rpms/krb5
7
0
Fork 0
Code Issues Pull Requests Releases Activity

remove obsolete files

Browse Source
This commit is contained in:
Nalin Dahyabhai 2009-06-04 22:38:18 +00:00
parent a6e25b4c5d
commit 34072014a1
45 changed files with 5 additions and 11175 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.cvsignore
View File

@ -25,3 +25,6 @@ krb5-1.6.2-pdf.tar.gz
krb5-1.6.3.tar.gz
krb5-1.6.3.tar.gz.asc
krb5-1.6.3-pdf.tar.gz
krb5-1.7.tar.gz
krb5-1.7.tar.gz.asc
krb5-1.7-pdf.tar.gz

268
2004-002-dblfree_patch.txt
View File

@ -1,268 +0,0 @@
Index: src/clients/klist/klist.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/clients/klist/klist.c,v
retrieving revision 5.63
diff -c -r5.63 klist.c
*** src/clients/klist/klist.c 11 Apr 2002 03:21:46 -0000 5.63
--- src/clients/klist/klist.c 23 Aug 2004 03:37:26 -0000
***************
*** 614,619 ****
--- 614,622 ----
if (show_etype) {
retval = krb5_decode_ticket(&cred->ticket, &tkt);
+ if (retval)
+ goto err_tkt;
+
if (!extra_field)
fputs("\t",stdout);
else
***************
*** 622,629 ****
etype_string(cred->keyblock.enctype));
printf("%s ",
etype_string(tkt->enc_part.enctype));
- krb5_free_ticket(kcontext, tkt);
extra_field++;
}
/* if any additional info was printed, extra_field is non-zero */
--- 625,635 ----
etype_string(cred->keyblock.enctype));
printf("%s ",
etype_string(tkt->enc_part.enctype));
extra_field++;
+
+ err_tkt:
+ if (tkt != NULL)
+ krb5_free_ticket(kcontext, tkt);
}
/* if any additional info was printed, extra_field is non-zero */
Index: src/krb524/krb524d.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/krb524/krb524d.c,v
retrieving revision 1.55.2.3
diff -c -r1.55.2.3 krb524d.c
*** src/krb524/krb524d.c 28 May 2003 04:06:31 -0000 1.55.2.3
--- src/krb524/krb524d.c 23 Aug 2004 03:37:26 -0000
***************
*** 582,589 ****
printf("v4 credentials encoded\n");
error:
! if (v5tkt->enc_part2)
krb5_free_enc_tkt_part(context, v5tkt->enc_part2);
if(v5_service_key.contents)
krb5_free_keyblock_contents(context, &v5_service_key);
--- 582,591 ----
printf("v4 credentials encoded\n");
error:
! if (v5tkt->enc_part2) {
krb5_free_enc_tkt_part(context, v5tkt->enc_part2);
+ v5tkt->enc_part2 = NULL;
+ }
if(v5_service_key.contents)
krb5_free_keyblock_contents(context, &v5_service_key);
Index: src/lib/krb5/asn.1/asn1buf.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/asn.1/asn1buf.c,v
retrieving revision 5.24
diff -c -r5.24 asn1buf.c
*** src/lib/krb5/asn.1/asn1buf.c 12 Mar 2003 04:33:30 -0000 5.24
--- src/lib/krb5/asn.1/asn1buf.c 23 Aug 2004 03:37:27 -0000
***************
*** 255,260 ****
--- 255,261 ----
(*code)->data = (char*)malloc((((*code)->length)+1)*sizeof(char));
if ((*code)->data == NULL) {
free(*code);
+ *code = NULL;
return ENOMEM;
}
for(i=0; i < (*code)->length; i++)
Index: src/lib/krb5/asn.1/krb5_decode.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/asn.1/krb5_decode.c,v
retrieving revision 5.40.2.5
diff -c -r5.40.2.5 krb5_decode.c
*** src/lib/krb5/asn.1/krb5_decode.c 10 Oct 2003 23:57:38 -0000 5.40.2.5
--- src/lib/krb5/asn.1/krb5_decode.c 23 Aug 2004 03:37:27 -0000
***************
*** 183,190 ****
#define cleanup(cleanup_routine)\
return 0; \
error_out: \
! if (rep && *rep) \
cleanup_routine(*rep); \
return retval;
#define cleanup_none()\
--- 183,192 ----
#define cleanup(cleanup_routine)\
return 0; \
error_out: \
! if (rep && *rep) { \
cleanup_routine(*rep); \
+ *rep = NULL; \
+ } \
return retval;
#define cleanup_none()\
***************
*** 233,238 ****
--- 235,241 ----
free_field(*rep,checksum);
free_field(*rep,client);
free(*rep);
+ *rep = NULL;
}
return retval;
}
***************
*** 254,260 ****
{ begin_structure();
{ krb5_kvno kvno;
get_field(kvno,0,asn1_decode_kvno);
! if(kvno != KVNO) return KRB5KDC_ERR_BAD_PVNO;
}
alloc_field((*rep)->server,krb5_principal_data);
get_field((*rep)->server,1,asn1_decode_realm);
--- 257,263 ----
{ begin_structure();
{ krb5_kvno kvno;
get_field(kvno,0,asn1_decode_kvno);
! if(kvno != KVNO) clean_return(KRB5KDC_ERR_BAD_PVNO);
}
alloc_field((*rep)->server,krb5_principal_data);
get_field((*rep)->server,1,asn1_decode_realm);
***************
*** 268,273 ****
--- 271,277 ----
if (rep && *rep) {
free_field(*rep,server);
free(*rep);
+ *rep = NULL;
}
return retval;
}
***************
*** 320,325 ****
--- 324,330 ----
free_field(*rep,session);
free_field(*rep,client);
free(*rep);
+ *rep = NULL;
}
return retval;
}
***************
*** 403,408 ****
--- 408,414 ----
if (rep && *rep) {
free_field(*rep,ticket);
free(*rep);
+ *rep = NULL;
}
return retval;
}
***************
*** 451,456 ****
--- 457,463 ----
if (rep && *rep) {
free_field(*rep,subkey);
free(*rep);
+ *rep = NULL;
}
return retval;
}
***************
*** 556,561 ****
--- 563,569 ----
if (rep && *rep) {
free_field(*rep,checksum);
free(*rep);
+ *rep = NULL;
}
return retval;
}
***************
*** 614,619 ****
--- 622,628 ----
free_field(*rep,r_address);
free_field(*rep,s_address);
free(*rep);
+ *rep = NULL;
}
return retval;
}
***************
*** 668,673 ****
--- 677,683 ----
free_field(*rep,r_address);
free_field(*rep,s_address);
free(*rep);
+ *rep = NULL;
}
return retval;
}
***************
*** 713,718 ****
--- 723,729 ----
free_field(*rep,server);
free_field(*rep,client);
free(*rep);
+ *rep = NULL;
}
return retval;
}
Index: src/lib/krb5/krb/rd_rep.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/rd_rep.c,v
retrieving revision 5.33.2.2
diff -c -r5.33.2.2 rd_rep.c
*** src/lib/krb5/krb/rd_rep.c 14 Jun 2003 00:09:47 -0000 5.33.2.2
--- src/lib/krb5/krb/rd_rep.c 23 Aug 2004 03:37:27 -0000
***************
*** 71,76 ****
--- 71,78 ----
/* now decode the decrypted stuff */
retval = decode_krb5_ap_rep_enc_part(&scratch, repl);
+ if (retval)
+ goto clean_scratch;
/* Check reply fields */
if (((*repl)->ctime != auth_context->authentp->ctime) ||
Index: src/lib/krb5/krb/send_tgs.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/send_tgs.c,v
retrieving revision 5.55.2.1
diff -c -r5.55.2.1 send_tgs.c
*** src/lib/krb5/krb/send_tgs.c 13 May 2004 19:27:59 -0000 5.55.2.1
--- src/lib/krb5/krb/send_tgs.c 23 Aug 2004 03:37:27 -0000
***************
*** 269,274 ****
--- 269,276 ----
if (!tcp_only) {
krb5_error *err_reply;
retval = decode_krb5_error(&rep->response, &err_reply);
+ if (retval)
+ goto send_tgs_error_3;
if (err_reply->error == KRB_ERR_RESPONSE_TOO_BIG) {
tcp_only = 1;
krb5_free_error(context, err_reply);
***************
*** 277,282 ****
--- 279,286 ----
goto send_again;
}
krb5_free_error(context, err_reply);
+ send_tgs_error_3:
+ ;
}
rep->message_type = KRB5_ERROR;
} else if (krb5_is_tgs_rep(&rep->response))

17
2004-003-patch_1.3.4.txt
View File

@ -1,17 +0,0 @@
Index: src/lib/krb5/asn.1/asn1buf.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/lib/krb5/asn.1/asn1buf.c,v
retrieving revision 5.24
*** src/lib/krb5/asn.1/asn1buf.c 12 Mar 2003 04:33:30 -0000 5.24
--- src/lib/krb5/asn.1/asn1buf.c 23 Aug 2004 03:43:47 -0000
***************
*** 122,127 ****
--- 122,129 ----
return ASN1_OVERRUN;
}
while (nestlevel > 0) {
+ if (buf->bound - buf->next + 1 <= 0)
+ return ASN1_OVERRUN;
retval = asn1_get_tag_2(buf, &t);
if (retval) return retval;
if (!t.indef) {

268
2006-001-patch_1.5.txt
View File

@ -1,268 +0,0 @@
Index: appl/gssftp/ftpd/ftpd.c
===================================================================
*** appl/gssftp/ftpd/ftpd.c (revision 18440)
--- appl/gssftp/ftpd/ftpd.c (working copy)
***************
*** 1367,1373 ****
goto bad;
sleep(tries);
}
! (void) krb5_seteuid((uid_t)pw->pw_uid);
#ifdef IP_TOS
#ifdef IPTOS_THROUGHPUT
on = IPTOS_THROUGHPUT;
--- 1367,1375 ----
goto bad;
sleep(tries);
}
! if (krb5_seteuid((uid_t)pw->pw_uid)) {
! fatal("seteuid user");
! }
#ifdef IP_TOS
#ifdef IPTOS_THROUGHPUT
on = IPTOS_THROUGHPUT;
***************
*** 1377,1383 ****
#endif
return (fdopen(s, fmode));
bad:
! (void) krb5_seteuid((uid_t)pw->pw_uid);
(void) close(s);
return (NULL);
}
--- 1379,1387 ----
#endif
return (fdopen(s, fmode));
bad:
! if (krb5_seteuid((uid_t)pw->pw_uid)) {
! fatal("seteuid user");
! }
(void) close(s);
return (NULL);
}
***************
*** 2186,2192 ****
(void) krb5_seteuid((uid_t)pw->pw_uid);
goto pasv_error;
}
! (void) krb5_seteuid((uid_t)pw->pw_uid);
len = sizeof(pasv_addr);
if (getsockname(pdata, (struct sockaddr *) &pasv_addr, &len) < 0)
goto pasv_error;
--- 2190,2198 ----
(void) krb5_seteuid((uid_t)pw->pw_uid);
goto pasv_error;
}
! if (krb5_seteuid((uid_t)pw->pw_uid)) {
! fatal("seteuid user");
! }
len = sizeof(pasv_addr);
if (getsockname(pdata, (struct sockaddr *) &pasv_addr, &len) < 0)
goto pasv_error;
Index: appl/bsd/v4rcp.c
===================================================================
*** appl/bsd/v4rcp.c (revision 18440)
--- appl/bsd/v4rcp.c (working copy)
***************
*** 436,442 ****
kstream_set_buffer_mode (krem, 0);
#endif /* KERBEROS && !NOENCRYPTION */
(void) response();
! (void) setuid(userid);
source(--argc, ++argv);
exit(errs);
--- 436,445 ----
kstream_set_buffer_mode (krem, 0);
#endif /* KERBEROS && !NOENCRYPTION */
(void) response();
! if (setuid(userid)) {
! error("rcp: can't setuid(user)\n");
! exit(1);
! }
source(--argc, ++argv);
exit(errs);
***************
*** 452,458 ****
krem = kstream_create_from_fd (rem, 0, 0);
kstream_set_buffer_mode (krem, 0);
#endif /* KERBEROS && !NOENCRYPTION */
! (void) setuid(userid);
sink(--argc, ++argv);
exit(errs);
--- 455,464 ----
krem = kstream_create_from_fd (rem, 0, 0);
kstream_set_buffer_mode (krem, 0);
#endif /* KERBEROS && !NOENCRYPTION */
! if (setuid(userid)) {
! error("rcp: can't setuid(user)\n");
! exit(1);
! }
sink(--argc, ++argv);
exit(errs);
Index: appl/bsd/krcp.c
===================================================================
*** appl/bsd/krcp.c (revision 18440)
--- appl/bsd/krcp.c (working copy)
***************
*** 620,626 ****
euid = geteuid();
if (euid == 0) {
! (void) setuid(0);
if(krb5_seteuid(userid)) {
perror("rcp seteuid user"); errs++; exit(errs);
}
--- 620,628 ----
euid = geteuid();
if (euid == 0) {
! if (setuid(0)) {
! perror("rcp setuid 0"); errs++; exit(errs);
! }
if(krb5_seteuid(userid)) {
perror("rcp seteuid user"); errs++; exit(errs);
}
***************
*** 638,648 ****
continue;
rcmd_stream_init_normal();
#ifdef HAVE_SETREUID
! (void) setreuid(0, userid);
sink(1, argv+argc-1);
! (void) setreuid(userid, 0);
#else
! (void) setuid(0);
if(seteuid(userid)) {
perror("rcp seteuid user"); errs++; exit(errs);
}
--- 640,656 ----
continue;
rcmd_stream_init_normal();
#ifdef HAVE_SETREUID
! if (setreuid(0, userid)) {
! perror("rcp setreuid 0,user"); errs++; exit(errs);
! }
sink(1, argv+argc-1);
! if (setreuid(userid, 0)) {
! perror("rcp setreuid user,0"); errs++; exit(errs);
! }
#else
! if (setuid(0)) {
! perror("rcp setuid 0"); errs++; exit(errs);
! }
if(seteuid(userid)) {
perror("rcp seteuid user"); errs++; exit(errs);
}
Index: appl/bsd/login.c
===================================================================
*** appl/bsd/login.c (revision 18440)
--- appl/bsd/login.c (working copy)
***************
*** 1648,1654 ****
}
#endif /* HAVE_SETLUID */
#ifdef _IBMR2
! setuidx(ID_LOGIN, pwd->pw_uid);
#endif
/* This call MUST succeed */
--- 1648,1657 ----
}
#endif /* HAVE_SETLUID */
#ifdef _IBMR2
! if (setuidx(ID_LOGIN, pwd->pw_uid) < 0) {
! perror("setuidx");
! sleepexit(1);
! };
#endif
/* This call MUST succeed */
Index: appl/bsd/krshd.c
===================================================================
*** appl/bsd/krshd.c (revision 18440)
--- appl/bsd/krshd.c (working copy)
***************
*** 1403,1411 ****
* If we're on a system which keeps track of login uids, then
* set the login uid.
*/
! setluid((uid_t) pwd->pw_uid);
#endif /* HAVE_SETLUID */
! (void) setuid((uid_t)pwd->pw_uid);
/* if TZ is set in the parent, drag it in */
{
char **findtz = environ;
--- 1403,1417 ----
* If we're on a system which keeps track of login uids, then
* set the login uid.
*/
! if (setluid((uid_t) pwd->pw_uid) < 0) {
! perror("setluid");
! _exit(1);
! }
#endif /* HAVE_SETLUID */
! if (setuid((uid_t)pwd->pw_uid) < 0) {
! perror("setuid");
! _exit(1);
! }
/* if TZ is set in the parent, drag it in */
{
char **findtz = environ;
Index: clients/ksu/main.c
===================================================================
*** clients/ksu/main.c (revision 18440)
--- clients/ksu/main.c (working copy)
***************
*** 893,900 ****
struct stat st_temp;
krb5_seteuid(0);
! krb5_seteuid(target_uid);
!
cc_name = krb5_cc_get_name(context, cc);
if ( ! stat(cc_name, &st_temp)){
if ((retval = krb5_cc_destroy(context, cc))){
--- 893,904 ----
struct stat st_temp;
krb5_seteuid(0);
! if (krb5_seteuid(target_uid) < 0) {
! com_err(prog_name, errno,
! "while changing to target uid for destroying ccache");
! exit(1);
! }
!
cc_name = krb5_cc_get_name(context, cc);
if ( ! stat(cc_name, &st_temp)){
if ((retval = krb5_cc_destroy(context, cc))){
Index: lib/krb4/kuserok.c
===================================================================
*** lib/krb4/kuserok.c (revision 18440)
--- lib/krb4/kuserok.c (working copy)
***************
*** 159,167 ****
*/
if(getuid() == 0) {
uid_t old_euid = geteuid();
! seteuid(pwd->pw_uid);
fp = fopen(pbuf, "r");
! seteuid(old_euid);
if ((fp) == NULL) {
return(NOTOK);
}
--- 159,169 ----
*/
if(getuid() == 0) {
uid_t old_euid = geteuid();
! if (seteuid(pwd->pw_uid) < 0)
! return NOTOK;
fp = fopen(pbuf, "r");
! if (seteuid(old_euid) < 0)
! return NOTOK;
if ((fp) == NULL) {
return(NOTOK);
}

