rpm/krb5
SHA256
1
0
Fork 0
forked from pool/krb5
Code Pull Requests Activity
28dc0dd056
krb5/krb5-1.8-POST.dif
Michael Calmer 28dc0dd056 Accepting request 35618 from home:mcalmer:branches:network 
Copy from home:mcalmer:branches:network/krb5 via accept of submit request 35618 revision 2.
Request was accepted with message:

OBS-URL: https://build.opensuse.org/request/show/35618
OBS-URL: https://build.opensuse.org/package/show/network/krb5?expand=0&rev=14
2010-03-24 09:00:53 +00:00

316 lines
12 KiB
Plaintext
Raw Blame History

Index: doc/admin.texinfo
===================================================================
--- doc/admin.texinfo.orig
+++ doc/admin.texinfo
@@ -516,13 +516,6 @@ DCE do not support the default cache as
Kerberos. Use a value of 1 on DCE 1.0.3a systems, and a value of 2 on
DCE 1.1 systems. The default value is @value{DefaultCcacheType}.
-@ignore
-@itemx tkt_lifetime
-The default lifetime of a ticket. The default is
-@value{DefaultTktLifetime}. This is currently not supported by the
-code.
-@end ignore
-
@itemx dns_lookup_kdc
Indicate whether DNS SRV records should be used to locate the KDCs and
other servers for a realm, if they are not listed in the information for
@@ -583,6 +576,11 @@ If this flag is set, then an attempt to
fail if the client machine does not have a keytab. The default for the
flag is @value{DefaultVerifyApReqNofail}.
+@itemx ticket_lifetime
+The value of this tag is the default lifetime for
+initial tickets. The default value for the tag is
+@value{DefaultTktLifetime}.
+
@itemx renew_lifetime
The value of this tag is the default renewable lifetime for
initial tickets. The default value for the tag is
Index: src/include/krb5/krb5.hin
===================================================================
--- src/include/krb5/krb5.hin.orig
+++ src/include/krb5/krb5.hin
@@ -1066,7 +1066,7 @@ krb5_verify_checksum(krb5_context contex
#define KRB5_AUTHDATA_SESAME 65
#define KRB5_AUTHDATA_WIN2K_PAC 128
#define KRB5_AUTHDATA_ETYPE_NEGOTIATION 129 /* RFC 4537 */
-#define KRB5_AUTHDATA_SIGNTICKET 142
+#define KRB5_AUTHDATA_SIGNTICKET 512 /* formerly 142 in krb5 1.8 */
#define KRB5_AUTHDATA_FX_ARMOR 71
/* password change constants */
@@ -1184,6 +1184,19 @@ typedef struct _krb5_pa_data {
krb5_octet *contents;
} krb5_pa_data;
+/* typed data */
+/*
+ * The FAST error handling logic currently assumes that this structure and
+ * krb5_pa_data * can be safely cast to each other if this structure changes,
+ * that code needs to be updated to copy.
+ */
+typedef struct _krb5_typed_data {
+ krb5_magic magic;
+ krb5_int32 type;
+ unsigned int length;
+ krb5_octet *data;
+} krb5_typed_data;
+
typedef struct _krb5_kdc_req {
krb5_magic magic;
krb5_msgtype msg_type; /* AS_REQ or TGS_REQ? */
Index: src/include/k5-int-pkinit.h
===================================================================
--- src/include/k5-int-pkinit.h.orig
+++ src/include/k5-int-pkinit.h
@@ -101,17 +101,6 @@ typedef struct _krb5_trusted_ca {
} u;
} krb5_trusted_ca;
-/* typed data */
-/* The FAST error handling logic currently assumes that this structure and krb5_pa_data * can be safely cast to each other
- * if this structure changes, that code needs to be updated to copy.
