ src/kadmin/dbutil/dump.c @@ -1016,7 +1016,6 @@ dump_db(argc, argv) { FILE *f; struct dump_args arglist; - char *programname; char *ofile; krb5_error_code kret, retval; dump_version *dump; @@ -1027,9 +1026,6 @@ dump_db(argc, argv) /* * Parse the arguments. */ - programname = argv[0]; - if (strrchr(programname, (int) '/')) - programname = strrchr(argv[0], (int) '/') + 1; ofile = (char *) NULL; dump = &r1_3_version; arglist.verbose = 0; @@ -1081,7 +1077,7 @@ dump_db(argc, argv) * to be opened if we try a dump that uses it. */ if (!dbactive) { - com_err(argv[0], 0, Err_no_database); + com_err(progname, 0, Err_no_database); exit_status++; return; } @@ -1099,7 +1095,7 @@ dump_db(argc, argv) (char *) NULL, 0, &master_keyblock); if (retval) { - com_err(argv[0], retval, + com_err(progname, retval, "while reading master key"); exit(1); } @@ -1107,7 +1103,7 @@ dump_db(argc, argv) master_princ, &master_keyblock); if (retval) { - com_err(argv[0], retval, + com_err(progname, retval, "while verifying master key"); exit(1); } @@ -1124,7 +1120,7 @@ dump_db(argc, argv) TRUE, new_mkey_file, 0, &new_master_keyblock))) { - com_err(argv[0], retval, "while reading new master key"); + com_err(progname, retval, "while reading new master key"); exit(1); } } @@ -1150,7 +1146,7 @@ dump_db(argc, argv) unlink(ofile); if (!(f = fopen(ofile, "w"))) { fprintf(stderr, ofopen_error, - programname, ofile, error_message(errno)); + progname, ofile, error_message(errno)); exit_status++; return; } 
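Review bot: In dump_db (hunk at -1150) the output file is still created with `unlink(ofile)` followed by `fopen(ofile, "w")`, which leaves a window between the two calls and gives the file whatever mode the umask allows. A KDC dump holds principal key data, so unless the umask is tightened elsewhere it is worth creating the file exclusively and owner-only, e.g. `fd = open(ofile, O_WRONLY|O_CREAT|O_EXCL, 0600);` then `f = fdopen(fd, "w");`. dump_db continues outside this hunk.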
@@ -1158,7 +1154,7 @@ dump_db(argc, argv) fileno(f), KRB5_LOCKMODE_EXCLUSIVE))) { fprintf(stderr, oflock_error, - programname, ofile, error_message(kret)); + progname, ofile, error_message(kret)); exit_status++; } else @@ -1167,7 +1163,7 @@ dump_db(argc, argv) f = stdout; } if (f && !(kret)) { - arglist.programname = programname; + arglist.programname = progname; arglist.ofile = f; arglist.kcontext = util_context; fprintf(arglist.ofile, "%s", dump->header); @@ -1179,13 +1175,13 @@ dump_db(argc, argv) dump->dump_princ, (krb5_pointer) &arglist))) { /* TBD: backwards and recursive not supported */ fprintf(stderr, dumprec_err, - programname, dump->name, error_message(kret)); + progname, dump->name, error_message(kret)); exit_status++; } if (dump->dump_policy && (kret = krb5_db_iter_policy( util_context, "*", dump->dump_policy, &arglist))) { - fprintf(stderr, dumprec_err, programname, dump->name, + fprintf(stderr, dumprec_err, progname, dump->name, error_message(kret)); exit_status++; } @@ -2126,7 +2122,6 @@ load_db(argc, argv) FILE *f; extern char *optarg; extern int optind; - char *programname; char *dumpfile; char *dbname; char *dbname_tmp; @@ -2140,9 +2135,6 @@ load_db(argc, argv) /* * Parse the arguments. */ - programname = argv[0]; - if (strrchr(programname, (int) '/')) - programname = strrchr(argv[0], (int) '/') + 1; dumpfile = (char *) NULL; dbname = global_params.dbname; load = NULL; @@ -2180,7 +2172,7 @@ load_db(argc, argv) if (!(dbname_tmp = (char *) malloc(strlen(dbname)+ strlen(dump_tmptrail)+1))) { - fprintf(stderr, no_name_mem_fmt, argv[0]); + fprintf(stderr, no_name_mem_fmt, progname); exit_status++; return; } @@ -2191,7 +2183,7 @@ load_db(argc, argv) * Initialize the Kerberos context and error tables. */ if ((kret = kadm5_init_krb5_context(&kcontext))) { - fprintf(stderr, ctx_err_fmt, programname); + fprintf(stderr, ctx_err_fmt, progname); free(dbname_tmp); exit_status++; return; 
@@ -2199,7 +2191,7 @@ load_db(argc, argv) if( (kret = krb5_set_default_realm(kcontext, util_context->default_realm)) ) { - fprintf(stderr, "%s: Unable to set the default realm\n", programname); + fprintf(stderr, "%s: Unable to set the default realm\n", progname); free(dbname_tmp); exit_status++; return; @@ -2210,14 +2202,14 @@ load_db(argc, argv) */ if (dumpfile) { if ((f = fopen(dumpfile, "r")) == NULL) { - fprintf(stderr, dfile_err_fmt, programname, dumpfile, + fprintf(stderr, dfile_err_fmt, progname, dumpfile, error_message(errno)); exit_status++; return; } if ((kret = krb5_lock_file(kcontext, fileno(f), KRB5_LOCKMODE_SHARED))) { - fprintf(stderr, "%s: Cannot lock %s: %s\n", programname, + fprintf(stderr, "%s: Cannot lock %s: %s\n", progname, dumpfile, error_message(errno)); exit_status++; return; @@ -2233,7 +2225,7 @@ load_db(argc, argv) if (load) { /* only check what we know; some headers only contain a prefix */ if (strncmp(buf, load->header, strlen(load->header)) != 0) { - fprintf(stderr, head_bad_fmt, programname, dumpfile); + fprintf(stderr, head_bad_fmt, progname, dumpfile); exit_status++; if (dumpfile) fclose(f); return; @@ -2252,7 +2244,7 @@ load_db(argc, argv) strlen(ov_version.header)) == 0) load = &ov_version; else { - fprintf(stderr, head_bad_fmt, programname, dumpfile); + fprintf(stderr, head_bad_fmt, progname, dumpfile); exit_status++; if (dumpfile) fclose(f); return; @@ -2260,7 +2252,7 @@ load_db(argc, argv) } if (load->updateonly && !update) { fprintf(stderr, "%s: dump version %s can only be loaded with the " - "-update flag\n", programname, load->name); + "-update flag\n", progname, load->name); exit_status++; return; } @@ -2277,7 +2269,7 @@ load_db(argc, argv) if ((kret = kadm5_get_config_params(kcontext, 1, &newparams, &newparams))) { - com_err(argv[0], kret, + com_err(progname, kret, "while retreiving new configuration parameters"); exit_status++; return; 
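Review bot: The lock-failure branch in load_db (hunk at -2210) prints `error_message(errno)` although the failure code from krb5_lock_file is in `kret`, and it returns with `f` still open. It should read `error_message(kret)` and call `fclose(f);` before `return;`. This and the neighbouring early returns (fopen failure in the same hunk, bad header at -2233 and -2252, update-only check at -2260) also appear to skip the `free(dbname_tmp);` that the two context-setup failures above them perform. load_db's body extends beyond these hunks.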
@@ -2301,11 +2293,11 @@ load_db(argc, argv) */ if (emsg != NULL) { - fprintf(stderr, "%s: %s\n", programname, emsg); + fprintf(stderr, "%s: %s\n", progname, emsg); krb5_free_error_message (kcontext, emsg); } else { fprintf(stderr, dbcreaterr_fmt, - programname, dbname, error_message(kret)); + progname, dbname, error_message(kret)); } exit_status++; kadm5_free_config_params(kcontext, &newparams); @@ -2326,11 +2318,11 @@ load_db(argc, argv) */ if (emsg != NULL) { - fprintf(stderr, "%s: %s\n", programname, emsg); + fprintf(stderr, "%s: %s\n", progname, emsg); krb5_free_error_message (kcontext, emsg); } else { fprintf(stderr, dbinit_err_fmt, - programname, error_message(kret)); + progname, error_message(kret)); } exit_status++; goto error; @@ -2349,7 +2341,7 @@ load_db(argc, argv) */ if (kret != KRB5_PLUGIN_OP_NOTSUPP) { fprintf(stderr, "%s: %s while permanently locking database\n", - programname, error_message(kret)); + progname, error_message(kret)); exit_status++; goto error; } @@ -2357,10 +2349,10 @@ load_db(argc, argv) else db_locked = 1; - if (restore_dump(programname, kcontext, (dumpfile) ? dumpfile : stdin_name, + if (restore_dump(progname, kcontext, (dumpfile) ? dumpfile : stdin_name, f, verbose, load)) { fprintf(stderr, restfail_fmt, - programname, load->name); + progname, load->name); exit_status++; } @@ -2373,14 +2365,14 @@ load_db(argc, argv) if (db_locked && (kret = krb5_db_unlock(kcontext))) { /* change this error? */ fprintf(stderr, dbunlockerr_fmt, - programname, dbname, error_message(kret)); + progname, dbname, error_message(kret)); exit_status++; } #if 0 if ((kret = krb5_db_fini(kcontext))) { fprintf(stderr, close_err_fmt, - programname, error_message(kret)); + progname, error_message(kret)); exit_status++; } #endif 
@@ -2395,7 +2387,7 @@ load_db(argc, argv) */ if (kret != 0 && kret != KRB5_PLUGIN_OP_NOTSUPP) { fprintf(stderr, "%s: cannot make newly loaded database live (%s)\n", - programname, error_message(kret)); + progname, error_message(kret)); exit_status++; } } @@ -2416,7 +2408,7 @@ error: */ if (kret != 0 && kret != KRB5_PLUGIN_OP_NOTSUPP) { fprintf(stderr, dbdelerr_fmt, - programname, dbname, error_message(kret)); + progname, dbname, error_message(kret)); exit_status++; } } Index: src/kadmin/dbutil/kdb5_create.c =================================================================== --- src/kadmin/dbutil/kdb5_create.c.orig +++ src/kadmin/dbutil/kdb5_create.c @@ -162,9 +162,6 @@ void kdb5_create(argc, argv) int do_stash = 0; krb5_data pwd, seed; - if (strrchr(argv[0], '/')) - argv[0] = strrchr(argv[0], '/')+1; - while ((optchar = getopt(argc, argv, "s")) != -1) { switch(optchar) { case 's': @@ -193,7 +190,7 @@ void kdb5_create(argc, argv) printf ("Loading random data\n"); retval = krb5_c_random_os_entropy (util_context, 1, NULL); if (retval) { - com_err (argv[0], retval, "Loading random data"); + com_err (progname, retval, "Loading random data"); exit_status++; return; } @@ -203,7 +200,7 @@ void kdb5_create(argc, argv) global_params.mkey_name, global_params.realm, &mkey_fullname, &master_princ))) { - com_err(argv[0], retval, "while setting up master key name"); + com_err(progname, retval, "while setting up master key name"); exit_status++; return; } @@ -229,7 +226,7 @@ master key name '%s'\n", retval = krb5_read_password(util_context, KRB5_KDC_MKEY_1, KRB5_KDC_MKEY_2, pw_str, &pw_size); if (retval) { - com_err(argv[0], retval, "while reading master key from keyboard"); + com_err(progname, retval, "while reading master key from keyboard"); exit_status++; return; } mkey_password = pw_str; 
@@ -239,14 +236,14 @@ master key name '%s'\n", pwd.length = strlen(mkey_password); retval = krb5_principal2salt(util_context, master_princ, &master_salt); if (retval) { - com_err(argv[0], retval, "while calculating master key salt"); + com_err(progname, retval, "while calculating master key salt"); exit_status++; return; } retval = krb5_c_string_to_key(util_context, master_keyblock.enctype, &pwd, &master_salt, &master_keyblock); if (retval) { - com_err(argv[0], retval, "while transforming master key from password"); + com_err(progname, retval, "while transforming master key from password"); exit_status++; return; } 
@@ -256,28 +253,28 @@ master key name '%s'\n", seed.data = master_keyblock.contents; if ((retval = krb5_c_random_seed(util_context, &seed))) { - com_err(argv[0], retval, "while initializing random key generator"); + com_err(progname, retval, "while initializing random key generator"); exit_status++; return; } if ((retval = krb5_db_create(util_context, db5util_db_args))) { - com_err(argv[0], retval, "while creating database '%s'", + com_err(progname, retval, "while creating database '%s'", global_params.dbname); exit_status++; return; } /* if ((retval = krb5_db_fini(util_context))) { */ -/* com_err(argv[0], retval, "while closing current database"); */ +/* com_err(progname, retval, "while closing current database"); */ /* exit_status++; return; */ /* } */ /* if ((retval = krb5_db_open(util_context, db5util_db_args, KRB5_KDB_OPEN_RW))) { */ -/* com_err(argv[0], retval, "while initializing the database '%s'", */ +/* com_err(progname, retval, "while initializing the database '%s'", */ /* global_params.dbname); */ /* exit_status++; return; */ /* } */ if ((retval = add_principal(util_context, master_princ, MASTER_KEY, &rblock)) || (retval = add_principal(util_context, &tgt_princ, TGT_KEY, &rblock))) { (void) krb5_db_fini(util_context); - com_err(argv[0], retval, "while adding entries to the database"); + com_err(progname, retval, "while adding entries to the database"); exit_status++; return; } /* @@ -291,7 +288,7 @@ master key name '%s'\n", &master_keyblock, mkey_password); if (retval) { - com_err(argv[0], errno, "while storing key"); + com_err(progname, errno, "while storing key"); printf("Warning: couldn't stash master key.\n"); } /* clean up */ Index: src/kadmin/dbutil/kdb5_util.c =================================================================== --- src/kadmin/dbutil/kdb5_util.c.orig +++ src/kadmin/dbutil/kdb5_util.c 
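Review bot: The touched `com_err(progname, errno, "while storing key");` line in kdb5_create (hunk at -291) reports `errno` although the branch is entered on `retval`, so the message can show an unrelated or zero error. `com_err(progname, retval, "while storing key");` would report the code the failing call actually returned. The call that sets retval begins outside the hunk.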
@@ -186,16 +186,18 @@ int main(argc, argv) set_com_err_hook(extended_com_err_fn); + /* + * Ensure that "progname" is set before calling com_err. + */ + progname = (strrchr(argv[0], '/') ? + strrchr(argv[0], '/') + 1 : argv[0]); + retval = kadm5_init_krb5_context(&util_context); if (retval) { com_err (progname, retval, "while initializing Kerberos code"); exit(1); } -/* initialize_adb_error_table(); */ - - progname = (strrchr(argv[0], '/') ? strrchr(argv[0], '/')+1 : argv[0]); - cmd_argv = (char **) malloc(sizeof(char *)*argc); if (cmd_argv == NULL) { com_err(progname, ENOMEM, "while creating sub-command arguments"); @@ -245,7 +247,7 @@ int main(argc, argv) } } else if (strcmp(*argv, "-k") == 0 && ARG_VAL) { if (krb5_string_to_enctype(koptarg, &global_params.enctype)) - com_err(argv[0], 0, "%s is an invalid enctype", koptarg); + com_err(progname, 0, "%s is an invalid enctype", koptarg); else global_params.mask |= KADM5_CONFIG_ENCTYPE; } else if (strcmp(*argv, "-M") == 0 && ARG_VAL) { @@ -287,7 +289,7 @@ int main(argc, argv) retval = kadm5_get_config_params(util_context, 1, &global_params, &global_params); if (retval) { - com_err(argv[0], retval, "while retreiving configuration parameters"); + com_err(progname, retval, "while retreiving configuration parameters"); exit(1); } @@ -300,7 +302,7 @@ int main(argc, argv) master_keyblock.enctype = global_params.enctype; if ((master_keyblock.enctype != ENCTYPE_UNKNOWN) && (!krb5_c_valid_enctype(master_keyblock.enctype))) { - com_err(argv[0], KRB5_PROG_KEYTYPE_NOSUPP, + com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP, "while setting up enctype %d", master_keyblock.enctype); } 
@@ -334,13 +336,13 @@ void set_dbname(argc, argv) if (argc < 3) { com_err(argv[0], 0, "Too few arguments"); - com_err(argv[0], 0, "Usage: %s dbpathname realmname", argv[0]); + com_err(progname, 0, "Usage: %s dbpathname realmname", argv[0]); exit_status++; return; } if (dbactive) { if ((retval = krb5_db_fini(util_context)) && retval!= KRB5_KDB_DBNOTINITED) { - com_err(argv[0], retval, "while closing previous database"); + com_err(progname, retval, "while closing previous database"); exit_status++; return; } @@ -353,7 +355,7 @@ void set_dbname(argc, argv) dbactive = FALSE; } - (void) set_dbname_help(argv[0], argv[1]); + (void) set_dbname_help(progname, argv[1]); return; } #endif @@ -425,6 +427,7 @@ static int open_db_and_mkey() retval = krb5_principal2salt(util_context, master_princ, &scratch); if (retval) { com_err(progname, retval, "while calculated master key salt"); + exit_status++; return(1); } @@ -442,6 +445,7 @@ static int open_db_and_mkey() if (retval) { com_err(progname, retval, "while transforming master key from password"); + exit_status++; return(1); } free(scratch.data); @@ -519,7 +523,7 @@ add_random_key(argc, argv) krb5_int32 num_keysalts = 0; int free_keysalts; - char *me = argv[0]; + char *me = progname; char *ks_str = NULL; char *pr_str; Index: src/kadmin/dbutil/kdb5_stash.c =================================================================== --- src/kadmin/dbutil/kdb5_stash.c.orig +++ src/kadmin/dbutil/kdb5_stash.c 
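Review bot: The `set_dbname` hunk converts the usage line to `progname` but leaves `com_err(argv[0], 0, "Too few arguments");` directly above it unchanged, so two consecutive messages can carry different prefixes. The usage text also still formats `argv[0]` as its `%s` argument. For consistency with the rest of the commit the pair could read `com_err(progname, 0, "Too few arguments");` and `com_err(progname, 0, "Usage: %s dbpathname realmname", argv[0]);`, with a one-line comment noting that `argv[0]` is the sub-command name there, if that is the intent.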
@@ -82,19 +82,16 @@ kdb5_stash(argc, argv) char *keyfile = 0; krb5_context context; - if (strrchr(argv[0], '/')) - argv[0] = strrchr(argv[0], '/')+1; - retval = kadm5_init_krb5_context(&context); if( retval ) { - com_err(argv[0], retval, "while initializing krb5_context"); + com_err(progname, retval, "while initializing krb5_context"); exit(1); } if ((retval = krb5_set_default_realm(context, util_context->default_realm))) { - com_err(argv[0], retval, "while setting default realm name"); + com_err(progname, retval, "while setting default realm name"); exit(1); } @@ -119,10 +116,10 @@ kdb5_stash(argc, argv) if (!krb5_c_valid_enctype(master_keyblock.enctype)) { char tmp[32]; if (krb5_enctype_to_string(master_keyblock.enctype, tmp, sizeof(tmp))) - com_err(argv[0], KRB5_PROG_KEYTYPE_NOSUPP, + com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP, "while setting up enctype %d", master_keyblock.enctype); else - com_err(argv[0], KRB5_PROG_KEYTYPE_NOSUPP, tmp); + com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP, tmp); exit_status++; return; } @@ -130,14 +127,14 @@ kdb5_stash(argc, argv) retval = krb5_db_setup_mkey_name(context, mkey_name, realm, &mkey_fullname, &master_princ); if (retval) { - com_err(argv[0], retval, "while setting up master key name"); + com_err(progname, retval, "while setting up master key name"); exit_status++; return; } retval = krb5_db_open(context, db5util_db_args, KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_OTHER); if (retval) { - com_err(argv[0], retval, "while initializing the database '%s'", + com_err(progname, retval, "while initializing the database '%s'", dbname); exit_status++; return; } @@ -148,7 +145,7 @@ kdb5_stash(argc, argv) TRUE, FALSE, (char *) NULL, 0, &master_keyblock); if (retval) { - com_err(argv[0], retval, "while reading master key"); + com_err(progname, retval, "while reading master key"); (void) krb5_db_fini(context); exit_status++; return; } 
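Review bot: In the `@@ -119,10 +116,10 @@` hunk the new line `com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP, tmp);` passes the buffer `tmp` in the format-string position. The buffer is filled by `krb5_enctype_to_string`, so its content is probably benign, but a `%` in it would be interpreted as a conversion, and compilers with format checking will flag the call. Writing it as `com_err(progname, KRB5_PROG_KEYTYPE_NOSUPP, "%s", tmp);` removes the dependency on what the library puts in the buffer. The function body extends beyond the hunk.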
@@ -156,7 +153,7 @@ kdb5_stash(argc, argv) retval = krb5_db_verify_master_key(context, master_princ, &master_keyblock); if (retval) { - com_err(argv[0], retval, "while verifying master key"); + com_err(progname, retval, "while verifying master key"); (void) krb5_db_fini(context); exit_status++; return; } @@ -164,7 +161,7 @@ kdb5_stash(argc, argv) retval = krb5_db_store_master_key(context, keyfile, master_princ, &master_keyblock, NULL); if (retval) { - com_err(argv[0], errno, "while storing key"); + com_err(progname, errno, "while storing key"); memset((char *)master_keyblock.contents, 0, master_keyblock.length); (void) krb5_db_fini(context); exit_status++; return; @@ -173,7 +170,7 @@ kdb5_stash(argc, argv) retval = krb5_db_fini(context); if (retval) { - com_err(argv[0], retval, "closing database '%s'", dbname); + com_err(progname, retval, "closing database '%s'", dbname); exit_status++; return; } Index: src/kadmin/cli/kadmin.M =================================================================== --- src/kadmin/cli/kadmin.M.orig +++ src/kadmin/cli/kadmin.M @@ -206,12 +206,12 @@ Specifying "ago" in a duration may resul creates the principal .IR newprinc , prompting twice for a password. If no policy is specified with the --policy option, and the policy named "default" exists, then that +\-policy option, and the policy named "default" exists, then that policy is assigned to the principal; note that the assignment of the policy "default" only occurs automatically when a principal is first created, so the policy "default" must already exist for the assignment to occur. This assignment of "default" can be suppressed with the --clearpolicy option. This command requires the +\-clearpolicy option. This command requires the .I add privilege. This command has the aliases .B addprinc 
@@ -411,7 +411,7 @@ Re-enter password for principal tlyu/adm Principal "tlyu/admin@BLEEP.COM" created. kadmin: -kadmin: addprinc -x dn=cn=mwm_user,o=org mwm_user +kadmin: addprinc \-x dn=cn=mwm_user,o=org mwm_user WARNING: no policy specified for "mwm_user@BLEEP.COM"; defaulting to no policy. Enter password for principal mwm_user@BLEEP.COM: @@ -639,7 +639,7 @@ sets the number of past keys kept for a .nf .TP EXAMPLES: -kadmin: add_policy -maxlife "2 days" -minlength 5 guests +kadmin: add_policy \-maxlife "2 days" \-minlength 5 guests kadmin: .TP ERRORS: Index: src/lib/crypto/enc_provider/aes.c =================================================================== --- src/lib/crypto/enc_provider/aes.c.orig +++ src/lib/crypto/enc_provider/aes.c 
@@ -1,3 +1,29 @@ +/* + * lib/crypto/enc_provider/aes.h + * + * Copyright (C) 2003, 2007 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + #include "k5-int.h" #include "enc_provider.h" #include "aes.h" Index: src/lib/rpc/auth_gssapi.c =================================================================== --- src/lib/rpc/auth_gssapi.c.orig +++ src/lib/rpc/auth_gssapi.c @@ -164,6 +164,11 @@ AUTH *auth_gssapi_create( auth = (AUTH *) malloc(sizeof(*auth)); pdata = (struct auth_gssapi_data *) malloc(sizeof(*pdata)); if (auth == NULL || pdata == NULL) { + /* They needn't both have failed; clean up. */ + free(auth); + free(pdata); + auth = NULL; + pdata = NULL; rpc_createerr.cf_stat = RPC_SYSTEMERROR; rpc_createerr.cf_error.re_errno = ENOMEM; goto cleanup; 
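Review bot: The licence header added to aes.c opens with the path `lib/crypto/enc_provider/aes.h`, which names the header rather than the file being patched. The first comment line should read `* lib/crypto/enc_provider/aes.c` so that the notice matches the file it covers.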
@@ -436,12 +441,14 @@ next_token: cleanup: PRINTF(("gssapi_create: bailing\n\n")); - - if (AUTH_PRIVATE(auth)) - auth_gssapi_destroy(auth); - else if (auth) - free(auth); - auth = NULL; + + if (auth) { + if (AUTH_PRIVATE(auth)) + auth_gssapi_destroy(auth); + else + free(auth); + auth = NULL; + } /* don't assume the caller will want to change clnt->cl_auth */ clnt->cl_auth = save_auth; Index: src/lib/gssapi/krb5/lucid_context.c =================================================================== --- src/lib/gssapi/krb5/lucid_context.c.orig +++ src/lib/gssapi/krb5/lucid_context.c @@ -231,7 +231,7 @@ make_external_lucid_ctx_v1( &lctx->cfx_kd.ctx_key))) goto error_out; if (gctx->have_acceptor_subkey) { - if ((retval = copy_keyblock_to_lucid_key(gctx->enc, + if ((retval = copy_keyblock_to_lucid_key(gctx->acceptor_subkey, &lctx->cfx_kd.acceptor_subkey))) goto error_out; lctx->cfx_kd.have_acceptor_subkey = 1; Index: src/lib/kadm5/str_conv.c =================================================================== --- src/lib/kadm5/str_conv.c.orig +++ src/lib/kadm5/str_conv.c @@ -310,7 +310,7 @@ krb5_string_to_keysalts(string, tuplesep septmp = ksseplist; for (sp = strchr(kp, (int) *septmp); *(++septmp) && !sp; - ep = strchr(kp, (int) *septmp)); + sp = strchr(kp, (int) *septmp)); if (sp) { /* Separate enctype from salttype */ Index: src/lib/krb5/keytab/kt_file.c =================================================================== --- src/lib/krb5/keytab/kt_file.c.orig +++ src/lib/krb5/keytab/kt_file.c 
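Review bot: The separator search in the str_conv.c hunk is still a `for` statement whose whole effect sits in the header and whose body is the bare `;` at the end of the line. That form is what let the `ep`/`sp` mix-up go unnoticed. Giving the loop an explicit body, for example a line `continue;` with the comment `/* try the next separator until one is found in kp */`, would make the intent visible to the next reader. The enclosing function starts and ends outside the hunk.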
@@ -53,10 +53,30 @@ typedef struct _krb5_ktfile_data { FILE *openf; /* open file, if any. */ char iobuf[BUFSIZ]; /* so we can zap it later */ int version; /* Version number of keytab */ + unsigned int iter_count; /* Number of active iterators */ + long start_offset; /* Starting offset after version */ k5_mutex_t lock; /* Protect openf, version */ } krb5_ktfile_data; /* + * Some limitations: + * + * If the file OPENF is left open between calls, we have an iterator + * active, and OPENF is opened in read-only mode. So, no changes + * can be made via that handle. + * + * An advisory file lock is used while the file is open. Thus, + * multiple handles on the same underlying file cannot be used without + * disrupting the locking in effect. + * + * The start_offset field is only valid if the file is open. It will + * almost certainly always be the same constant. It's used so that + * if an iterator is active, and we start another one, we don't have + * to seek back to the start and re-read the version number to set + * the position for the iterator. + */ + +/* * Macros */ #define KTPRIVATE(id) ((krb5_ktfile_data *)(id)->data) @@ -64,6 +84,8 @@ typedef struct _krb5_ktfile_data { #define KTFILEP(id) (((krb5_ktfile_data *)(id)->data)->openf) #define KTFILEBUFP(id) (((krb5_ktfile_data *)(id)->data)->iobuf) #define KTVERSION(id) (((krb5_ktfile_data *)(id)->data)->version) +#define KTITERS(id) (((krb5_ktfile_data *)(id)->data)->iter_count) +#define KTSTARTOFF(id) (((krb5_ktfile_data *)(id)->data)->start_offset) #define KTLOCK(id) k5_mutex_lock(&((krb5_ktfile_data *)(id)->data)->lock) #define KTUNLOCK(id) k5_mutex_unlock(&((krb5_ktfile_data *)(id)->data)->lock) #define KTCHECKLOCK(id) k5_mutex_assert_locked(&((krb5_ktfile_data *)(id)->data)->lock) @@ -208,6 +230,7 @@ krb5_ktfile_resolve(krb5_context context (void) strcpy(data->name, name); data->openf = 0; data->version = 0; + data->iter_count = 0; (*id)->data = (krb5_pointer)data; (*id)->magic = KV5M_KEYTAB; 
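Review bot: The struct hunk adds `iter_count` and `start_offset`, but the comment on the mutex still says `/* Protect openf, version */`. The later hunks in this file read and write both new fields between `KTLOCK` and `KTUNLOCK`, so they appear to be covered by the same lock. The comment should say so: `k5_mutex_t lock; /* Protect openf, version, iter_count, start_offset */`. The new "Some limitations" block would also be a good place to state that `KTITERS` must only be touched with the lock held.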
@@ -255,15 +278,27 @@ krb5_ktfile_get_entry(krb5_context conte int found_wrong_kvno = 0; krb5_boolean similar; int kvno_offset = 0; + int was_open; kerror = KTLOCK(id); if (kerror) return kerror; - /* Open the keyfile for reading */ - if ((kerror = krb5_ktfileint_openr(context, id))) { - KTUNLOCK(id); - return(kerror); + if (KTFILEP(id) != NULL) { + was_open = 1; + + if (fseek(KTFILEP(id), KTSTARTOFF(id), SEEK_SET) == -1) { + KTUNLOCK(id); + return errno; + } + } else { + was_open = 0; + + /* Open the keyfile for reading */ + if ((kerror = krb5_ktfileint_openr(context, id))) { + KTUNLOCK(id); + return(kerror); + } } /* @@ -370,12 +405,13 @@ krb5_ktfile_get_entry(krb5_context conte kerror = KRB5_KT_NOTFOUND; } if (kerror) { - (void) krb5_ktfileint_close(context, id); + if (was_open == 0) + (void) krb5_ktfileint_close(context, id); KTUNLOCK(id); krb5_kt_free_entry(context, &cur_entry); return kerror; } - if ((kerror = krb5_ktfileint_close(context, id)) != 0) { + if (was_open == 0 && (kerror = krb5_ktfileint_close(context, id)) != 0) { KTUNLOCK(id); krb5_kt_free_entry(context, &cur_entry); return kerror; @@ -430,18 +466,30 @@ krb5_ktfile_start_seq_get(krb5_context c if (retval) return retval; - if ((retval = krb5_ktfileint_openr(context, id))) { - KTUNLOCK(id); - return retval; + if (KTITERS(id) == 0) { + if ((retval = krb5_ktfileint_openr(context, id))) { + KTUNLOCK(id); + return retval; + } } if (!(fileoff = (long *)malloc(sizeof(*fileoff)))) { - krb5_ktfileint_close(context, id); + if (KTITERS(id) == 0) + krb5_ktfileint_close(context, id); KTUNLOCK(id); return ENOMEM; } - *fileoff = ftell(KTFILEP(id)); + *fileoff = KTSTARTOFF(id); *cursorp = (krb5_kt_cursor)fileoff; + KTITERS(id)++; + if (KTITERS(id) == 0) { + /* Wrapped?! */ + KTITERS(id)--; + KTUNLOCK(id); + krb5_set_error_message(context, KRB5_KT_IOERR, + "Too many keytab iterators active"); + return KRB5_KT_IOERR; /* XXX */ + } KTUNLOCK(id); return 0; 
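Review bot: In the new `fseek` failure branch of `krb5_ktfile_get_entry`, `errno` is read after `KTUNLOCK(id)` has run, so the unlock may overwrite the value that is returned. Capturing it first avoids returning an unrelated code or 0: `int saved = errno; KTUNLOCK(id); return saved;`. The function continues outside this hunk.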
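Review bot: The wrap-around branch in the `krb5_ktfile_start_seq_get` hunk returns `KRB5_KT_IOERR` after `fileoff` has been allocated and stored in `*cursorp`, and it does not release either. A caller that sees the error has no reason to call the end function, so the allocation is leaked and the cursor is left pointing at it. Adding `free(fileoff);` and `*cursorp = NULL;` before the `KTUNLOCK(id)` in that branch would close the gap. Alternatively the counter check could run before the `malloc`.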
@@ -490,7 +538,11 @@ krb5_ktfile_end_get(krb5_context context krb5_xfree(*cursor); KTLOCK(id); - kerror = krb5_ktfileint_close(context, id); + KTITERS(id)--; + if (KTFILEP(id) != NULL && KTITERS(id) == 0) + kerror = krb5_ktfileint_close(context, id); + else + kerror = 0; KTUNLOCK(id); return kerror; } @@ -811,6 +863,7 @@ krb5_ktfile_wresolve(krb5_context contex (void) strcpy(data->name, name); data->openf = 0; data->version = 0; + data->iter_count = 0; (*id)->data = (krb5_pointer)data; (*id)->magic = KV5M_KEYTAB; @@ -830,6 +883,13 @@ krb5_ktfile_add(krb5_context context, kr retval = KTLOCK(id); if (retval) return retval; + if (KTFILEP(id)) { + /* Iterator(s) active -- no changes. */ + KTUNLOCK(id); + krb5_set_error_message(context, KRB5_KT_IOERR, + "Cannot change keytab with keytab iterators active"); + return KRB5_KT_IOERR; /* XXX */ + } if ((retval = krb5_ktfileint_openw(context, id))) { KTUNLOCK(id); return retval; @@ -858,6 +918,13 @@ krb5_ktfile_remove(krb5_context context, kerror = KTLOCK(id); if (kerror) return kerror; + if (KTFILEP(id)) { + /* Iterator(s) active -- no changes. */ + KTUNLOCK(id); + krb5_set_error_message(context, KRB5_KT_IOERR, + "Cannot change keytab with keytab iterators active"); + return KRB5_KT_IOERR; /* XXX */ + } if ((kerror = krb5_ktfileint_openw(context, id))) { KTUNLOCK(id); @@ -1114,6 +1181,7 @@ krb5_ktfileint_open(krb5_context context return KRB5_KEYTAB_BADVNO; } } + KTSTARTOFF(id) = ftell(KTFILEP(id)); return 0; } @@ -1424,7 +1492,7 @@ krb5_ktfileint_write_entry(krb5_context krb5_timestamp timestamp; krb5_int32 princ_type; krb5_int32 size_needed; - krb5_int32 commit_point; + krb5_int32 commit_point = -1; int i; KTCHECKLOCK(id); Index: src/lib/krb5/os/toffset.c =================================================================== --- src/lib/krb5/os/toffset.c.orig +++ src/lib/krb5/os/toffset.c 
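Review bot: `KTITERS(id)--` in the `krb5_ktfile_end_get` hunk is unguarded, so a call without a matching start would wrap the unsigned counter to its maximum. The file would then stay open, and the new "iterators active" checks in the add and remove hunks would presumably keep refusing changes. A guard such as `if (KTITERS(id) > 0) KTITERS(id)--;` keeps the count consistent. The context line `KTLOCK(id);` above it also discards the lock result, unlike the other functions in this patch, so the decrement may run without the lock being held.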
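Review bot: The line `KTSTARTOFF(id) = ftell(KTFILEP(id));` added to `krb5_ktfileint_open` stores the result without checking for -1. On failure the handle would be reported as opened successfully with an invalid start offset, which the iterator code then copies into new cursors. Checking the value and failing the open would surface the problem at its source, for example `if (KTSTARTOFF(id) == -1) return errno;` after the cleanup this function uses on its other error paths. Those paths lie outside the hunk.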
@@ -34,6 +34,9 @@ * routines will return the correct time as corrected by difference * between the system time and the "real time" as passed to this * routine + * + * If the real time microseconds are given as -1 the caller doesn't + * know the microseconds value so the usec offset is always zero. */ krb5_error_code KRB5_CALLCONV krb5_set_real_time(krb5_context context, krb5_timestamp seconds, krb5_int32 microseconds) @@ -45,8 +48,10 @@ krb5_set_real_time(krb5_context context, retval = krb5_crypto_us_timeofday(&sec, &usec); if (retval) return retval; + os_ctx->time_offset = seconds - sec; - os_ctx->usec_offset = microseconds - usec; + os_ctx->usec_offset = (microseconds > -1) ? microseconds - usec : 0; + os_ctx->os_flags = ((os_ctx->os_flags & ~KRB5_OS_TOFFSET_TIME) | KRB5_OS_TOFFSET_VALID); return 0; Index: src/lib/krb5/os/locate_kdc.c =================================================================== --- src/lib/krb5/os/locate_kdc.c.orig +++ src/lib/krb5/os/locate_kdc.c @@ -611,6 +611,7 @@ module_locate_server (krb5_context ctx, krb5_error_code code; struct krb5plugin_service_locate_ftable *vtbl = NULL; void **ptrs; + char *realmz; /* NUL-terminated realm */ int i; struct module_callback_data cbdata = { 0, }; @@ -632,6 +633,17 @@ module_locate_server (krb5_context ctx, return KRB5_PLUGIN_NO_HANDLE; } + if (realm->length >= UINT_MAX) { + krb5int_free_plugin_dir_data(ptrs); + return ENOMEM; + } + realmz = malloc(realm->length + 1); + if (realmz == NULL) { + krb5int_free_plugin_dir_data(ptrs); + return ENOMEM; + } + memcpy(realmz, realm->data, realm->length); + realmz[realm->length] = '\0'; for (i = 0; ptrs[i]; i++) { void *blob; @@ -644,7 +656,7 @@ module_locate_server (krb5_context ctx, if (code) continue; - code = vtbl->lookup(blob, svc, realm->data, socktype, family, + code = vtbl->lookup(blob, svc, realmz, socktype, family, module_callback, &cbdata); vtbl->fini(blob); if (code == KRB5_PLUGIN_NO_HANDLE) { 
@@ -657,6 +669,7 @@ module_locate_server (krb5_context ctx, /* Module encountered an actual error. */ Tprintf("plugin lookup routine returned error %d: %s\n", code, error_message(code)); + free(realmz); krb5int_free_plugin_dir_data (ptrs); return code; } @@ -664,6 +677,7 @@ module_locate_server (krb5_context ctx, } if (ptrs[i] == NULL) { Tprintf("ran off end of plugin list\n"); + free(realmz); krb5int_free_plugin_dir_data (ptrs); return KRB5_PLUGIN_NO_HANDLE; } @@ -672,6 +686,7 @@ module_locate_server (krb5_context ctx, /* Got something back, yippee. */ Tprintf("now have %d addrs in list %p\n", addrlist->naddrs, addrlist); print_addrlist(addrlist); + free(realmz); krb5int_free_plugin_dir_data (ptrs); return 0; } Index: src/lib/krb5/rcache/rc_io.c =================================================================== --- src/lib/krb5/rcache/rc_io.c.orig +++ src/lib/krb5/rcache/rc_io.c @@ -83,6 +83,7 @@ krb5_rc_io_creat(krb5_context context, k (void) strcpy(d->fn, dir); (void) strcat(d->fn, PATH_SEPARATOR); (void) strcat(d->fn, *fn); + unlink(d->fn); d->fd = THREEPARAMOPEN(d->fn, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL | O_BINARY, 0600); } @@ -425,7 +426,7 @@ krb5_rc_io_read(krb5_context context, kr strerror(errno)); return KRB5_RC_IO_UNKNOWN; } - if (count == 0) + if (count != num) return KRB5_RC_IO_EOF; return 0; } Index: src/lib/krb5/ccache/cc_memory.c =================================================================== --- src/lib/krb5/ccache/cc_memory.c.orig +++ src/lib/krb5/ccache/cc_memory.c @@ -135,10 +135,18 @@ krb5_error_code KRB5_CALLCONV krb5_mcc_initialize(krb5_context context, krb5_ccache id, krb5_principal princ) { krb5_error_code ret; + krb5_mcc_data *d; + + d = (krb5_mcc_data *)id->data; + ret = k5_mutex_lock(&d->lock); + if (ret) + return ret; krb5_mcc_free(context, id); ret = krb5_copy_principal(context, princ, &((krb5_mcc_data *)id->data)->prin); + + k5_mutex_unlock(&d->lock); if (ret == KRB5_OK) krb5_change_cache(); return ret; 
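Review bot: The `unlink(d->fn);` added to `krb5_rc_io_creat` discards its return value and has no comment explaining why an existing replay cache file may be removed. As written, a failure other than "no such file" only shows up indirectly as a failed `O_EXCL` open. A reader also cannot tell that dropping previously recorded replay entries is intended here. The result should be checked, tolerating `ENOENT` only, and a comment added along the lines of `/* remove any stale cache so the O_EXCL create below cannot follow a pre-existing file */`. The function body extends beyond the hunk.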
@@ -205,8 +213,13 @@ krb5_mcc_destroy(krb5_context context, k } k5_mutex_unlock(&krb5int_mcc_mutex); + err = k5_mutex_lock(&d->lock); + if (err) + return err; + krb5_mcc_free(context, id); krb5_xfree(d->name); + k5_mutex_unlock(&d->lock); k5_mutex_destroy(&d->lock); krb5_xfree(d); krb5_xfree(id); @@ -244,12 +257,6 @@ krb5_mcc_resolve (krb5_context context, krb5_error_code err; krb5_mcc_data *d; - lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache)); - if (lid == NULL) - return KRB5_CC_NOMEM; - - lid->ops = &krb5_mcc_ops; - err = k5_mutex_lock(&krb5int_mcc_mutex); if (err) return err; @@ -262,11 +269,16 @@ krb5_mcc_resolve (krb5_context context, err = new_mcc_data(residual, &d); if (err) { k5_mutex_unlock(&krb5int_mcc_mutex); - krb5_xfree(lid); return err; } } k5_mutex_unlock(&krb5int_mcc_mutex); + + lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache)); + if (lid == NULL) + return KRB5_CC_NOMEM; + + lid->ops = &krb5_mcc_ops; lid->data = d; *id = lid; return KRB5_OK; Index: src/lib/krb5/ccache/ccdefault.c =================================================================== --- src/lib/krb5/ccache/ccdefault.c.orig +++ src/lib/krb5/ccache/ccdefault.c @@ -1,7 +1,7 @@ /* * lib/krb5/ccache/ccdefault.c * - * Copyright 1990 by the Massachusetts Institute of Technology. + * Copyright 1990, 2007, 2008 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may 
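Review bot: The early `return err;` added to `krb5_mcc_destroy` when `k5_mutex_lock(&d->lock)` fails skips every release that follows: `krb5_mcc_free`, `krb5_xfree(d->name)`, `krb5_xfree(d)` and `krb5_xfree(id)`. The context line just above already drops `krb5int_mcc_mutex`, so the entry has presumably been unlinked from the global list by then and nothing else could reclaim it. The failure should be recorded and the teardown allowed to continue, or a comment should state that the leak on this path is accepted. The start of the function is outside the hunk.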
@@ -45,22 +45,30 @@ static HANDLE hLeashDLL = INVALID_HANDLE krb5_error_code KRB5_CALLCONV krb5_cc_default(krb5_context context, krb5_ccache *ccache) { - krb5_os_context os_ctx; + const char *default_name; if (!context || context->magic != KV5M_CONTEXT) return KV5M_CONTEXT; + + default_name = krb5_cc_default_name(context); + if (default_name == NULL) { + /* Could be a bogus context, or an allocation failure, or + other things. Unfortunately the API doesn't allow us + to find out any specifics. */ + return KRB5_FCC_INTERNAL; + } - os_ctx = context->os_context; - - return krb5_cc_resolve(context, krb5_cc_default_name(context), ccache); + return krb5_cc_resolve(context, default_name, ccache); } -/* This is the internal function which opens the default ccache. On platforms supporting - the login library's automatic popup dialog to get tickets, this function also updated the - library's internal view of the current principal associated with this cache. - - All krb5 and GSS functions which need to open a cache to get a tgt to obtain service tickets - should call this function, not krb5_cc_default() */ +/* This is the internal function which opens the default ccache. On + platforms supporting the login library's automatic popup dialog to + get tickets, this function also updated the library's internal view + of the current principal associated with this cache. + + All krb5 and GSS functions which need to open a cache to get a tgt + to obtain service tickets should call this function, not + krb5_cc_default(). */ krb5_error_code KRB5_CALLCONV krb5int_cc_default(krb5_context context, krb5_ccache *ccache) 
@@ -82,7 +90,8 @@ krb5int_cc_default(krb5_context context, /* This function tries to get tickets and put them in the specified cache, however, if the cache does not exist, it may choose to put them elsewhere (ie: the system default) so we set that here */ - if (strcmp (krb5_cc_default_name (context), outCacheName) != 0) { + char * ccdefname = krb5_cc_default_name (context); + if (!ccdefname || strcmp (ccdefname, outCacheName) != 0) { krb5_cc_set_default_name (context, outCacheName); } KLDisposeString (outCacheName); @@ -102,7 +111,8 @@ krb5int_cc_default(krb5_context context, char ccname[256]=""; pLeash_AcquireInitialTicketsIfNeeded(context, NULL, ccname, sizeof(ccname)); if (ccname[0]) { - if (strcmp (krb5_cc_default_name (context),ccname) != 0) { + char * ccdefname = krb5_cc_default_name (context); + if (!ccdefname || strcmp (ccdefname, ccname) != 0) { krb5_cc_set_default_name (context, ccname); } } Index: src/lib/krb5/krb/get_in_tkt.c =================================================================== --- src/lib/krb5/krb/get_in_tkt.c.orig +++ src/lib/krb5/krb/get_in_tkt.c @@ -290,7 +290,7 @@ verify_as_reply(krb5_context context, if (context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) { retval = krb5_set_real_time(context, - as_reply->enc_part2->times.authtime, 0); + as_reply->enc_part2->times.authtime, -1); if (retval) return retval; } else { Index: src/lib/krb5/krb/rd_safe.c =================================================================== --- src/lib/krb5/krb/rd_safe.c.orig +++ src/lib/krb5/krb/rd_safe.c @@ -1,7 +1,7 @@ /* * lib/krb5/krb/rd_safe.c * - * Copyright 1990,1991 by the Massachusetts Institute of Technology. + * Copyright 1990,1991,2007,2008 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may 
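Review bot: Both `krb5int_cc_default` hunks, `@@ -82,7 +90,8 @@` and `@@ -102,7 +111,8 @@`, declare `char * ccdefname = krb5_cc_default_name (context);`, while the `krb5_cc_default` hunk in the same file stores the same call in a `const char *`. The value is only compared, so the declaration should keep the qualifier: `const char *ccdefname = krb5_cc_default_name (context);`. This avoids a discarded-qualifier warning and makes it clear that the string is not owned by the caller.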
@@ -114,11 +114,11 @@ krb5_rd_safe_basic(krb5_context context, message->checksum = &our_cksum; - if ((retval = encode_krb5_safe_with_body(message, &safe_body, &scratch))) + retval = encode_krb5_safe_with_body(message, &safe_body, &scratch); + message->checksum = his_cksum; + if (retval) goto cleanup; - message->checksum = his_cksum; - retval = krb5_c_verify_checksum(context, keyblock, KRB5_KEYUSAGE_KRB_SAFE_CKSUM, scratch, his_cksum, &valid); Index: src/lib/krb5/krb/gc_via_tkt.c =================================================================== --- src/lib/krb5/krb/gc_via_tkt.c.orig +++ src/lib/krb5/krb/gc_via_tkt.c @@ -1,7 +1,7 @@ /* * lib/krb5/krb/gc_via_tgt.c * - * Copyright 1990,1991 by the Massachusetts Institute of Technology. + * Copyright 1990,1991,2007,2008 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -100,6 +100,7 @@ cleanup_keyblock: cleanup: free (*ppcreds); + *ppcreds = NULL; return retval; } @@ -249,7 +250,8 @@ krb5_get_cred_via_tkt (krb5_context cont switch (err_reply->error) { case KRB_ERR_GENERIC: krb5_set_error_message(context, retval, - "KDC returned error string: %s", + "KDC returned error string: %.*s", + err_reply->text.length, err_reply->text.data); break; default: Index: src/slave/kpropd.M =================================================================== --- src/slave/kpropd.M.orig +++ src/slave/kpropd.M @@ -122,7 +122,7 @@ mode. .TP .B \-a allows the user to specify the path to the -.KR kpropd.acl +kpropd.acl file; by default the path used is KPROPD_ACL_FILE (normally @manlocalstatedir@/krb5kdc/kpropd.acl). .SH FILES Index: src/util/depfix.pl =================================================================== --- src/util/depfix.pl.orig +++ src/util/depfix.pl 
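Review bot: In the `@@ -249,7 +250,8 @@` hunk of gc_via_tkt.c the precision argument for `%.*s` is passed as `err_reply->text.length` without a cast, but `*` consumes an `int`. If the length field is unsigned, as the `realm->length >= UINT_MAX` test elsewhere in this patch suggests, a value above `INT_MAX` becomes a negative precision. A negative precision is treated as absent, which brings back the unbounded read of KDC-supplied text that this change is meant to prevent. Bounding and casting the value first keeps the limit effective, for example `(int) (err_reply->text.length > 1024 ? 1024 : err_reply->text.length)`, where the cap of 1024 is only an illustration.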
@@ -214,6 +214,7 @@ my $buf = ''; while () { # Strip newline. chop; + next if /^\s*#/; # Do directory-specific path substitutions on each filename read. $_ = &do_subs($_); if (m/\\$/) { Index: src/util/profile/prof_init.c =================================================================== --- src/util/profile/prof_init.c.orig +++ src/util/profile/prof_init.c @@ -34,8 +34,11 @@ profile_init(const_profile_filespec_t *f memset(profile, 0, sizeof(struct _profile_t)); profile->magic = PROF_MAGIC_PROFILE; - /* if the filenames list is not specified return an empty profile */ - if ( files ) { + /* + * If the filenames list is not specified or empty, return an empty + * profile. + */ + if ( files && !PROFILE_LAST_FILESPEC(*files) ) { for (fs = files; !PROFILE_LAST_FILESPEC(*fs); fs++) { retval = profile_open_file(*fs, &new_file); /* if this file is missing, skip to the next */ Index: src/kdc/network.c =================================================================== --- src/kdc/network.c (Revision 20580) +++ src/kdc/network.c (Revision 20587) @@ -277,6 +277,12 @@ struct connection *newconn; void *tmp; + if (sock > FD_SETSIZE) { + data->retval = EMFILE; /* XXX */ + com_err(data->prog, 0, + "file descriptor number %d too high", sock); + return 0; + } newconn = malloc(sizeof(*newconn)); if (newconn == 0) { data->retval = errno; @@ -360,6 +366,12 @@ paddr(addr)); return -1; } + if (sock > FD_SETSIZE) { + close(sock); + com_err(data->prog, 0, "TCP socket fd number %d (for %s) too high", + sock, paddr(addr)); + return -1; + } if (setreuseaddr(sock, 1) < 0) com_err(data->prog, errno, "Cannot enable SO_REUSEADDR on fd %d", sock); 
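Review bot: The descriptor checks added to network.c use `sock > FD_SETSIZE`, which still accepts a descriptor equal to `FD_SETSIZE`. Valid indexes for an `fd_set` run from 0 to `FD_SETSIZE - 1`, so that value would be written one slot past the set. The same comparison is in the `@@ -360,6 +366,12 @@` hunk and, as `s > FD_SETSIZE`, in the `@@ -791,6 +803,10 @@` hunk. The sendto_kdc.c hunk in this patch already uses the correct form `fd >= FD_SETSIZE`, and the three network.c tests should match it: `if (sock >= FD_SETSIZE) {`. The accept path also closes the socket without any log line, which makes descriptor exhaustion hard to spot in operation.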
@@ -791,6 +803,10 @@ s = accept(conn->fd, addr, &addrlen); if (s < 0) return; + if (s > FD_SETSIZE) { + close(s); + return; + } setnbio(s), setnolinger(s); sockdata.prog = prog; Index: src/lib/gssapi/krb5/accept_sec_context.c =================================================================== --- src/lib/gssapi/krb5/accept_sec_context.c (Revision 20580) +++ src/lib/gssapi/krb5/accept_sec_context.c (Revision 20587) @@ -1,5 +1,5 @@ /* - * Copyright 2000, 2004 by the Massachusetts Institute of Technology. + * Copyright 2000, 2004, 2008 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -249,6 +249,7 @@ krb5_data option; const gss_OID_desc *mech_used = NULL; OM_uint32 major_status = GSS_S_FAILURE; + OM_uint32 tmp_minor_status; krb5_error krb_error_data; krb5_data scratch; gss_cred_id_t cred_handle = NULL; @@ -903,13 +904,14 @@ if (!GSS_ERROR(major_status) && major_status != GSS_S_CONTINUE_NEEDED) { ctx->k5_context = context; - return(major_status); + context = NULL; + goto done; } /* from here on is the real "fail" code */ if (ctx) - (void) krb5_gss_delete_sec_context(minor_status, + (void) krb5_gss_delete_sec_context(&tmp_minor_status, (gss_ctx_id_t *) &ctx, NULL); if (deleg_cred) { /* free memory associated with the deleg credential */ if (deleg_cred->ccache) @@ -936,10 +938,9 @@ if (decode_req_message) { krb5_ap_req * request; - if (decode_krb5_ap_req(&ap_req, &request)) { - krb5_free_context(context); - return (major_status); - } + if (decode_krb5_ap_req(&ap_req, &request)) + goto done; + if (request->ap_options & AP_OPTS_MUTUAL_REQUIRED) gss_flags |= GSS_C_MUTUAL_FLAG; krb5_free_ap_req(context, request); 
@@ -967,20 +968,16 @@ krb_error_data.server = cred->princ; code = krb5_mk_error(context, &krb_error_data, &scratch); - if (code) { - krb5_free_context(context); - return (major_status); - } + if (code) + goto done; tmsglen = scratch.length; toktype = KG_TOK_CTX_ERROR; token.length = g_token_size(mech_used, tmsglen); token.value = (unsigned char *) xmalloc(token.length); - if (!token.value) { - krb5_free_context(context); - return (major_status); - } + if (!token.value) + goto done; ptr = token.value; g_make_token_header(mech_used, tmsglen, &ptr, toktype); @@ -990,9 +987,13 @@ *output_token = token; } + + done: if (!verifier_cred_handle && cred_handle) { - krb5_gss_release_cred(minor_status, &cred_handle); + krb5_gss_release_cred(&tmp_minor_status, &cred_handle); } - krb5_free_context(context); + if (context) { + krb5_free_context(context); + } return (major_status); } Index: src/lib/comerr32.def =================================================================== --- src/lib/comerr32.def (Revision 20580) +++ src/lib/comerr32.def (Revision 20587) @@ -3,10 +3,10 @@ HEAPSIZE 8192 EXPORTS - com_err - com_err_va - error_message - add_error_table - remove_error_table - set_com_err_hook - reset_com_err_hook + com_err @2 + com_err_va @3 + error_message @4 + add_error_table @1 + remove_error_table @5 + set_com_err_hook @6 + reset_com_err_hook @7 Index: src/lib/kadm5/srv/svr_principal.c =================================================================== --- src/lib/kadm5/srv/svr_principal.c (Revision 20580) +++ src/lib/kadm5/srv/svr_principal.c (Revision 20587) 
@@ -2099,7 +2099,8 @@ * inexact match on the enctype; this behavior will go away when * the key storage architecture gets redesigned for 1.3. */ - keyblock->enctype = ktype; + if (ktype != -1) + keyblock->enctype = ktype; if (kvnop) *kvnop = key_data->key_data_kvno; Index: src/lib/krb5/os/sendto_kdc.c =================================================================== --- src/lib/krb5/os/sendto_kdc.c (Revision 20580) +++ src/lib/krb5/os/sendto_kdc.c (Revision 20587) @@ -654,6 +654,12 @@ dprint("socket: %m creating with af %d\n", state->err, ai->ai_family); return -1; /* try other hosts */ } + if (fd >= FD_SETSIZE) { + close(fd); + state->err = EMFILE; + dprint("socket: fd %d too high\n", fd); + return -1; + } /* Make it non-blocking. */ if (ai->ai_socktype == SOCK_STREAM) { static const int one = 1;