27
2006-002-patch.txt
View File

@ -1,27 +0,0 @@
Index: src/lib/rpc/svc.c
===================================================================
*** src/lib/rpc/svc.c (revision 18864)
--- src/lib/rpc/svc.c (working copy)
***************
*** 437,442 ****
--- 437,444 ----
#endif
}
+ extern struct svc_auth_ops svc_auth_gss_ops;
+
static void
svc_do_xprt(SVCXPRT *xprt)
{
***************
*** 518,523 ****
--- 520,528 ----
if ((stat = SVC_STAT(xprt)) == XPRT_DIED){
SVC_DESTROY(xprt);
break;
+ } else if ((xprt->xp_auth != NULL) &&
+ (xprt->xp_auth->svc_ah_ops != &svc_auth_gss_ops)) {
+ xprt->xp_auth = NULL;
}
} while (stat == XPRT_MOREREQS);

1903
2006-003-patch.txt
View File

File diff suppressed because it is too large Load Diff

30
CVE-2007-3999-2.patch
View File

@ -1,30 +0,0 @@
*** src/lib/rpc/svc_auth_gss.c (revision 20474)
--- src/lib/rpc/svc_auth_gss.c (local)
***************
*** 355,360 ****
--- 355,369 ----
memset(rpchdr, 0, sizeof(rpchdr));
/* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
+ oa = &msg->rm_call.cb_cred;
+ if (oa->oa_length > MAX_AUTH_BYTES)
+ return (FALSE);
+
+ /* 8 XDR units from the IXDR macro calls. */
+ if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
+ RNDUP(oa->oa_length)))
+ return (FALSE);
+
buf = (int32_t *)(void *)rpchdr;
IXDR_PUT_LONG(buf, msg->rm_xid);
IXDR_PUT_ENUM(buf, msg->rm_direction);
***************
*** 362,368 ****
IXDR_PUT_LONG(buf, msg->rm_call.cb_prog);
IXDR_PUT_LONG(buf, msg->rm_call.cb_vers);
IXDR_PUT_LONG(buf, msg->rm_call.cb_proc);
- oa = &msg->rm_call.cb_cred;
IXDR_PUT_ENUM(buf, oa->oa_flavor);
IXDR_PUT_LONG(buf, oa->oa_length);
if (oa->oa_length) {
--- 371,376 ----

22
CVE-2007-4000.patch
View File

@ -1,22 +0,0 @@
*** src/lib/kadm5/srv/svr_policy.c (revision 20254)
--- src/lib/kadm5/srv/svr_policy.c (local)
***************
*** 211,218 ****
if((mask & KADM5_POLICY))
return KADM5_BAD_MASK;
! ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt);
! if( ret && (cnt==0) )
return KADM5_UNK_POLICY;
if ((mask & KADM5_PW_MAX_LIFE))
--- 211,219 ----
if((mask & KADM5_POLICY))
return KADM5_BAD_MASK;
! if ((ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt)))
! return ret;
! if (cnt != 1)
return KADM5_UNK_POLICY;
if ((mask & KADM5_PW_MAX_LIFE))

46
krb5-1.3.3-rcp-markus.patch
View File

@ -1,46 +0,0 @@
Fix for CAN-2004-0175, based on Markus Friedl's fix for OpenSSH scp.
--- krb5-1.3.3/src/appl/bsd/krcp.c 2003-05-12 18:20:15.000000000 -0400
+++ krb5-1.3.3/src/appl/bsd/krcp.c 2004-04-13 12:01:31.000000000 -0400
@@ -1088,6 +1088,10 @@
size = size * 10 + (*cp++ - '0');
if (*cp++ != ' ')
SCREWUP("size not delimited");
+ if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
+ error("error: unexpected filename: %s", cp);
+ exit(1);
+ }
if (targisdir) {
if(strlen(targ) + strlen(cp) + 2 >= sizeof(nambuf))
SCREWUP("target name too long");
@@ -1101,6 +1105,8 @@
nambuf[sizeof(nambuf) - 1] = '\0';
exists = stat(nambuf, &stb) == 0;
if (cmdbuf[0] == 'D') {
+ if (!iamrecursive)
+ SCREWUP("received directory without -r");
if (exists) {
if ((stb.st_mode&S_IFMT) != S_IFDIR) {
errno = ENOTDIR;
--- krb5-1.3.3/src/appl/bsd/v4rcp.c 2002-07-12 16:21:31.000000000 -0400
+++ krb5-1.3.3/src/appl/bsd/v4rcp.c 2004-04-13 12:01:53.000000000 -0400
@@ -801,6 +801,10 @@
size = size * 10 + (*cp++ - '0');
if (*cp++ != ' ')
SCREWUP("size not delimited");
+ if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) {
+ error("error: unexpected filename: %s", cp);
+ exit(1);
+ }
if (targisdir) {
if (strlen(targ) + strlen(cp) + 1 < sizeof(nambuf)) {
(void) sprintf(nambuf, "%s%s%s", targ,
@@ -817,6 +821,8 @@
nambuf[sizeof(nambuf)-1] = '\0';
exists = stat(nambuf, &stb) == 0;
if (cmdbuf[0] == 'D') {
+ if (!iamrecursive)
+ SCREWUP("received directory without -r");
if (exists) {
if ((stb.st_mode&S_IFMT) != S_IFDIR) {
errno = ENOTDIR;

47
krb5-1.3.3-rcp-sendlarge.patch
View File

@ -1,47 +0,0 @@
Fix sending of large files. This isn't *quite* right, because we still have to
open the file right to avoid EFBIG errors, and this patch doesn't fix that.
Either we build with -D_FILE_OFFSET_BITS=64, change open() to open64(), or
pass O_LARGEFILE to open(), none of which are easy to automate.
--- krb5-1.3.3/src/appl/bsd/krcp.c 2004-04-15 00:40:00.000000000 -0400
+++ krb5-1.3.3/src/appl/bsd/krcp.c 2004-04-15 00:55:38.000000000 -0400
@@ -819,8 +819,13 @@
continue;
}
}
+#ifdef HAVE_LONG_LONG
+ (void) sprintf(buf, "C%04o %lld %s\n",
+ (int) stb.st_mode&07777, (long long) stb.st_size, last);
+#else
(void) sprintf(buf, "C%04o %ld %s\n",
(int) stb.st_mode&07777, (long ) stb.st_size, last);
+#endif
(void) rcmd_stream_write(rem, buf, strlen(buf), 0);
if (response() < 0) {
(void) close(f);
--- krb5-1.3.3/src/appl/bsd/v4rcp.c 2004-04-15 00:40:28.000000000 -0400
+++ krb5-1.3.3/src/appl/bsd/v4rcp.c 2004-04-15 00:46:57.000000000 -0400
@@ -538,8 +538,13 @@
continue;
}
}
+#ifdef HAVE_LONG_LONG
+ (void) sprintf(buf, "C%04o %lld %s\n",
+ (unsigned int) stb.st_mode&07777, (long long) stb.st_size, last);
+#else
(void) sprintf(buf, "C%04o %ld %s\n",
(unsigned int) stb.st_mode&07777, (long) stb.st_size, last);
+#endif
kstream_write (krem, buf, strlen (buf));
if (response() < 0) {
(void) close(f);
--- krb5-1.3.3/src/appl/bsd/configure.in 2004-04-15 00:52:22.000000000 -0400
+++ krb5-1.3.3/src/appl/bsd/configure.in 2004-04-15 00:52:16.000000000 -0400
@@ -77,6 +77,7 @@
AC_TYPE_MODE_T
AC_CHECK_FUNCS(isatty inet_aton getenv gettosbyname killpg initgroups setpriority setreuid setresuid waitpid setsid ptsname setlogin tcgetpgrp tcsetpgrp setpgid strsave utimes rmufile rresvport_af)
AC_CHECK_HEADERS(unistd.h stdlib.h string.h sys/filio.h sys/sockio.h sys/label.h sys/tty.h ttyent.h lastlog.h sys/select.h sys/ptyvar.h utmp.h sys/time.h krb4-proto.h sys/ioctl_compat.h paths.h arpa/nameser.h)
+AC_CHECK_TYPES([long long])
AC_HEADER_STDARG
AC_REPLACE_FUNCS(getdtablesize)
dnl

41
krb5-1.3.5-kprop-mktemp.patch
View File

@ -1,41 +0,0 @@
Use an in-memory ccache to silence a compiler warning.
--- krb5-1.3.5/src/slave/kprop.c 2004-11-17 12:18:48.000000000 -0500
+++ krb5-1.3.5/src/slave/kprop.c 2004-11-17 13:42:31.926487217 -0500
@@ -211,9 +211,8 @@
void get_tickets(context)
krb5_context context;
{
- char buf[BUFSIZ];
krb5_error_code retval;
- static char tkstring[] = "/tmp/kproptktXXXXXX";
+ char tkstring[] = "MEMORY:_kproptkt";
krb5_keytab keytab = NULL;
/*
@@ -238,22 +237,19 @@
#endif
/*
- * Initialize cache file which we're going to be using
+ * Initialize an in-memory cache for temporary use
*/
- (void) mktemp(tkstring);
- sprintf(buf, "FILE:%s", tkstring);
-
- retval = krb5_cc_resolve(context, buf, &ccache);
+ retval = krb5_cc_resolve(context, tkstring, &ccache);
if (retval) {
com_err(progname, retval, "while opening credential cache %s",
- buf);
+ tkstring);
exit(1);
}
retval = krb5_cc_initialize(context, ccache, my_principal);
if (retval) {
com_err (progname, retval, "when initializing cache %s",
- buf);
+ tkstring);
exit(1);
}