- */
-typedef struct _krb5_typed_data {
- krb5_magic magic;
- krb5_int32 type;
- unsigned int length;
- krb5_octet *data;
-} krb5_typed_data;
-
/* PA-PK-AS-REQ (Draft 9 -- PA TYPE 14) */
typedef struct _krb5_pa_pk_as_req_draft9 {
krb5_octet_data signedAuthPack;
Index: src/kdc/kdc_authdata.c
===================================================================
--- src/kdc/kdc_authdata.c.orig
+++ src/kdc/kdc_authdata.c
@@ -934,8 +934,12 @@ verify_ad_signedpath(krb5_context contex
enc_sp.length = sp_authdata[0]->length;
code = decode_krb5_ad_signedpath(&enc_sp, &sp);
- if (code != 0)
+ if (code != 0) {
+ /* Treat an invalid signedpath authdata element as a missing one, since
+ * we believe MS is using the same number for something else. */
+ code = 0;
goto cleanup;
+ }
code = verify_ad_signedpath_checksum(context,
krbtgt,
Index: src/kdc/do_tgs_req.c
===================================================================
--- src/kdc/do_tgs_req.c.orig
+++ src/kdc/do_tgs_req.c
@@ -1215,6 +1215,7 @@ prep_reprocess_req(krb5_kdc_req *request
strlcpy(comp1_str,comp1->data,comp1->length+1);
if ((krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_HST ||
+ krb5_princ_type(kdc_context, request->server) == KRB5_NT_SRV_INST ||
(krb5_princ_type(kdc_context, request->server) == KRB5_NT_UNKNOWN &&
kdc_active_realm->realm_host_based_services != NULL &&
(krb5_match_config_pattern(kdc_active_realm->realm_host_based_services,
Index: src/clients/kpasswd/kpasswd.c
===================================================================
--- src/clients/kpasswd/kpasswd.c.orig
+++ src/clients/kpasswd/kpasswd.c
@@ -47,7 +47,7 @@ int main(int argc, char *argv[])
{
krb5_error_code ret;
krb5_context context;
- krb5_principal princ;
+ krb5_principal princ = NULL;
char *pname;
krb5_ccache ccache;
krb5_get_init_creds_opt *opts = NULL;
@@ -84,23 +84,27 @@ int main(int argc, char *argv[])
com_err(argv[0], ret, "parsing client name");
exit(1);
}
- } else if ((ret = krb5_cc_default(context, &ccache)) != KRB5_CC_NOTFOUND) {
- if (ret) {
+ } else {
+ ret = krb5_cc_default(context, &ccache);
+ if (ret != 0) {
com_err(argv[0], ret, "opening default ccache");
exit(1);
}
- if ((ret = krb5_cc_get_principal(context, ccache, &princ))) {
+ ret = krb5_cc_get_principal(context, ccache, &princ);
+ if (ret != 0 && ret != KRB5_CC_NOTFOUND && ret != KRB5_FCC_NOFILE) {
com_err(argv[0], ret, "getting principal from ccache");
exit(1);
}
- if ((ret = krb5_cc_close(context, ccache))) {
+ ret = krb5_cc_close(context, ccache);
+ if (ret != 0) {
com_err(argv[0], ret, "closing ccache");
exit(1);
}
- } else {
- get_name_from_passwd_file(argv[0], context, &princ);
+
+ if (princ == NULL)
+ get_name_from_passwd_file(argv[0], context, &princ);
}
if ((ret = krb5_get_init_creds_opt_alloc(context, &opts))) {
Index: src/config-files/krb5.conf.M
===================================================================
--- src/config-files/krb5.conf.M.orig
+++ src/config-files/krb5.conf.M
@@ -220,6 +220,10 @@ If this flag is set, then an attempt to
fail if the client machine does not have a keytab. The default for the
flag is false.
+.IP ticket_lifetime
+The value of this tag is the default lifetime for initial tickets. The
+default value for the tag is 1 day (1d).
+
.IP renew_lifetime
The value of this tag is the default renewable lifetime for initial
tickets. The default value for the tag is 0.
Index: src/lib/gssapi/spnego/spnego_mech.c
===================================================================
--- src/lib/gssapi/spnego/spnego_mech.c.orig
+++ src/lib/gssapi/spnego/spnego_mech.c
@@ -1687,6 +1687,7 @@ cleanup:
if (sc->internal_name != GSS_C_NO_NAME &&
src_name != NULL) {
*src_name = sc->internal_name;
+ sc->internal_name = GSS_C_NO_NAME;
}
release_spnego_ctx(&sc);
} else if (ret != GSS_S_CONTINUE_NEEDED) {
@@ -2572,6 +2573,8 @@ release_spnego_ctx(spnego_gss_ctx_id_t *
(void) generic_gss_release_oid(&minor_stat,
&context->internal_mech);
+ (void) gss_release_name(&minor_stat, &context->internal_name);
+
if (context->optionStr != NULL) {
free(context->optionStr);
context->optionStr = NULL;
Index: src/lib/kadm5/srv/svr_principal.c
===================================================================
--- src/lib/kadm5/srv/svr_principal.c.orig