344
krb5-1.4-ktany.patch
View File

@ -1,344 +0,0 @@
--- krb5-1.4/src/lib/krb5/keytab/ktbase.c.ktany 2004-05-27 23:44:32.000000000 -0400
+++ krb5-1.4/src/lib/krb5/keytab/ktbase.c 2005-02-18 11:01:18.000000000 -0500
@@ -34,14 +34,19 @@
extern const krb5_kt_ops krb5_ktf_ops;
extern const krb5_kt_ops krb5_ktf_writable_ops;
extern const krb5_kt_ops krb5_kts_ops;
+extern const krb5_kt_ops krb5_kta_ops;
struct krb5_kt_typelist {
const krb5_kt_ops *ops;
const struct krb5_kt_typelist *next;
};
+static struct krb5_kt_typelist krb5_kt_typelist_any = {
+ &krb5_kta_ops,
+ 0
+};
const static struct krb5_kt_typelist krb5_kt_typelist_wrfile = {
&krb5_ktf_writable_ops,
- 0
+ &krb5_kt_typelist_any
};
const static struct krb5_kt_typelist krb5_kt_typelist_file = {
&krb5_ktf_ops,
--- /dev/null 2005-02-18 05:27:12.242575752 -0500
+++ krb5-1.4/src/lib/krb5/keytab/kt_any.c 2005-02-18 10:38:09.000000000 -0500
@@ -0,0 +1,292 @@
+/*
+ * lib/krb5/keytab/kt_any.c
+ *
+ * Copyright 1998, 1999 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * krb5_kta_ops
+ */
+
+#include "k5-int.h"
+
+typedef struct _krb5_ktany_data {
+ char *name;
+ krb5_keytab *choices;
+ int nchoices;
+} krb5_ktany_data;
+
+typedef struct _krb5_ktany_cursor_data {
+ int which;
+ krb5_kt_cursor cursor;
+} krb5_ktany_cursor_data;
+
+static krb5_error_code krb5_ktany_resolve
+ (krb5_context,
+ const char *,
+ krb5_keytab *);
+static krb5_error_code krb5_ktany_get_name
+ (krb5_context context,
+ krb5_keytab id,
+ char *name,
+ unsigned int len);
+static krb5_error_code krb5_ktany_close
+ (krb5_context context,
+ krb5_keytab id);
+static krb5_error_code krb5_ktany_get_entry
+ (krb5_context context,
+ krb5_keytab id,
+ krb5_const_principal principal,
+ krb5_kvno kvno,
+ krb5_enctype enctype,
+ krb5_keytab_entry *entry);
+static krb5_error_code krb5_ktany_start_seq_get
+ (krb5_context context,
+ krb5_keytab id,
+ krb5_kt_cursor *cursorp);
+static krb5_error_code krb5_ktany_next_entry
+ (krb5_context context,
+ krb5_keytab id,
+ krb5_keytab_entry *entry,
+ krb5_kt_cursor *cursor);
+static krb5_error_code krb5_ktany_end_seq_get
+ (krb5_context context,
+ krb5_keytab id,
+ krb5_kt_cursor *cursor);
+static void cleanup
+ (krb5_context context,
+ krb5_ktany_data *data,
+ int nchoices);
+
+struct _krb5_kt_ops krb5_kta_ops = {
+ 0,
+ "ANY", /* Prefix -- this string should not appear anywhere else! */
+ krb5_ktany_resolve,
+ krb5_ktany_get_name,
+ krb5_ktany_close,
+ krb5_ktany_get_entry,
+ krb5_ktany_start_seq_get,
+ krb5_ktany_next_entry,
+ krb5_ktany_end_seq_get,
+ 0,
+ 0,
+ 0
+};
+
+static krb5_error_code
+krb5_ktany_resolve(context, name, id)
+ krb5_context context;
+ const char *name;
+ krb5_keytab *id;
+{
+ const char *p, *q;
+ char *copy;
+ krb5_error_code kerror;
+ krb5_ktany_data *data;
+ int i;
+
+ /* Allocate space for our data and remember a copy of the name. */
+ if ((data = (krb5_ktany_data *)malloc(sizeof(krb5_ktany_data))) == NULL)
+ return(ENOMEM);
+ if ((data->name = (char *)malloc(strlen(name) + 1)) == NULL) {
+ krb5_xfree(data);
+ return(ENOMEM);
+ }
+ strcpy(data->name, name);
+
+ /* Count the number of choices and allocate memory for them. */
+ data->nchoices = 1;
+ for (p = name; (q = strchr(p, ',')) != NULL; p = q + 1)
+ data->nchoices++;
+ if ((data->choices = (krb5_keytab *)
+ malloc(data->nchoices * sizeof(krb5_keytab))) == NULL) {
+ krb5_xfree(data->name);
+ krb5_xfree(data);
+ return(ENOMEM);
+ }
+
+ /* Resolve each of the choices. */
+ i = 0;
+ for (p = name; (q = strchr(p, ',')) != NULL; p = q + 1) {
+ /* Make a copy of the choice name so we can terminate it. */
+ if ((copy = (char *)malloc(q - p + 1)) == NULL) {
+ cleanup(context, data, i);
+ return(ENOMEM);
+ }
+ memcpy(copy, p, q - p);
+ copy[q - p] = 0;
+
+ /* Try resolving the choice name. */
+ kerror = krb5_kt_resolve(context, copy, &data->choices[i]);
+ krb5_xfree(copy);
+ if (kerror) {
+ cleanup(context, data, i);
+ return(kerror);
+ }
+ i++;
+ }
+ if ((kerror = krb5_kt_resolve(context, p, &data->choices[i]))) {
+ cleanup(context, data, i);
+ return(kerror);
+ }
+
+ /* Allocate and fill in an ID for the caller. */
+ if ((*id = (krb5_keytab)malloc(sizeof(**id))) == NULL) {
+ cleanup(context, data, i);
+ return(ENOMEM);
+ }
+ (*id)->ops = &krb5_kta_ops;
+ (*id)->data = (krb5_pointer)data;
+ (*id)->magic = KV5M_KEYTAB;
+
+ return(0);
+}
+
+static krb5_error_code
+krb5_ktany_get_name(context, id, name, len)
+ krb5_context context;
+ krb5_keytab id;
+ char *name;
+ unsigned int len;
+{
+ krb5_ktany_data *data = (krb5_ktany_data *)id->data;
+
+ if (len < strlen(data->name) + 1)
+ return(KRB5_KT_NAME_TOOLONG);
+ strcpy(name, data->name);
+ return(0);
+}
+
+static krb5_error_code
+krb5_ktany_close(context, id)
+ krb5_context context;
+ krb5_keytab id;
+{
+ krb5_ktany_data *data = (krb5_ktany_data *)id->data;
+
+ cleanup(context, data, data->nchoices);
+ id->ops = 0;
+ krb5_xfree(id);
+ return(0);
+}
+
+static krb5_error_code
+krb5_ktany_get_entry(context, id, principal, kvno, enctype, entry)
+ krb5_context context;
+ krb5_keytab id;
+ krb5_const_principal principal;
+ krb5_kvno kvno;
+ krb5_enctype enctype;
+ krb5_keytab_entry *entry;
+{
+ krb5_ktany_data *data = (krb5_ktany_data *)id->data;
+ krb5_error_code kerror = KRB5_KT_NOTFOUND;
+ int i;
+
+ for (i = 0; i < data->nchoices; i++) {
+ if ((kerror = krb5_kt_get_entry(context, data->choices[i], principal,
+ kvno, enctype, entry)) != ENOENT)
+ return kerror;
+ }
+ return kerror;
+}
+
+static krb5_error_code
+krb5_ktany_start_seq_get(context, id, cursorp)
+ krb5_context context;
+ krb5_keytab id;
+ krb5_kt_cursor *cursorp;
+{
+ krb5_ktany_data *data = (krb5_ktany_data *)id->data;
+ krb5_ktany_cursor_data *cdata;
+ krb5_error_code kerror = ENOENT;
+ int i;
+
+ if ((cdata = (krb5_ktany_cursor_data *)
+ malloc(sizeof(krb5_ktany_cursor_data))) == NULL)
+ return(ENOMEM);
+
+ /* Find a choice which can handle the serialization request. */
+ for (i = 0; i < data->nchoices; i++) {
+ if ((kerror = krb5_kt_start_seq_get(context, data->choices[i],
+ &cdata->cursor)) == 0)
+ break;
+ else if (kerror != ENOENT) {
+ krb5_xfree(cdata);
+ return(kerror);
+ }
+ }
+
+ if (i == data->nchoices) {
+ /* Everyone returned ENOENT, so no go. */
+ krb5_xfree(cdata);
+ return(kerror);
+ }
+
+ cdata->which = i;
+ *cursorp = (krb5_kt_cursor)cdata;
+ return(0);
+}
+
+static krb5_error_code
+krb5_ktany_next_entry(context, id, entry, cursor)
+ krb5_context context;
+ krb5_keytab id;
+ krb5_keytab_entry *entry;
+ krb5_kt_cursor *cursor;
+{
+ krb5_ktany_data *data = (krb5_ktany_data *)id->data;
+ krb5_ktany_cursor_data *cdata = (krb5_ktany_cursor_data *)*cursor;
+ krb5_keytab choice_id;
+
+ choice_id = data->choices[cdata->which];
+ return(krb5_kt_next_entry(context, choice_id, entry, &cdata->cursor));
+}
+
+static krb5_error_code
+krb5_ktany_end_seq_get(context, id, cursor)
+ krb5_context context;
+ krb5_keytab id;
+ krb5_kt_cursor *cursor;
+{
+ krb5_ktany_data *data = (krb5_ktany_data *)id->data;
+ krb5_ktany_cursor_data *cdata = (krb5_ktany_cursor_data *)*cursor;
+ krb5_keytab choice_id;
+ krb5_error_code kerror;
+
+ choice_id = data->choices[cdata->which];
+ kerror = krb5_kt_end_seq_get(context, choice_id, &cdata->cursor);
+ krb5_xfree(cdata);
+ return(kerror);
+}
+
+static void
+cleanup(context, data, nchoices)
+ krb5_context context;
+ krb5_ktany_data *data;
+ int nchoices;
+{
+ int i;
+
+ krb5_xfree(data->name);
+ for (i = 0; i < nchoices; i++)
+ krb5_kt_close(context, data->choices[i]);
+ krb5_xfree(data->choices);
+ krb5_xfree(data);
+}
--- krb5-1.4/src/lib/krb5/keytab/Makefile.in.ktany 2004-05-27 23:44:32.000000000 -0400
+++ krb5-1.4/src/lib/krb5/keytab/Makefile.in 2005-02-18 10:38:09.000000000 -0500
@@ -14,6 +14,7 @@
ktfr_entry.o \
ktremove.o \
ktfns.o \
+ kt_any.o \
kt_file.o \
kt_srvtab.o \
read_servi.o
@@ -25,6 +26,7 @@
$(OUTPRE)ktfr_entry.$(OBJEXT) \
$(OUTPRE)ktremove.$(OBJEXT) \
$(OUTPRE)ktfns.$(OBJEXT) \
+ $(OUTPRE)kt_any.$(OBJEXT) \
$(OUTPRE)kt_file.$(OBJEXT) \
$(OUTPRE)kt_srvtab.$(OBJEXT) \
$(OUTPRE)read_servi.$(OBJEXT)
@@ -36,6 +38,7 @@
$(srcdir)/ktfr_entry.c \
$(srcdir)/ktremove.c \
$(srcdir)/ktfns.c \
+ $(srcdir)/kt_any.c \
$(srcdir)/kt_file.c \
$(srcdir)/kt_srvtab.c \
$(srcdir)/read_servi.c

30
krb5-1.4.1-api.patch
View File

@ -1,30 +0,0 @@
Reference docs don't define what happens if you call krb5_realm_compare() with
malformed krb5_principal structures. Define a behavior which keeps it from
crashing if applications don't check ahead of time.
--- krb5-1.4.1/src/lib/krb5/krb/princ_comp.c 2002-09-02 21:13:46.000000000 -0400
+++ krb5-1.4.1/src/lib/krb5/krb/princ_comp.c 2005-06-29 13:56:55.000000000 -0400
@@ -33,6 +33,13 @@
krb5_boolean KRB5_CALLCONV
krb5_realm_compare(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2)
{
+ if ((princ1 == NULL) || (princ2 == NULL))
+ return FALSE;
+
+ if ((krb5_princ_realm(context, princ1) == NULL) ||
+ (krb5_princ_realm(context, princ2) == NULL))
+ return FALSE;
+
if (krb5_princ_realm(context, princ1)->length !=
krb5_princ_realm(context, princ2)->length ||
memcmp (krb5_princ_realm(context, princ1)->data,
@@ -49,6 +56,9 @@
register int i;
krb5_int32 nelem;
+ if ((princ1 == NULL) || (princ2 == NULL))
+ return FALSE;
+
nelem = krb5_princ_size(context, princ1);
if (nelem != krb5_princ_size(context, princ2))
return FALSE;

30
krb5-1.4.2-max_dgram_size.patch
View File

@ -1,30 +0,0 @@
--- krb5-1.4.2/src/lib/krb5/os/osconfig.c 2000-10-17 19:01:32.000000000 -0400
+++ krb5-1.4.2/src/lib/krb5/os/osconfig.c 2005-09-14 19:35:31.000000000 -0400
@@ -36,7 +36,7 @@
char *krb5_defkeyname = DEFAULT_KEYTAB_NAME;
-unsigned int krb5_max_dgram_size = MAX_DGRAM_SIZE;
+unsigned int krb5_max_dgram_size = -1;
unsigned int krb5_max_skdc_timeout = MAX_SKDC_TIMEOUT;
unsigned int krb5_skdc_timeout_shift = SKDC_TIMEOUT_SHIFT;
unsigned int krb5_skdc_timeout_1 = SKDC_TIMEOUT_1;
--- krb5-1.4.2/src/lib/krb5/os/sendto_kdc.c 2005-07-20 18:52:33.000000000 -0400
+++ krb5-1.4.2/src/lib/krb5/os/sendto_kdc.c 2005-09-14 19:35:31.000000000 -0400
@@ -1043,6 +1043,16 @@
dprint("krb5int_sendto(message=%d@%p)\n", message->length, message->data);
+ if (krb5_max_dgram_size < 0) {
+ int tmp;
+ tmp = profile_get_integer(context->profile,
+ "libdefaults", "max_dgram_size", NULL,
+ MAX_DGRAM_SIZE, &krb5_max_dgram_size);
+ if ((tmp != 0) || (krb5_max_dgram_size < 0)) {
+ krb5_max_dgram_size = MAX_DGRAM_SIZE;
+ }
+ }
+
reply->data = 0;
reply->length = 0;

30
krb5-1.4.3-enospc.patch
View File

@ -1,30 +0,0 @@
If the error message is going to be ambiguous, try to give the user some clue
by returning the last error reported by the OS.
--- krb5-1.4.3/src/clients/kinit/kinit.c 2006-02-06 13:50:06.000000000 -0500
+++ krb5-1.4.3/src/clients/kinit/kinit.c 2006-02-06 13:49:41.000000000 -0500
@@ -34,6 +34,7 @@
#else
#undef HAVE_KRB524
#endif
+#include <errno.h>
#include <string.h>
#include <stdio.h>
#include <time.h>
@@ -846,8 +847,14 @@
code = krb5_cc_initialize(k5->ctx, k5->cc, k5->me);
if (code) {
- com_err(progname, code, "when initializing cache %s",
- opts->k5_cache_name?opts->k5_cache_name:"");
+ if ((code == KRB5_CC_IO) && (errno != 0)) {
+ com_err(progname, code, "when initializing cache %s: %s",
+ opts->k5_cache_name?opts->k5_cache_name:"",
+ strerror(errno));
+ } else {
+ com_err(progname, code, "when initializing cache %s",
+ opts->k5_cache_name?opts->k5_cache_name:"");
+ }
goto cleanup;
}

40
krb5-1.5-fclose.patch
View File

@ -1,40 +0,0 @@
Ensure that we don't accidentally attempt to use or fclose() a file which we
have already fclose()d.
--- krb5-1.5/src/lib/krb5/keytab/kt_file.c 2006-06-13 10:14:27.000000000 -0400
+++ krb5-1.5/src/lib/krb5/keytab/kt_file.c 2006-07-05 14:55:11.000000000 -0400
@@ -1083,29 +1083,32 @@
if (writevno) {
kt_vno = htons(krb5_kt_default_vno);
KTVERSION(id) = krb5_kt_default_vno;
if (!xfwrite(&kt_vno, sizeof(kt_vno), 1, KTFILEP(id))) {
- kerror = errno;
+ kerror = errno ? errno : EIO;
(void) krb5_unlock_file(context, fileno(KTFILEP(id)));
(void) fclose(KTFILEP(id));
+ KTFILEP(id) = 0;
return kerror;
}
} else {
/* gotta verify it instead... */
if (!xfread(&kt_vno, sizeof(kt_vno), 1, KTFILEP(id))) {
if (feof(KTFILEP(id)))
kerror = KRB5_KEYTAB_BADVNO;
else
- kerror = errno;
+ kerror = errno ? errno : EIO;
(void) krb5_unlock_file(context, fileno(KTFILEP(id)));
(void) fclose(KTFILEP(id));
+ KTFILEP(id) = 0;
return kerror;
}
kt_vno = KTVERSION(id) = ntohs(kt_vno);
if ((kt_vno != KRB5_KT_VNO) &&
(kt_vno != KRB5_KT_VNO_1)) {
(void) krb5_unlock_file(context, fileno(KTFILEP(id)));
(void) fclose(KTFILEP(id));
+ KTFILEP(id) = 0;
return KRB5_KEYTAB_BADVNO;
}
}
return 0;

251
krb5-1.5-io.patch
View File

@ -1,251 +0,0 @@
We can get stuck if a write is going to block because both ends are writing and
neither end is reading. This is a port of a patch which aims to solve that
problem, but for now it's incomplete because we don't handle partial writes. A
proper non-blocking implementation would require a bit more work.
diff -ur krb5-1.5/src/appl/bsd/defines.h krb5-1.5/src/appl/bsd/defines.h
--- krb5-1.5/src/appl/bsd/defines.h 2003-01-01 05:13:20.000000000 -0500
+++ krb5-1.5/src/appl/bsd/defines.h 2006-07-21 15:11:44.000000000 -0400
@@ -34,6 +34,7 @@
enum kcmd_proto *protonum /* input and output */
);
+extern int rcmd_stream_has_unsent_data (void);
extern int rcmd_stream_read (int fd, char *buf, size_t len, int secondary);
extern int rcmd_stream_write (int fd, char *buf, size_t len, int secondary);
extern int getport (int * /* portnum */, int * /* addrfamily */);
diff -ur krb5-1.5/src/appl/bsd/kcmd.c krb5-1.5/src/appl/bsd/kcmd.c
--- krb5-1.5/src/appl/bsd/kcmd.c 2004-10-01 18:08:14.000000000 -0400
+++ krb5-1.5/src/appl/bsd/kcmd.c 2006-07-21 15:11:44.000000000 -0400
@@ -839,6 +839,11 @@
output = twrite;
}
+int rcmd_stream_has_unsent_data (void)
+{
+ return (nstored > 0);
+}
+
void rcmd_stream_init_krb5(in_keyblock, encrypt_flag, lencheck, am_client,
protonum)
krb5_keyblock *in_keyblock;
@@ -1019,7 +1024,8 @@
cc = krb5_net_read(bsd_context, fd, &c, 1);
/* we should check for non-blocking here, but we'd have
to make it save partial reads as well. */
- if (cc <= 0) return cc; /* read error */
+ if (cc == 0) return nreturned; /* EOF */
+ if (cc < 0) return cc; /* read error */
if (cc == 1) {
if (c == 0 || !do_lencheck) break;
}
diff -ur krb5-1.5/src/appl/bsd/krsh.c krb5-1.5/src/appl/bsd/krsh.c
--- krb5-1.5/src/appl/bsd/krsh.c 2006-07-21 16:05:57.000000000 -0400
+++ krb5-1.5/src/appl/bsd/krsh.c 2006-07-21 15:19:05.000000000 -0400
@@ -128,10 +128,11 @@
char **argv0;
{
int rem, pid = 0;
- char *host=0, *cp, **ap, buf[RCMD_BUFSIZ], *args, **argv = argv0, *user = 0;
+ char *host=0, *cp, **ap, buf[PIPE_BUF], *args, **argv = argv0, *user = 0;
register int cc;
struct passwd *pwd;
fd_set readfrom, ready;
+ fd_set writeto, ready_wr;
int one = 1;
struct servent *sp;
struct servent defaultservent;
@@ -548,9 +549,14 @@
FD_ZERO(&readfrom);
FD_SET(rfd2, &readfrom);
FD_SET(rem, &readfrom);
+ FD_ZERO(&writeto);
do {
+ int max_fd;
+ max_fd = (rfd2 > rem) ? rfd2 : rem;
+ max_fd = (max_fd > 2) ? max_fd : 2;
ready = readfrom;
- if (select(((rfd2 > rem) ? rfd2 : rem) + 1, &ready, 0, 0, 0) < 0) {
+ ready_wr = writeto;
+ if (select(max_fd + 1, &ready, &ready_wr, 0, 0) < 0) {
if (errno != EINTR) {
perror("select");
exit(1);
@@ -558,22 +564,38 @@
continue;
}
if (FD_ISSET(rfd2, &ready)) {
- errno = 0;
- cc = rcmd_stream_read(rfd2, buf, sizeof buf, 1);
- if (cc <= 0) {
- if ((errno != EWOULDBLOCK) && (errno != EAGAIN))
- FD_CLR(rfd2, &readfrom);
- } else
- (void) write(2, buf, (unsigned) cc);
+ FD_SET(2, &writeto);
+ }
+ if (FD_ISSET(2, &ready_wr)) {
+ do {
+ errno = 0;
+ cc = rcmd_stream_read(rfd2, buf, sizeof buf, 1);
+ if (cc <= 0) {
+ if ((errno != EWOULDBLOCK) && (errno != EAGAIN)) {
+ FD_CLR(rfd2, &readfrom);
+ break;
+ }
+ } else
+ (void) write(2, buf, (unsigned) cc);
+ } while (rcmd_stream_has_unsent_data());
+ FD_CLR(2, &writeto);
}
if (FD_ISSET(rem, &ready)) {
- errno = 0;
- cc = rcmd_stream_read(rem, buf, sizeof buf, 0);
- if (cc <= 0) {
- if ((errno != EWOULDBLOCK) && (errno != EAGAIN))
- FD_CLR(rem, &readfrom);
- } else
- (void) write(1, buf, (unsigned) cc);
+ FD_SET(1, &writeto);
+ }
+ if (FD_ISSET(1, &ready_wr)) {
+ do {
+ errno = 0;
+ cc = rcmd_stream_read(rem, buf, sizeof buf, 0);
+ if (cc <= 0) {
+ if ((errno != EWOULDBLOCK) && (errno != EAGAIN)) {
+ FD_CLR(rem, &readfrom);
+ break;
+ }
+ } else
+ (void) write(1, buf, (unsigned) cc);
+ } while (rcmd_stream_has_unsent_data());
+ FD_CLR(1, &writeto);
}
} while (FD_ISSET(rem, &readfrom) || FD_ISSET(rfd2, &readfrom));
if (nflag == 0)
diff -ur krb5-1.5/src/appl/bsd/krshd.c krb5-1.5/src/appl/bsd/krshd.c
--- krb5-1.5/src/appl/bsd/krshd.c 2006-06-20 00:06:52.000000000 -0400
+++ krb5-1.5/src/appl/bsd/krshd.c 2006-07-21 16:02:12.000000000 -0400
@@ -633,7 +633,8 @@
short port;
int pv[2], pw[2], px[2], cc;
fd_set ready, readfrom;
- char buf[RCMD_BUFSIZ], sig;
+ fd_set ready_wr, writeto;
+ char buf[PIPE_BUF], sig;
struct sockaddr_storage localaddr;
#ifdef POSIX_SIGNALS
struct sigaction sa;
@@ -1261,6 +1262,10 @@
if (pw[0] > maxfd)
maxfd = pw[0];
+ if (px[1] > maxfd)
+ maxfd = px[1];
+ FD_ZERO(&writeto);
+
/* read from f, write to px[1] -- child stdin */
/* read from s, signal child */
/* read from pv[0], write to s -- child stderr */
@@ -1268,36 +1273,47 @@
do {
ready = readfrom;
- if (select(maxfd + 1, &ready, (fd_set *)0,
+ ready_wr = writeto;
+ if (select(maxfd + 1, &ready, &ready_wr,
(fd_set *)0, (struct timeval *)0) < 0) {
if (errno == EINTR) {
continue;
} else {
break;
- }
+ }
}
if (port&&FD_ISSET(pv[0], &ready)) {
+ FD_SET(s, &writeto);
+ FD_CLR(pv[0], &readfrom);
+ }
+ if (port&&FD_ISSET(s, &ready_wr)) {
/* read from the child stderr, write to the net */
errno = 0;
cc = read(pv[0], buf, sizeof (buf));
- if (cc <= 0) {
+ if ((cc <= 0) ||
+ (rcmd_stream_write(s, buf, (unsigned) cc, 1) != cc)) {
shutdown(s, 1+1);
- FD_CLR(pv[0], &readfrom);
} else {
- (void) rcmd_stream_write(s, buf, (unsigned) cc, 1);
+ FD_SET(pv[0], &readfrom);
}
+ FD_CLR(s, &writeto);
}
if (FD_ISSET(pw[0], &ready)) {
+ FD_SET(f, &writeto);
+ FD_CLR(pw[0], &readfrom);
+ }
+ if (FD_ISSET(f, &ready_wr)) {
/* read from the child stdout, write to the net */
errno = 0;
cc = read(pw[0], buf, sizeof (buf));
- if (cc <= 0) {
+ if ((cc <= 0) ||
+ (rcmd_stream_write(f, buf, (unsigned) cc, 0) != cc)) {
shutdown(f, 1+1);
- FD_CLR(pw[0], &readfrom);
} else {
- (void) rcmd_stream_write(f, buf, (unsigned) cc, 0);
+ FD_SET(pw[0], &readfrom);
}
+ FD_CLR(f, &writeto);
}
if (port&&FD_ISSET(s, &ready)) {
/* read from the alternate channel, signal the child */
@@ -1315,12 +1331,15 @@
}
}
if (FD_ISSET(f, &ready)) {
+ FD_SET(px[1], &writeto);
+ FD_CLR(f, &readfrom);
+ }
+ if (FD_ISSET(px[1], &ready_wr)) {
/* read from the net, write to child stdin */
errno = 0;
cc = rcmd_stream_read(f, buf, sizeof(buf), 0);
if (cc <= 0) {
(void) close(px[1]);
- FD_CLR(f, &readfrom);
} else {
int wcc;
wcc = write(px[1], buf, (unsigned) cc);
@@ -1328,17 +1347,22 @@
/* pipe closed, don't read any more */
/* might check for EPIPE */
(void) close(px[1]);
- FD_CLR(f, &readfrom);
- } else if (wcc != cc) {
- syslog(LOG_INFO, "only wrote %d/%d to child",
- wcc, cc);
+ } else {
+ if (wcc != cc)
+ syslog(LOG_INFO, "only wrote %d/%d to child",
+ wcc, cc);
+ FD_SET(f, &readfrom);
}
}
+ FD_CLR(px[1], &writeto);
}
} while ((port&&FD_ISSET(s, &readfrom)) ||
FD_ISSET(f, &readfrom) ||
(port&&FD_ISSET(pv[0], &readfrom) )||
- FD_ISSET(pw[0], &readfrom));
+ FD_ISSET(pw[0], &readfrom) ||
+ (port&&FD_ISSET(s, &writeto)) ||
+ FD_ISSET(f, &writeto) ||
+ FD_ISSET(px[1], &writeto));
ignore_signals();
#ifdef KERBEROS
syslog(LOG_INFO ,

46
krb5-1.5-kt_default_name.patch
View File

@ -1,46 +0,0 @@
--- krb5-1.5/src/kadmin/cli/kadmin.c.kt_default_name 2006-10-18 14:13:18.000000000 -0400
+++ krb5-1.5/src/kadmin/cli/kadmin.c 2006-10-18 14:13:35.000000000 -0400
@@ -533,15 +533,6 @@
exit(1);
}
- /* register the WRFILE keytab type and set it as the default */
- {
-#define DEFAULT_KEYTAB "WRFILE:/etc/krb5.keytab"
- /* XXX krb5_defkeyname is an internal library global and
- should go away */
- extern char *krb5_defkeyname;
- krb5_defkeyname = DEFAULT_KEYTAB;
- }
-
return query;
}
--- krb5-1.5/src/kadmin/cli/keytab.c.kt_default_name 2006-10-18 14:07:36.000000000 -0400
+++ krb5-1.5/src/kadmin/cli/keytab.c 2006-10-18 14:51:21.000000000 -0400
@@ -69,15 +69,20 @@
krb5_keytab *keytab)
{
int code;
+ char filename[FILENAME_MAX];
if (*keytab_str == NULL) {
- /* XXX krb5_defkeyname is an internal library global and
- should go away */
- if (! (*keytab_str = strdup(krb5_defkeyname))) {
- com_err(whoami, ENOMEM, "while creating keytab name");
+ code = krb5_kt_default_name(my_context, filename, sizeof(filename));
+ if (code != 0) {
+ com_err(whoami, code, "while determining default keytab name");
+ return 1;
+ }
+ *keytab_str = strdup(filename);
+ if (*keytab_str == NULL) {
+ com_err(whoami, ENOMEM, "while creating default keytab name");
return 1;
}
- code = krb5_kt_default(my_context, keytab);
+ code = krb5_kt_resolve(my_context, *keytab_str, keytab);
if (code != 0) {
com_err(whoami, code, "while opening default keytab");
free(*keytab_str);