+++ src/lib/kadm5/srv/svr_principal.c
@@ -858,8 +858,8 @@ kadm5_get_principal(void *server_handle,
if (! (mask & KADM5_MOD_TIME))
entry->mod_date = 0;
if (! (mask & KADM5_MOD_NAME)) {
- krb5_free_principal(handle->context, entry->principal);
- entry->principal = NULL;
+ krb5_free_principal(handle->context, entry->mod_name);
+ entry->mod_name = NULL;
}
}
@@ -871,10 +871,12 @@ kadm5_get_principal(void *server_handle,
if (kdb.key_data[i].key_data_kvno > entry->kvno)
entry->kvno = kdb.key_data[i].key_data_kvno;
- ret = krb5_dbe_get_mkvno(handle->context, &kdb, master_keylist,
- &entry->mkvno);
- if (ret)
- goto done;
+ if (mask & KADM5_MKVNO) {
+ ret = krb5_dbe_get_mkvno(handle->context, &kdb, master_keylist,
+ &entry->mkvno);
+ if (ret)
+ goto done;
+ }
if (mask & KADM5_MAX_RLIFE)
entry->max_renewable_life = kdb.max_renewable_life;
Index: src/lib/krb5/os/changepw.c
===================================================================
--- src/lib/krb5/os/changepw.c.orig
+++ src/lib/krb5/os/changepw.c
@@ -65,20 +65,23 @@ locate_kpasswd(krb5_context context, con
int sockType = (useTcp ? SOCK_STREAM : SOCK_DGRAM);
code = krb5int_locate_server (context, realm, addrlist,
- locate_service_kpasswd, sockType, AF_INET);
+ locate_service_kpasswd, sockType, AF_UNSPEC);
if (code == KRB5_REALM_CANT_RESOLVE || code == KRB5_REALM_UNKNOWN) {
code = krb5int_locate_server (context, realm, addrlist,
locate_service_kadmin, SOCK_STREAM,
- AF_INET);
+ AF_UNSPEC);
if (!code) {
/* Success with admin_server but now we need to change the
port number to use DEFAULT_KPASSWD_PORT and the socktype. */
size_t i;
for (i=0; i<addrlist->naddrs; i++) {
struct addrinfo *a = addrlist->addrs[i].ai;
+ krb5_ui_2 kpasswd_port = htons(DEFAULT_KPASSWD_PORT);
if (a->ai_family == AF_INET)
- sa2sin (a->ai_addr)->sin_port = htons(DEFAULT_KPASSWD_PORT);
+ sa2sin (a->ai_addr)->sin_port = kpasswd_port;
+ if (a->ai_family == AF_INET6)
+ sa2sin6 (a->ai_addr)->sin6_port = kpasswd_port;
if (sockType != SOCK_STREAM)
a->ai_socktype = sockType;
}
@@ -131,10 +134,16 @@ kpasswd_sendto_msg_callback(struct conn_
/* some brain-dead OS's don't return useful information from
* the getsockname call. Namely, windows and solaris. */
- if (ss2sin(&local_addr)->sin_addr.s_addr != 0) {
+ if (local_addr.ss_family == AF_INET &&
+ ss2sin(&local_addr)->sin_addr.s_addr != 0) {
local_kaddr.addrtype = ADDRTYPE_INET;
local_kaddr.length = sizeof(ss2sin(&local_addr)->sin_addr);
local_kaddr.contents = (krb5_octet *) &ss2sin(&local_addr)->sin_addr;
+ } else if (local_addr.ss_family == AF_INET6 &&
+ ss2sin6(&local_addr)->sin6_addr.s6_addr != 0) {
+ local_kaddr.addrtype = ADDRTYPE_INET6;
+ local_kaddr.length = sizeof(ss2sin6(&local_addr)->sin6_addr);
+ local_kaddr.contents = (krb5_octet *) &ss2sin6(&local_addr)->sin6_addr;
} else {
krb5_address **addrs;
@@ -290,9 +299,19 @@ change_set_password(krb5_context context
break;
}
- remote_kaddr.addrtype = ADDRTYPE_INET;
- remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr);
- remote_kaddr.contents = (krb5_octet *) &ss2sin(&remote_addr)->sin_addr;
+ if (remote_addr.ss_family == AF_INET) {
+ remote_kaddr.addrtype = ADDRTYPE_INET;
+ remote_kaddr.length = sizeof(ss2sin(&remote_addr)->sin_addr);
+ remote_kaddr.contents =
+ (krb5_octet *) &ss2sin(&remote_addr)->sin_addr;
+ } else if (remote_addr.ss_family == AF_INET6) {
+ remote_kaddr.addrtype = ADDRTYPE_INET6;
+ remote_kaddr.length = sizeof(ss2sin6(&remote_addr)->sin6_addr);
+ remote_kaddr.contents =
+ (krb5_octet *) &ss2sin6(&remote_addr)->sin6_addr;
+ } else {
+ break;
+ }
if ((code = krb5_auth_con_setaddrs(callback_ctx.context,
callback_ctx.auth_context,
Index: src/lib/krb5/krb/gic_pwd.c
===================================================================
--- src/lib/krb5/krb/gic_pwd.c.orig
+++ src/lib/krb5/krb/gic_pwd.c
@@ -218,7 +218,7 @@ krb5_get_init_creds_password(krb5_contex
* to prompt. Prompting is only disabled if the option has been set
* and the value has been set to false.
*/
- if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
+ if (options && !(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
goto cleanup;
/* ok, we have an expired password. Give the user a few chances
View Git Blame Copy Permalink