4175
krb5-1.5.1-1.6-pal.patch
View File

File diff suppressed because it is too large Load Diff

50
krb5-1.6-buildconf.patch
View File

@ -1,50 +0,0 @@
Don't let an RPATH into any of the binaries we build here. While we're
tinkering with linker flags, prune out the -L/usr/lib* and PIE flags where
they might leak out and affect apps which use the libraries.
--- krb5-1.5/src/aclocal.m4 2006-05-24 06:29:25.000000000 -0400
+++ krb5-1.5/src/aclocal.m4 2006-07-05 14:31:04.000000000 -0400
@@ -1184,6 +1184,7 @@
[AC_REQUIRE([KRB5_LIB_AUX])dnl
AC_REQUIRE([KRB5_AC_NEED_LIBGEN])dnl
AC_SUBST(CC_LINK)
+RPATH_FLAG=
AC_SUBST(RPATH_FLAG)
AC_SUBST(DEPLIBEXT)])
--- krb5-1.5/src/krb5-config.in 2006-06-15 20:26:49.000000000 -0400
+++ krb5-1.5/src/krb5-config.in 2006-07-05 14:31:04.000000000 -0400
@@ -186,6 +186,11 @@
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
-e 's#\$(CFLAGS)#'"$CFLAGS"'#'`
+ if test `dirname $libdir` = /usr ; then
+ lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
+ fi
+ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##" -e "s#-pie##"`
+
if test $library = 'kdb'; then
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
library=krb5
--- krb5-1.5/src/config/shlib.conf 2006-06-16 01:53:34.000000000 -0400
+++ krb5-1.5/src/config/shlib.conf 2006-07-05 14:31:04.000000000 -0400
@@ -371,14 +371,15 @@
# Use objdump -x to examine the fields of the library
LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(LDFLAGS)'
#
- LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(SRCTOP)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@'
+ LDCOMBINE_TAIL='-Wl,--version-script binutils.versions -Wl,-E && $(PERL) -w $(SRCTOP)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@'
SHLIB_EXPORT_FILE_DEP=binutils.versions
# For cases where we do have dependencies on other libraries
# built in this tree...
- SHLIB_EXPFLAGS='-Wl,-R$(SHLIB_RDIRS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
+ SHLIB_EXPFLAGS='$(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
PROFFLAGS=-pg
- RPATH_FLAG='-Wl,-rpath -Wl,'
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CFLAGS) $(LDFLAGS)'
+ RPATH_FLAG='-L'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(CFLAGS) -pie $(LDFLAGS)'
+ INSTALL_SHLIB='${INSTALL} -m755'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
RUN_ENV='LD_LIBRARY_PATH=`echo $(PROG_LIBPATH) | sed -e "s/-L//g" -e "s/ /:/g"`; export LD_LIBRARY_PATH; '

14
krb5-1.6-ldap-init.patch
View File

@ -1,14 +0,0 @@
Index: src/lib/krb5/asn.1/ldap_key_seq.c
===================================================================
--- src/lib/krb5/asn.1/ldap_key_seq.c (revision 19509)
+++ src/lib/krb5/asn.1/ldap_key_seq.c (working copy)
@@ -341,7 +341,8 @@
if (asn1buf_remains(&slt, 0) != 0) { /* Salt value is optional */
ret = decode_tagged_octetstring (&slt, 1, &keylen,
&key->key_data_contents[1]); checkerr;
- }
+ } else
+ keylen = 0;
safe_syncbuf (&subbuf, &slt);
key->key_data_length[1] = keylen; /* XXX range check?? */

22
krb5-1.6-ldap-man.patch
View File

@ -1,22 +0,0 @@
Index: src/config-files/krb5.conf.M
===================================================================
--- src/config-files/krb5.conf.M (revision 19507)
+++ src/config-files/krb5.conf.M (working copy)
@@ -600,7 +600,7 @@
objects used for starting the Kerberos servers. This value is used if no
service password file is mentioned in the configuration section under dbmodules.
-.IP ldap_server
+.IP ldap_servers
This LDAP specific tag indicates the list of LDAP servers. The list of LDAP servers
is whitespace-separated. The LDAP server is specified by a LDAP URI.
This value is used if no LDAP servers are mentioned in the configuration
@@ -641,7 +641,7 @@
This LDAP specific tag indicates the file containing the stashed passwords for the
objects used for starting the Kerberos servers.
-.IP ldap_server
+.IP ldap_servers
This LDAP specific tag indicates the list of LDAP servers. The list of LDAP servers
is whitespace-separated. The LDAP server is specified by a LDAP URI.

15
krb5-1.6-nodeplibs.patch
View File

@ -1,15 +0,0 @@
Omit extra libraries because their interfaces aren't exposed to applications
by libkrb5. Discussion on krbdev suggests that this will be controlled one
way or another by the --deps flag in future upstream releases.
--- krb5-1.6/src/krb5-config.in.extralibs 2007-05-15 15:00:15.000000000 -0500
+++ krb5-1.6/src/krb5-config.in 2007-05-15 15:07:04.000000000 -0500
@@ -222,7 +222,7 @@
fi
if test $library = 'krb5'; then
- lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
+ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err"
fi
echo $lib_flags

92
krb5-1.6-sort-of-static.patch
View File

@ -1,92 +0,0 @@
Allow static libraries to be built. Force plugins to only be built as
shared objects. This doesn't *really* fix static linking, but it should
parallel glibc and its nsswitch modules -- applications can pull in
static copies of this library, but they'll still try to use any
available plugins. The current set of plugin interfaces include KDC
location (used by clients), preauthentication plugins (used by clients
and KDCs), and KDB plugins (used by KDCs).
N.B. This is only a stop-gap for systems which used to include krb5 1.5
(which we packaged with static libraries enabled) and are now being
upgraded to 1.6, and I expect to stop bothering for future releases.
--- krb5-1.6/src/plugins/kdb/db2/configure.in 2005-10-27 05:38:05.000000000 -0400
+++ krb5-1.6/src/plugins/kdb/db2/configure.in 2007-02-28 14:51:14.000000000 -0500
@@ -1,5 +1,6 @@
K5_AC_INIT(configure.in)
enable_shared=yes
+enable_static=no
build_dynobj=yes
CONFIG_RULES
AC_CHECK_HEADERS(unistd.h)
--- krb5-1.6/src/plugins/kdb/db2/libdb2/configure.in 2006-04-24 20:29:56.000000000 -0400
+++ krb5-1.6/src/plugins/kdb/db2/libdb2/configure.in 2007-02-28 14:51:14.000000000 -0500
@@ -1,5 +1,7 @@
K5_AC_INIT(db/db.c)
AC_CONFIG_HEADER(include/config.h include/db-config.h)
+enable_shared=yes
+enable_static=no
build_dynobj=yes
CONFIG_RULES
--- krb5-1.6/src/plugins/kdb/ldap/libkdb_ldap/configure.in 2006-08-31 17:17:34.000000000 -0400
+++ krb5-1.6/src/plugins/kdb/ldap/libkdb_ldap/configure.in 2007-02-28 14:51:14.000000000 -0500
@@ -1,4 +1,7 @@
K5_AC_INIT(configure.in)
+enable_shared=yes
+enable_static=no
+build_dynobj=yes
CONFIG_RULES
AC_CHECK_HEADERS(unistd.h)
AC_TYPE_MODE_T
--- krb5-1.6/src/plugins/locate/python/configure.in 2006-01-10 19:36:36.000000000 -0500
+++ krb5-1.6/src/plugins/locate/python/configure.in 2007-02-28 14:51:14.000000000 -0500
@@ -1,5 +1,6 @@
K5_AC_INIT(configure.in)
enable_shared=yes
+enable_static=no
build_dynobj=yes
CONFIG_RULES
AC_CHECK_HEADERS(Python.h python2.3/Python.h)
--- krb5-1.6/src/plugins/preauth/wpse/configure.in 2006-10-03 15:07:17.000000000 -0400
+++ krb5-1.6/src/plugins/preauth/wpse/configure.in 2007-02-28 14:51:14.000000000 -0500
@@ -1,5 +1,6 @@
K5_AC_INIT(configure.in)
enable_shared=yes
+enable_static=no
build_dynobj=yes
CONFIG_RULES
--- krb5-1.6/src/plugins/preauth/cksum_body/configure.in 2006-10-03 15:07:17.000000000 -0400
+++ krb5-1.6/src/plugins/preauth/cksum_body/configure.in 2007-02-28 14:51:14.000000000 -0500
@@ -1,5 +1,6 @@
K5_AC_INIT(configure.in)
enable_shared=yes
+enable_static=no
build_dynobj=yes
CONFIG_RULES
--- krb5-1.6/src/aclocal.m4 2006-10-02 18:50:10.000000000 -0400
+++ krb5-1.6/src/aclocal.m4 2007-02-28 14:51:14.000000000 -0500
@@ -1226,10 +1226,6 @@
AC_ARG_ENABLE([static],, ,
[enable_static=$default_static])
-if test "$enable_static" = yes; then
- AC_MSG_ERROR([Sorry, static libraries do not work in this release.])
-fi
-
if test "$enable_static" = no && test "$krb5_force_static" != yes; then
AC_MSG_NOTICE([disabling static libraries])
LIBLINKS=
@@ -1254,10 +1250,6 @@
, ,
[enable_shared=$default_shared])
-if test "$enable_shared" != yes; then
- AC_MSG_ERROR([Sorry, this release builds only shared libraries, cannot disable them.])
-fi
-
if test "$enable_shared" = yes; then
case "$SHLIBEXT" in
.so-nobuild)

1241
krb5-1.6.1-pam.patch
View File

File diff suppressed because it is too large Load Diff

68
krb5-1.6.2-dirsrv-accountlock.patch
View File

@ -1,68 +0,0 @@
Treat 'nsAccountLock: true' the same as 'loginDisabled: true'. RT#5891.
diff -ur krb5-1.6.2.orig/src/aclocal.m4 krb5-1.6.2/src/aclocal.m4
--- krb5-1.6.2.orig/src/aclocal.m4 2007-11-20 11:39:51.000000000 -0500
+++ krb5-1.6.2/src/aclocal.m4 2007-11-20 12:09:56.000000000 -0500
@@ -1798,6 +1798,12 @@
yes | no) ;;
*) AC_MSG_ERROR(Invalid option value --with-edirectory="$withval") ;;
esac], with_edirectory=no)dnl
+AC_ARG_WITH([dirsrv],
+[ --with-dirsrv compile Red Hat/Fedora/Netscape Directory Server database backend module],
+[case "$withval" in
+ yes | no) ;;
+ *) AC_MSG_ERROR(Invalid option value --with-dirsrv="$withval") ;;
+esac], with_dirsrv=no)dnl
if test $with_ldap = yes; then
if test $with_edirectory = yes; then
@@ -1809,6 +1815,10 @@
AC_MSG_NOTICE(enabling eDirectory database backend module support)
OPENLDAP_PLUGIN=yes
AC_DEFINE(HAVE_EDIRECTORY,1,[Define if LDAP KDB interface should assume eDirectory.])
+elif test $with_dirsrv = yes; then
+ AC_MSG_NOTICE(enabling Red Hat/Fedora/Netscape Directory Server database backend module support)
+ OPENLDAP_PLUGIN=yes
+ AC_DEFINE(HAVE_DIRSRV,1,[Define if LDAP KDB interface should assume RHDS/FDS/NDS.])
else
: # neither enabled
dnl AC_MSG_NOTICE(disabling ldap backend module support)
diff -ur krb5-1.6.2.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c krb5-1.6.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
--- krb5-1.6.2.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 2006-12-21 23:28:09.000000000 -0500
+++ krb5-1.6.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 2007-11-20 12:04:10.000000000 -0500
@@ -2141,6 +2141,22 @@
}
}
#endif
+#ifdef HAVE_DIRSRV
+ {
+ krb5_timestamp expiretime=0;
+ char *is_login_disabled=NULL;
+
+ /* LOGIN DISABLED */
+ if ((st=krb5_ldap_get_string(ld, ent, "nsaccountlock", &is_login_disabled,
+ &attr_present)) != 0)
+ goto cleanup;
+ if (attr_present == TRUE) {
+ if (strcasecmp(is_login_disabled, "TRUE")== 0)
+ entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX;
+ free (is_login_disabled);
+ }
+ }
+#endif
if ((st=krb5_read_tkt_policy (context, ldap_context, entry, tktpolname)) !=0)
goto cleanup;
diff -ur krb5-1.6.2.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c krb5-1.6.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c
--- krb5-1.6.2.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2007-01-03 19:27:26.000000000 -0500
+++ krb5-1.6.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2007-11-20 12:00:27.000000000 -0500
@@ -57,6 +57,9 @@
"loginexpirationtime",
"logindisabled",
#endif
+#ifdef HAVE_DIRSRV
+ "nsaccountlock",
+#endif
"loginexpirationtime",
"logindisabled",
"modifytimestamp",

13
krb5-1.6.3-lucid-acceptor.patch
View File

@ -1,13 +0,0 @@
From Kevin Coffman, via the nfs4 mailing list.
diff -up src/lib/gssapi/krb5/lucid_context.c ./src/lib/gssapi/krb5/lucid_context.c
--- src/lib/gssapi/krb5/lucid_context.c 2008-04-01 16:28:11.000000000 -0400
+++ src/lib/gssapi/krb5/lucid_context.c 2008-04-01 16:28:01.000000000 -0400
@@ -231,7 +231,7 @@ make_external_lucid_ctx_v1(
&lctx->cfx_kd.ctx_key)))
goto error_out;
if (gctx->have_acceptor_subkey) {
- if ((retval = copy_keyblock_to_lucid_key(gctx->enc,
+ if ((retval = copy_keyblock_to_lucid_key(gctx->acceptor_subkey,
&lctx->cfx_kd.acceptor_subkey)))
goto error_out;
lctx->cfx_kd.have_acceptor_subkey = 1;

860
krb5-1.6.3-selinux-label.patch
View File

@ -1,860 +0,0 @@
SELinux bases access to files mainly on the domain of the requesting
process and the context applied to the file.
In many cases, applications needn't be SELinux aware to work properly,
because SELinux can apply a default label to a file based on the label
of the directory in which it's created.
In the case of files such as /etc/krb5.keytab, however, this isn't
sufficient, as /etc/krb5.keytab will almost always need given a label
which differs from that of /etc/issue or /etc/resolv.conf.
To give the file the correct label, we can either force a "restorecon"
call to fix a file's label after it's created, or create the file with
the right label, as we do here. We lean on THREEPARAMOPEN and define a
similar macro named WRITABLEFOPEN with which we replace several uses of
fopen().
diff -ur krb5-1.6.3/src/aclocal.m4 krb5-1.6.3/src/aclocal.m4
--- krb5-1.6.3/src/aclocal.m4 2008-03-06 19:04:59.000000000 -0500
+++ krb5-1.6.3/src/aclocal.m4 2008-03-06 17:31:21.000000000 -0500
@@ -102,6 +102,7 @@
dnl
KRB5_AC_PRAGMA_WEAK_REF
WITH_LDAP
+KRB5_WITH_SELINUX
KRB5_LIB_PARAMS
KRB5_AC_INITFINI
KRB5_AC_ENABLE_THREADS
@@ -1902,3 +1903,50 @@
AC_SUBST(PAM_MAN)
AC_SUBST(NON_PAM_MAN)
])dnl
+dnl
+dnl Use libselinux to set file contexts on newly-created files.
+dnl
+AC_DEFUN(KRB5_WITH_SELINUX,[
+AC_ARG_WITH(selinux,[AC_HELP_STRING(--with-selinux,[compile with SELinux labeling support])],
+ withselinux="$withval",withselinux=auto)
+old_LIBS="$LIBS"
+if test "$withselinux" != no ; then
+ AC_MSG_RESULT([checking for libselinux...])
+ SELINUX_LIBS=
+ AC_CHECK_HEADERS(selinux/selinux.h)
+ if test "x$ac_cv_header_selinux_selinux_h" != xyes ; then
+ if test "$withselinux" = auto ; then
+ AC_MSG_RESULT([Unable to locate selinux/selinux.h.])
+ withselinux=no
+ else
+ AC_MSG_ERROR([Unable to locate selinux/selinux.h.])
+ fi
+ fi
+
+ LIBS=
+ unset ac_cv_func_setfscreatecon
+ AC_CHECK_FUNCS(setfscreatecon)
+ if test "x$ac_cv_func_setfscreatecon" = xno ; then
+ AC_CHECK_LIB(selinux,setfscreatecon)
+ unset ac_cv_func_setfscreatecon
+ AC_CHECK_FUNCS(setfscreatecon)
+ if test "x$ac_cv_func_setfscreatecon" = xyes ; then
+ SELINUX_LIBS="$LIBS"
+ else
+ if test "$withselinux" = auto ; then
+ AC_MSG_RESULT([Unable to locate libselinux.])
+ withselinux=no
+ else
+ AC_MSG_ERROR([Unable to locate libselinux.])
+ fi
+ fi
+ fi
+ if test "$withselinux" != no ; then
+ AC_MSG_RESULT([Using SELinux.])
+ AC_DEFINE(USE_SELINUX,1,[Define if Kerberos-aware tools should set SELinux file contexts when creating files.])
+ SELINUX_LIBS="$LIBS"
+ fi
+fi
+LIBS="$old_LIBS"
+AC_SUBST(SELINUX_LIBS)
+])dnl
diff -ur krb5-1.6.3/src/appl/bsd/configure.in krb5-1.6.3/src/appl/bsd/configure.in
--- krb5-1.6.3/src/appl/bsd/configure.in 2008-03-06 19:04:59.000000000 -0500
+++ krb5-1.6.3/src/appl/bsd/configure.in 2008-03-06 18:05:45.000000000 -0500
@@ -25,6 +25,7 @@
LOGINLIBS="$LOGINLIBS -lodm -ls -lcfg"
)))
KRB5_WITH_PAM
+KRB5_WITH_SELINUX
dnl
dnl Make our operating system-specific security checks and definitions for
dnl login.
diff -ur krb5-1.6.3/src/appl/gssftp/configure.in krb5-1.6.3/src/appl/gssftp/configure.in
--- krb5-1.6.3/src/appl/gssftp/configure.in 2008-03-06 19:04:59.000000000 -0500
+++ krb5-1.6.3/src/appl/gssftp/configure.in 2008-03-06 18:08:03.000000000 -0500
@@ -18,6 +18,7 @@
AC_CHECK_FUNCS(getcwd getdtablesize getusershell seteuid setreuid setresuid strerror getenv)
AC_CHECK_LIB(crypt,crypt) dnl
KRB5_WITH_PAM
+KRB5_WITH_SELINUX
KRB5_AC_LIBUTIL
dnl
dnl copied from appl/bsd/configure.in
diff -ur krb5-1.6.3/src/appl/telnet/configure.in krb5-1.6.3/src/appl/telnet/configure.in
--- krb5-1.6.3/src/appl/telnet/configure.in 2006-03-27 23:35:02.000000000 -0500
+++ krb5-1.6.3/src/appl/telnet/configure.in 2008-03-06 18:08:49.000000000 -0500
@@ -163,6 +163,7 @@
if test $krb5_cv_sys_setpgrp_two = yes; then
AC_DEFINE(SETPGRP_TWOARG,1,[Define if setpgrp takes two arguments])
fi
+KRB5_USE_SELINUX
dnl
KRB5_NEED_PROTO([#include <stdlib.h>],unsetenv,1)
dnl KRB5_NEED_PROTO([#include <stdlib.h>],setenv,1)
diff -ur krb5-1.6.3/src/config/pre.in krb5-1.6.3/src/config/pre.in
--- krb5-1.6.3/src/config/pre.in 2008-03-06 19:04:59.000000000 -0500
+++ krb5-1.6.3/src/config/pre.in 2008-03-06 17:53:07.000000000 -0500
@@ -181,6 +181,7 @@
CLNTLIBS = @CLNTLIBS@
CLNTDEPLIBS = @CLNTDEPLIBS@
PAM_LIBS = @PAM_LIBS@
+SELINUX_LIBS=@SELINUX_LIBS@
INSTALL=@INSTALL@
INSTALL_STRIP=
@@ -391,7 +392,7 @@
# HESIOD_LIBS is -lhesiod...
HESIOD_LIBS = @HESIOD_LIBS@
-KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(DL_LIB)
+KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(SELINUX_LIBS) $(DL_LIB)
KRB4COMPAT_LIBS = $(KRB4_LIB) $(DES425_LIB) $(KRB5_BASE_LIBS)
KDB5_LIBS = $(KDB5_LIB)
GSS_LIBS = $(GSS_KRB5_LIB)
diff -ur krb5-1.6.3/src/configure.in krb5-1.6.3/src/configure.in
--- krb5-1.6.3/src/configure.in 2008-03-06 19:04:59.000000000 -0500
+++ krb5-1.6.3/src/configure.in 2008-03-06 17:39:53.000000000 -0500
@@ -945,6 +945,8 @@
KRB5_WITH_PAM
+KRB5_WITH_SELINUX
+
AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config])
mansysconfdir=$sysconfdir
diff -ur krb5-1.6.3/src/include/autoconf.h.in krb5-1.6.3/src/include/autoconf.h.in
--- krb5-1.6.3/src/include/autoconf.h.in 2007-10-21 23:35:17.000000000 -0400
+++ krb5-1.6.3/src/include/autoconf.h.in 2008-03-06 17:39:13.000000000 -0500
@@ -358,6 +358,9 @@
/* Define to 1 if you have the `sched_yield' function. */
#undef HAVE_SCHED_YIELD
+/* Define to 1 if you have the <selinux/selinux.h> header file. */
+#undef HAVE_SELINUX_SELINUX_H
+
/* Define to 1 if you have the <semaphore.h> header file. */
#undef HAVE_SEMAPHORE_H
@@ -370,6 +373,9 @@
/* Define to 1 if you have the `setegid' function. */
#undef HAVE_SETEGID
+/* Define to 1 if you have the `setfscreatecon' function. */
+#undef HAVE_SETFSCREATECON
+
/* Define to 1 if you have the `setenv' function. */
#undef HAVE_SETENV
@@ -695,6 +701,10 @@
/* Define if the KDC should use a replay cache */
#undef USE_RCACHE
+/* Define if Kerberos-aware tools should set SELinux file contexts when
+ creating files. */
+#undef USE_SELINUX
+
/* Define if sigprocmask should be used */
#undef USE_SIGPROCMASK
diff -ur krb5-1.6.3/src/include/k5-int.h krb5-1.6.3/src/include/k5-int.h
--- krb5-1.6.3/src/include/k5-int.h 2007-10-04 16:17:48.000000000 -0400
+++ krb5-1.6.3/src/include/k5-int.h 2008-03-06 18:51:29.000000000 -0500
@@ -128,6 +128,7 @@
typedef UINT64_TYPE krb5_ui_8;
typedef INT64_TYPE krb5_int64;
+#include "k5-label.h"
#define DEFAULT_PWD_STRING1 "Enter password"
#define DEFAULT_PWD_STRING2 "Re-enter password for verification"
diff -ur krb5-1.6.3/src/include/krb5/krb5.hin krb5-1.6.3/src/include/krb5/krb5.hin
--- krb5-1.6.3/src/include/krb5/krb5.hin 2007-09-17 23:36:09.000000000 -0400
+++ krb5-1.6.3/src/include/krb5/krb5.hin 2008-03-06 18:17:29.000000000 -0500
@@ -91,6 +91,12 @@
#define THREEPARAMOPEN(x,y,z) open(x,y,z)
#endif
+#if KRB5_PRIVATE
+#ifndef WRITABLEFOPEN
+#define WRITABLEFOPEN(x,y) fopen(x,y)
+#endif
+#endif
+
#define KRB5_OLD_CRYPTO
#include <stdlib.h>
diff -ur krb5-1.6.3/src/kadmin/dbutil/dump.c krb5-1.6.3/src/kadmin/dbutil/dump.c
--- krb5-1.6.3/src/kadmin/dbutil/dump.c 2006-12-18 18:11:15.000000000 -0500
+++ krb5-1.6.3/src/kadmin/dbutil/dump.c 2008-03-06 18:33:44.000000000 -0500
@@ -1148,7 +1148,7 @@
* want to get into.
*/
unlink(ofile);
- if (!(f = fopen(ofile, "w"))) {
+ if (!(f = WRITABLEFOPEN(ofile, "w"))) {
fprintf(stderr, ofopen_error,
programname, ofile, error_message(errno));
exit_status++;
diff -ur krb5-1.6.3/src/kadmin/dbutil/dumpv4.c krb5-1.6.3/src/kadmin/dbutil/dumpv4.c
--- krb5-1.6.3/src/kadmin/dbutil/dumpv4.c 2002-11-05 19:42:57.000000000 -0500
+++ krb5-1.6.3/src/kadmin/dbutil/dumpv4.c 2008-03-06 18:33:50.000000000 -0500
@@ -324,7 +324,7 @@
* want to get into.
*/
unlink(outname);
- if (!(f = fopen(outname, "w"))) {
+ if (!(f = WRITABLEFOPEN(outname, "w"))) {
com_err(argv[0], errno,
"While opening file %s for writing", outname);
exit_status++;
diff -ur krb5-1.6.3/src/kadmin/ktutil/ktutil_funcs.c krb5-1.6.3/src/kadmin/ktutil/ktutil_funcs.c
--- krb5-1.6.3/src/kadmin/ktutil/ktutil_funcs.c 2005-10-12 16:48:36.000000000 -0400
+++ krb5-1.6.3/src/kadmin/ktutil/ktutil_funcs.c 2008-03-06 18:34:19.000000000 -0500
@@ -520,7 +520,7 @@
umask(0077); /*Changing umask for all of ktutil is OK
* We don't ever write out anything that should use
* default umask.*/
- fp = fopen(name, "w");
+ fp = WRITABLEFOPEN(name, "w");
if (!fp) {
retval = EIO;
goto free_pruned;
diff -ur krb5-1.6.3/src/krb5-config.in krb5-1.6.3/src/krb5-config.in
--- krb5-1.6.3/src/krb5-config.in 2006-06-15 20:26:49.000000000 -0400
+++ krb5-1.6.3/src/krb5-config.in 2008-03-06 17:29:57.000000000 -0500
@@ -39,6 +39,7 @@
RPATH_FLAG='@RPATH_FLAG@'
PTHREAD_CFLAGS='@PTHREAD_CFLAGS@'
DL_LIB='@DL_LIB@'
+SELINUX_LIBS='@SELINUX_LIBS@'
LIBS='@LIBS@'
GEN_LIB=@GEN_LIB@
@@ -217,7 +218,7 @@
fi
if test $library = 'krb5'; then
- lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $DL_LIB"
+ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB"
fi
echo $lib_flags
diff -ur krb5-1.6.3/src/lib/kadm5/logger.c krb5-1.6.3/src/lib/kadm5/logger.c
--- krb5-1.6.3/src/lib/kadm5/logger.c 2007-04-04 17:08:05.000000000 -0400
+++ krb5-1.6.3/src/lib/kadm5/logger.c 2008-03-06 18:30:32.000000000 -0500
@@ -425,7 +425,7 @@
* Check for append/overwrite, then open the file.
*/
if (cp[4] == ':' || cp[4] == '=') {
- f = fopen(&cp[5], (cp[4] == ':') ? "a+" : "w");
+ f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? "a+" : "w");
if (f) {
log_control.log_entries[i].lfu_filep = f;
log_control.log_entries[i].log_type = K_LOG_FILE;
@@ -959,7 +959,7 @@
* In case the old logfile did not get moved out of the
* way, open for append to prevent squashing the old logs.
*/
- f = fopen(log_control.log_entries[lindex].lfu_fname, "a+");
+ f = WRITABLEFOPEN(log_control.log_entries[lindex].lfu_fname, "a+");
if (f) {
log_control.log_entries[lindex].lfu_filep = f;
} else {
diff -ur krb5-1.6.3/src/lib/kdb/kdb_default.c krb5-1.6.3/src/lib/kdb/kdb_default.c
--- krb5-1.6.3/src/lib/kdb/kdb_default.c 2006-10-11 22:39:14.000000000 -0400
+++ krb5-1.6.3/src/lib/kdb/kdb_default.c 2008-03-06 18:31:18.000000000 -0500
@@ -161,9 +161,9 @@
oumask = umask(077);
#endif
#ifdef ANSI_STDIO
- if (!(kf = fopen(keyfile, "wb")))
+ if (!(kf = WRITABLEFOPEN(keyfile, "wb")))
#else
- if (!(kf = fopen(keyfile, "w")))
+ if (!(kf = WRITABLEFOPEN(keyfile, "w")))
#endif
{
int e = errno;
diff -ur krb5-1.6.3/src/lib/krb4/klog.c krb5-1.6.3/src/lib/krb4/klog.c
--- krb5-1.6.3/src/lib/krb4/klog.c 2006-03-11 17:23:28.000000000 -0500
+++ krb5-1.6.3/src/lib/krb4/klog.c 2008-03-06 18:48:01.000000000 -0500
@@ -24,6 +24,7 @@
* or implied warranty.
*/
+#include "k5-int.h"
#include "krb.h"
#include "autoconf.h"
#ifdef HAVE_TIME_H
@@ -96,7 +97,7 @@
if (!logtype_array[type])
return(logtxt);
- if ((logfile = fopen(log_name,"a")) == NULL)
+ if ((logfile = WRITABLEFOPEN(log_name,"a")) == NULL)
return(logtxt);
(void) time(&now);
diff -ur krb5-1.6.3/src/lib/krb4/kparse.c krb5-1.6.3/src/lib/krb4/kparse.c
--- krb5-1.6.3/src/lib/krb4/kparse.c 2006-06-16 02:58:42.000000000 -0400
+++ krb5-1.6.3/src/lib/krb4/kparse.c 2008-03-06 18:35:18.000000000 -0500
@@ -583,7 +583,7 @@
FILE *fp;
if (--argc) {
- fp = fopen(*++argv,"ra");
+ fp = WRITABLEOPEN(*++argv,"ra");
if (fp == (FILE *)NULL) {
fprintf(stderr,"can\'t open \"%s\"\n",*argv);
}
diff -ur krb5-1.6.3/src/lib/krb4/log.c krb5-1.6.3/src/lib/krb4/log.c
--- krb5-1.6.3/src/lib/krb4/log.c 2006-03-11 17:23:28.000000000 -0500
+++ krb5-1.6.3/src/lib/krb4/log.c 2008-03-06 18:47:49.000000000 -0500
@@ -30,6 +30,7 @@
krb_set_logfile, or change all the invokers. */
#endif
+#include "k5-int.h"
#include "krb.h"
#include "autoconf.h"
#ifdef HAVE_TIME_H
@@ -79,7 +80,7 @@
va_start(args, format);
- if ((logfile = fopen(log_name,"a")) != NULL) {
+ if ((logfile = WRITABLEFOPEN(log_name,"a")) != NULL) {
(void) time(&now);
tm = localtime(&now);
diff -ur krb5-1.6.3/src/lib/krb5/keytab/kt_file.c krb5-1.6.3/src/lib/krb5/keytab/kt_file.c
--- krb5-1.6.3/src/lib/krb5/keytab/kt_file.c 2007-08-31 17:38:41.000000000 -0400
+++ krb5-1.6.3/src/lib/krb5/keytab/kt_file.c 2008-03-06 18:19:56.000000000 -0500
@@ -1062,7 +1062,7 @@
KTCHECKLOCK(id);
errno = 0;
- KTFILEP(id) = fopen(KTFILENAME(id),
+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id),
(mode == KRB5_LOCKMODE_EXCLUSIVE) ?
fopen_mode_rbplus : fopen_mode_rb);
if (!KTFILEP(id)) {
@@ -1070,7 +1070,7 @@
/* try making it first time around */
krb5_create_secure_file(context, KTFILENAME(id));
errno = 0;
- KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus);
+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), fopen_mode_rbplus);
if (!KTFILEP(id))
return errno ? errno : EMFILE;
writevno = 1;
diff -ur krb5-1.6.3/src/plugins/kdb/db2/libdb2/btree/bt_open.c krb5-1.6.3/src/plugins/kdb/db2/libdb2/btree/bt_open.c
--- krb5-1.6.3/src/plugins/kdb/db2/libdb2/btree/bt_open.c 2000-07-02 23:43:42.000000000 -0400
+++ krb5-1.6.3/src/plugins/kdb/db2/libdb2/btree/bt_open.c 2008-03-06 18:27:37.000000000 -0500
@@ -58,6 +58,7 @@
#include <string.h>
#include <unistd.h>
+#include "k5-int.h"
#include "db-int.h"
#include "btree.h"
@@ -201,7 +202,7 @@
goto einval;
}
- if ((t->bt_fd = open(fname, flags | O_BINARY, mode)) < 0)
+ if ((t->bt_fd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
goto err;
} else {
diff -ur krb5-1.6.3/src/plugins/kdb/db2/libdb2/hash/hash.c krb5-1.6.3/src/plugins/kdb/db2/libdb2/hash/hash.c
--- krb5-1.6.3/src/plugins/kdb/db2/libdb2/hash/hash.c 2006-06-14 22:35:44.000000000 -0400
+++ krb5-1.6.3/src/plugins/kdb/db2/libdb2/hash/hash.c 2008-03-06 18:29:17.000000000 -0500
@@ -51,6 +51,7 @@
#include <assert.h>
#endif
+#include "k5-int.h"
#include "db-int.h"
#include "hash.h"
#include "page.h"
@@ -140,7 +141,7 @@
new_table = 1;
}
if (file) {
- if ((hashp->fp = open(file, flags|O_BINARY, mode)) == -1)
+ if ((hashp->fp = THREEPARAMOPEN(file, flags|O_BINARY, mode)) == -1)
RETURN_ERROR(errno, error0);
(void)fcntl(hashp->fp, F_SETFD, 1);
}
diff -ur krb5-1.6.3/src/plugins/kdb/db2/libdb2/recno/rec_open.c krb5-1.6.3/src/plugins/kdb/db2/libdb2/recno/rec_open.c
--- krb5-1.6.3/src/plugins/kdb/db2/libdb2/recno/rec_open.c 1998-01-21 11:33:31.000000000 -0500
+++ krb5-1.6.3/src/plugins/kdb/db2/libdb2/recno/rec_open.c 2008-03-06 18:27:01.000000000 -0500
@@ -51,6 +51,7 @@
#include <stdio.h>
#include <unistd.h>
+#include "k5-int.h"
#include "db-int.h"
#include "recno.h"
@@ -68,7 +69,7 @@
int rfd, sverrno;
/* Open the user's file -- if this fails, we're done. */
- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0)
+ if (fname != NULL && (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0)
return (NULL);
/* Create a btree in memory (backed by disk). */
--- krb5-1.6.3/src/plugins/kdb/db2/kdb_db2.c 2008-07-11 11:10:41.000000000 -0400
+++ krb5-1.6.3/src/plugins/kdb/db2/kdb_db2.c 2008-07-11 11:10:45.000000000 -0400
@@ -326,8 +326,8 @@
* should be opened read/write so that write locking can work with
* POSIX systems
*/
- if ((db_ctx->db_lf_file = open(filename, O_RDWR, 0666)) < 0) {
- if ((db_ctx->db_lf_file = open(filename, O_RDONLY, 0666)) < 0) {
+ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDWR, 0666)) < 0) {
+ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDONLY, 0666)) < 0) {
retval = errno;
goto err_out;
}
diff -ur krb5-1.6.3/src/util/profile/prof_file.c krb5-1.6.3/src/util/profile/prof_file.c
--- krb5-1.6.3/src/util/profile/prof_file.c 2005-10-21 16:03:44.000000000 -0400
+++ krb5-1.6.3/src/util/profile/prof_file.c 2008-03-06 19:02:44.000000000 -0500
@@ -29,6 +29,7 @@
#endif
#include "k5-platform.h"
+#include "k5-label.h"
struct global_shared_profile_data {
/* This is the head of the global list of shared trees */
@@ -419,7 +420,7 @@
errno = 0;
- f = fopen(new_file, "w");
+ f = WRITABLEFOPEN(new_file, "w");
if (!f) {
retval = errno;
if (retval == 0)
diff -ur krb5-1.6.3/src/util/support/libkrb5support.exports krb5-1.6.3/src/util/support/libkrb5support.exports
--- krb5-1.6.3/src/util/support/libkrb5support.exports 2006-05-04 14:35:01.000000000 -0400
+++ krb5-1.6.3/src/util/support/libkrb5support.exports 2008-03-06 17:33:30.000000000 -0500
@@ -32,3 +32,6 @@
krb5int_clear_error
krb5int_set_error_info_callout_fn
krb5int_gmt_mktime
+krb5int_labeled_open
+krb5int_labeled_fopen
+krb5int_labeled_creat
diff -ur krb5-1.6.3/src/util/support/Makefile.in krb5-1.6.3/src/util/support/Makefile.in
--- krb5-1.6.3/src/util/support/Makefile.in 2006-10-17 23:15:24.000000000 -0400
+++ krb5-1.6.3/src/util/support/Makefile.in 2008-03-06 17:33:30.000000000 -0500
@@ -27,6 +27,7 @@
STLIBOBJS= \
threads.o \
+ selinux.o \
init-addrinfo.o \
plugins.o \
errors.o \
@@ -55,7 +56,7 @@
$(srcdir)/fake-addrinfo.c
SHLIB_EXPDEPS =
# Add -lm if dumping thread stats, for sqrt.
-SHLIB_EXPLIBS= $(LIBS) $(DL_LIB)
+SHLIB_EXPLIBS= $(LIBS) $(SELINUX_LIBS) $(DL_LIB)
SHLIB_DIRS=
SHLIB_RDIRS=$(KRB5_LIBDIR)
--- krb5-1.6.3/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c 2008-03-06 19:20:37.000000000 -0500
+++ krb5-1.6.3/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c 2008-03-06 19:20:28.000000000 -0500
@@ -1083,7 +1083,7 @@
/* Create a temporary file which contains all the entries except the
entry for the given service dn */
- pfile = fopen(file_name, "r+");
+ pfile = WRITABLEFOPEN(file_name, "r+");
if (pfile == NULL) {
com_err(me, errno, "while deleting entry from file %s", file_name);
goto cleanup;
@@ -1764,7 +1764,7 @@
/* TODO: file lock for the service password file */
/* set password in the file */
- pfile = fopen(file_name, "r+");
+ pfile = WRITABLEFOPEN(file_name, "r+");
if (pfile == NULL) {
com_err(me, errno, "Failed to open file %s", file_name);
goto cleanup;
@@ -1806,7 +1806,7 @@
sprintf(tmp_file,"%s.%s",file_name,"tmp");
omask = umask(077);
- newfile = fopen(tmp_file, "w+");
+ newfile = WRITABLEFOPEN(tmp_file, "w+");
umask(omask);
if (newfile == NULL) {
com_err(me, errno, "Error creating file %s", tmp_file);
@@ -2031,7 +2031,7 @@
/* set password in the file */
old_mode = umask(0177);
- pfile = fopen(file_name, "a+");
+ pfile = WRITABLEFOPEN(file_name, "a+");
if (pfile == NULL) {
com_err(me, errno, "Failed to open file %s: %s", file_name,
strerror (errno));
@@ -2082,7 +2082,7 @@
sprintf(tmp_file,"%s.%s",file_name,"tmp");
omask = umask(077);
- newfile = fopen(tmp_file, "w");
+ newfile = WRITABLEFOPEN(tmp_file, "w");
umask (omask);
if (newfile == NULL) {
com_err(me, errno, "Error creating file %s", tmp_file);
--- krb5-1.6.3/src/util/support/selinux.c 2007-08-25 03:19:00.000000000 -0400
+++ krb5-1.6.3/src/util/support/selinux.c 2007-08-24 23:38:39.000000000 -0400
@@ -0,0 +1,275 @@
+/*
+ * Copyright 2007,2008 Red Hat, Inc. All Rights Reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * Redistributions of source code must retain the above copyright notice, this
+ * list of conditions and the following disclaimer.
+ *
+ * Redistributions in binary form must reproduce the above copyright notice,
+ * this list of conditions and the following disclaimer in the documentation
+ * and/or other materials provided with the distribution.
+ *
+ * Neither the name of Red Hat, Inc. nor the names of its contributors may be
+ * used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * File-opening wrappers for creating correctly-labeled files. So far, we can
+ * assume that this is Linux-specific, so we make many simplifying assumptions.
+ */
+
+#include "../../include/autoconf.h"
+
+#ifdef USE_SELINUX
+
+#include <k5-label.h>
+#include <k5-thread.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <pthread.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <selinux/selinux.h>
+
+/* #define DEBUG 1 */
+
+/* Mutex used to serialize use of the process-global file creation context. */
+k5_mutex_t labeled_mutex = K5_MUTEX_PARTIAL_INITIALIZER;
+
+/* Make sure we finish initializing that mutex before attempting to use it. */
+k5_once_t labeled_once = K5_ONCE_INIT;
+static void
+label_mutex_init(void)
+{
+ k5_mutex_finish_init(&labeled_mutex);
+}
+
+static security_context_t
+push_fscreatecon(const char *pathname, mode_t mode)
+{
+ security_context_t previous, next;
+ const char *fullpath;
+
+ previous = NULL;
+ if (is_selinux_enabled()) {
+ if (getfscreatecon(&previous) == 0) {
+ char *genpath;
+ genpath = NULL;
+ if (pathname[0] != '/') {
+ char *wd;
+ size_t len;
+ len = 0;
+ wd = getcwd(NULL, len);
+ if (wd == NULL) {
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+ len = strlen(wd) + 1 + strlen(pathname) + 1;
+ genpath = malloc(len);
+ if (genpath == NULL) {
+ free(wd);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+ sprintf(genpath, "%s/%s", wd, pathname);
+ free(wd);
+ fullpath = genpath;
+ } else {
+ fullpath = pathname;
+ }
+ next = NULL;
+#ifdef DEBUG
+ if (isatty(fileno(stderr))) {
+ fprintf(stderr, "Looking up context for "
+ "\"%s\"(%05o).\n", fullpath, mode);
+ }
+#endif
+ if (matchpathcon(fullpath, mode, &next) != 0) {
+ free(genpath);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+ free(genpath);
+#ifdef DEBUG
+ if (isatty(fileno(stderr))) {
+ fprintf(stderr, "Setting file creation context "
+ "to \"%s\".\n", next);
+ }
+#endif
+ if (setfscreatecon(next) != 0) {
+ freecon(next);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ return NULL;
+ }
+ freecon(next);
+#ifdef DEBUG
+ } else {
+ if (isatty(fileno(stderr))) {
+ fprintf(stderr, "Unable to determine "
+ "current context.\n");
+ }
+#endif
+ }
+ }
+ return previous;
+}
+
+static void
+pop_fscreatecon(security_context_t previous)
+{
+ if (is_selinux_enabled()) {
+#ifdef DEBUG
+ if (isatty(fileno(stderr))) {
+ if (previous != NULL) {
+ fprintf(stderr, "Resetting file creation "
+ "context to \"%s\".\n", previous);
+ } else {
+ fprintf(stderr, "Resetting file creation "
+ "context to default.\n");
+ }
+ }
+#endif
+ setfscreatecon(previous);
+ if (previous != NULL) {
+ freecon(previous);
+ }
+ }
+}
+
+FILE *
+krb5int_labeled_fopen(const char *path, const char *mode)
+{
+ FILE *fp;
+ int errno_save;
+ security_context_t ctx;
+
+ if (strcmp(mode, "r") == 0) {
+ return fopen(path, mode);
+ }
+
+ k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex);
+ ctx = push_fscreatecon(path, 0);
+ fp = fopen(path, mode);
+ errno_save = errno;
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+
+ errno = errno_save;
+ return fp;
+}
+
+int
+krb5int_labeled_creat(const char *path, mode_t mode)
+{
+ int fd;
+ int errno_save;
+ security_context_t ctx;
+
+ k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex);
+ ctx = push_fscreatecon(path, 0);
+ fd = creat(path, mode);
+ errno_save = errno;
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+
+ errno = errno_save;
+ return fd;
+}
+
+int
+krb5int_labeled_mknod(const char *path, mode_t mode, dev_t dev)
+{
+ int ret;
+ int errno_save;
+ security_context_t ctx;
+
+ k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex);
+ ctx = push_fscreatecon(path, mode);
+ ret = mknod(path, mode, dev);
+ errno_save = errno;
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+
+ errno = errno_save;
+ return ret;
+}
+
+int
+krb5int_labeled_mkdir(const char *path, mode_t mode)
+{
+ int ret;
+ int errno_save;
+ security_context_t ctx;
+
+ k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex);
+ ctx = push_fscreatecon(path, S_IFDIR);
+ ret = mkdir(path, mode);
+ errno_save = errno;
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+
+ errno = errno_save;
+ return ret;
+}
+
+int
+krb5int_labeled_open(const char *path, int flags, ...)
+{
+ int fd;
+ int errno_save;
+ security_context_t ctx;
+ mode_t mode;
+ va_list ap;
+
+ if ((flags & O_CREAT) == 0) {
+ return open(path, flags);
+ }
+
+ k5_once(&labeled_once, label_mutex_init);
+ k5_mutex_lock(&labeled_mutex);
+ ctx = push_fscreatecon(path, 0);
+
+ va_start(ap, flags);
+ mode = va_arg(ap, mode_t);
+ fd = open(path, flags, mode);
+ va_end(ap);
+
+ errno_save = errno;
+
+ pop_fscreatecon(ctx);
+ k5_mutex_unlock(&labeled_mutex);
+ return fd;
+}
+
+#endif
--- krb5-1.6.3/src/include/k5-label.h 2007-08-25 03:19:00.000000000 -0400
+++ krb5-1.6.3/src/include/k5-label.h 2007-08-25 03:00:02.000000000 -0400
@@ -0,0 +1,27 @@
+#ifndef _KRB5_LABEL_H
+#define _KRB5_LABEL_H
+
+#ifdef THREEPARAMOPEN
+#undef THREEPARAMOPEN
+#endif
+
+/* Wrapper functions which help us create files and directories with the right
+ * context labels. */
+#ifdef USE_SELINUX
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <unistd.h>
+FILE *krb5int_labeled_fopen(const char *path, const char *mode);
+int krb5int_labeled_creat(const char *path, mode_t mode);
+int krb5int_labeled_open(const char *path, int flags, ...);
+int krb5int_labeled_mkdir(const char *path, mode_t mode);
+int krb5int_labeled_mknod(const char *path, mode_t mode, dev_t device);
+#define THREEPARAMOPEN(x,y,z) krb5int_labeled_open(x,y,z)
+#define WRITABLEFOPEN(x,y) krb5int_labeled_fopen(x,y)
+#else
+#define WRITABLEFOPEN(x,y) fopen(x,y)
+#define THREEPARAMOPEN(x,y,z) open(x,y,z)
+#endif
+#endif
--- krb5-1.6.3/src/plugins/kdb/db2/libdb2/test/Makefile.in 2009-02-19 16:10:41.000000000 -0500
+++ krb5-1.6.3/src/plugins/kdb/db2/libdb2/test/Makefile.in 2009-02-19 16:10:44.000000000 -0500
@@ -14,7 +14,8 @@ PROG_RPATH=$(KRB5_LIBDIR)
KRB5_RUN_ENV= @KRB5_RUN_ENV@
-DB_LIB = -ldb
+DB_LIB = -ldb $(SUPPORT_DEPLIB)
+
DB_DEPLIB = ../libdb$(DEPLIBEXT)
all::

13
krb5-CVE-2007-5901.patch
View File

@ -1,13 +0,0 @@
Patch for CVE-2007-5901, pulled from SVN per #415321.
diff -up src/lib/gssapi/mechglue/g_initialize.c src/lib/gssapi/mechglue/g_initialize.c
--- src/lib/gssapi/mechglue/g_initialize.c 2008-03-04 16:29:13.000000000 -0500
+++ src/lib/gssapi/mechglue/g_initialize.c 2008-03-04 16:29:16.000000000 -0500
@@ -210,7 +210,7 @@ gss_OID_set *mechSet;
free((*mechSet)->elements[j].elements);
}
free((*mechSet)->elements);
- free(mechSet);
+ free(*mechSet);
*mechSet = NULL;
return (GSS_S_FAILURE);
}

12
krb5-CVE-2007-5971.patch
View File

@ -1,12 +0,0 @@
Patch for CVE-2007-5971, pulled from SVN per #415351.
diff -up src/lib/gssapi/krb5/k5sealv3.c src/lib/gssapi/krb5/k5sealv3.c
--- src/lib/gssapi/krb5/k5sealv3.c 2008-03-04 16:22:29.000000000 -0500
+++ src/lib/gssapi/krb5/k5sealv3.c 2008-03-04 16:22:22.000000000 -0500
@@ -248,7 +248,6 @@ gss_krb5int_make_seal_token_v3 (krb5_con
plain.data = 0;
if (err) {
zap(outbuf,bufsize);
- free(outbuf);
goto error;
}
if (sum.length != ctx->cksum_size)

339
krb5-CVE-2008-0062,0063.patch
View File

@ -1,339 +0,0 @@
Patch from MITKRB5-SA-2008-001.
Index: src/kdc/dispatch.c
===================================================================
--- src/kdc/dispatch.c (revision 20192)
+++ src/kdc/dispatch.c (working copy)
@@ -1,7 +1,7 @@
/*
* kdc/dispatch.c
*
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright 1990, 2007 by the Massachusetts Institute of Technology.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
@@ -107,7 +107,7 @@
retval = KRB5KRB_AP_ERR_MSG_TYPE;
#ifndef NOCACHE
/* put the response into the lookaside buffer */
- if (!retval)
+ if (!retval && *response != NULL)
kdc_insert_lookaside(pkt, *response);
#endif
Index: src/kdc/kerberos_v4.c
===================================================================
--- src/kdc/kerberos_v4.c (revision 20192)
+++ src/kdc/kerberos_v4.c (working copy)
@@ -1,7 +1,7 @@
/*
* kdc/kerberos_v4.c
*
- * Copyright 1985, 1986, 1987, 1988,1991 by the Massachusetts Institute
+ * Copyright 1985, 1986, 1987, 1988,1991,2007 by the Massachusetts Institute
* of Technology.
* All Rights Reserved.
*
@@ -87,11 +87,6 @@
#define MSB_FIRST 0 /* 68000, IBM RT/PC */
#define LSB_FIRST 1 /* Vax, PC8086 */
-int f;
-
-/* XXX several files in libkdb know about this */
-char *progname;
-
#ifndef BACKWARD_COMPAT
static Key_schedule master_key_schedule;
static C_Block master_key;
@@ -143,10 +138,8 @@
#include "com_err.h"
#include "extern.h" /* to pick up master_princ */
-static krb5_data *response;
-
-void kerberos_v4 (struct sockaddr_in *, KTEXT);
-void kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *);
+static krb5_data *kerberos_v4 (struct sockaddr_in *, KTEXT);
+static krb5_data *kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *);
static int set_tgtkey (char *, krb5_kvno, krb5_boolean);
/* Attributes converted from V5 to V4 - internal representation */
@@ -262,12 +255,12 @@
(void) klog(L_KRB_PERR, "V4 request too long.");
return KRB5KRB_ERR_FIELD_TOOLONG;
}
+ memset( &v4_pkt, 0, sizeof(v4_pkt));
v4_pkt.length = pkt->length;
v4_pkt.mbz = 0;
memcpy( v4_pkt.dat, pkt->data, pkt->length);
- kerberos_v4( &client_sockaddr, &v4_pkt);
- *resp = response;
+ *resp = kerberos_v4( &client_sockaddr, &v4_pkt);
return(retval);
}
@@ -300,19 +293,20 @@
}
static
-int krb4_sendto(int s, const char *msg, int len, int flags,
- const struct sockaddr *to, int to_len)
+krb5_data *make_response(const char *msg, int len)
{
+ krb5_data *response;
+
if ( !(response = (krb5_data *) malloc( sizeof *response))) {
- return ENOMEM;
+ return 0;
}
if ( !(response->data = (char *) malloc( len))) {
krb5_free_data(kdc_context, response);
- return ENOMEM;
+ return 0;
}
response->length = len;
memcpy( response->data, msg, len);
- return( 0);
+ return response;
}
static void
hang(void)
@@ -586,7 +580,7 @@
*cp = 0;
}
-void
+static krb5_data *
kerberos_v4(struct sockaddr_in *client, KTEXT pkt)
{
static KTEXT_ST rpkt_st;
@@ -599,8 +593,8 @@
KTEXT auth = &auth_st;
AUTH_DAT ad_st;
AUTH_DAT *ad = &ad_st;
+ krb5_data *response = 0;
-
static struct in_addr client_host;
static int msg_byte_order;
static int swap_bytes;
@@ -637,8 +631,7 @@
inet_ntoa(client_host));
/* send an error reply */
req_name_ptr = req_inst_ptr = req_realm_ptr = "";
- kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt);
- return;
+ return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt);
}
/* check packet version */
@@ -648,8 +641,7 @@
KRB_PROT_VERSION, req_version, 0);
/* send an error reply */
req_name_ptr = req_inst_ptr = req_realm_ptr = "";
- kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt);
- return;
+ return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt);
}
msg_byte_order = req_msg_type & 1;
@@ -707,10 +699,10 @@
if ((i = check_princ(req_name_ptr, req_inst_ptr, 0,
&a_name_data, &k5key, 0, &ck5life))) {
- kerb_err_reply(client, pkt, i, "check_princ failed");
+ response = kerb_err_reply(client, pkt, i, "check_princ failed");
a_name_data.key_low = a_name_data.key_high = 0;
krb5_free_keyblock_contents(kdc_context, &k5key);
- return;
+ return response;
}
/* don't use k5key for client */
krb5_free_keyblock_contents(kdc_context, &k5key);
@@ -722,11 +714,11 @@
/* this does all the checking */
if ((i = check_princ(service, instance, lifetime,
&s_name_data, &k5key, 1, &sk5life))) {
- kerb_err_reply(client, pkt, i, "check_princ failed");
+ response = kerb_err_reply(client, pkt, i, "check_princ failed");
a_name_data.key_high = a_name_data.key_low = 0;
s_name_data.key_high = s_name_data.key_low = 0;
krb5_free_keyblock_contents(kdc_context, &k5key);
- return;
+ return response;
}
/* Bound requested lifetime with service and user */
v4req_end = krb_life_to_time(kerb_time.tv_sec, req_life);
@@ -797,8 +789,7 @@
rpkt = create_auth_reply(req_name_ptr, req_inst_ptr,
req_realm_ptr, req_time_ws, 0, a_name_data.exp_date,
a_name_data.key_version, ciph);
- krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0,
- (struct sockaddr *) client, sizeof (struct sockaddr_in));
+ response = make_response((char *) rpkt->dat, rpkt->length);
memset(&a_name_data, 0, sizeof(a_name_data));
memset(&s_name_data, 0, sizeof(s_name_data));
break;
@@ -824,9 +815,8 @@
lt = klog(L_KRB_PERR,
"APPL request with realm length too long from %s",
inet_ntoa(client_host));
- kerb_err_reply(client, pkt, RD_AP_INCON,
- "realm length too long");
- return;
+ return kerb_err_reply(client, pkt, RD_AP_INCON,
+ "realm length too long");
}
auth->length += (int) *(pkt->dat + auth->length) +
@@ -835,9 +825,8 @@
lt = klog(L_KRB_PERR,
"APPL request with funky tkt or req_id length from %s",
inet_ntoa(client_host));
- kerb_err_reply(client, pkt, RD_AP_INCON,
- "funky tkt or req_id length");
- return;
+ return kerb_err_reply(client, pkt, RD_AP_INCON,
+ "funky tkt or req_id length");
}
memcpy(auth->dat, pkt->dat, auth->length);
@@ -848,18 +837,16 @@
if ((!allow_v4_crossrealm)&&strcmp(tktrlm, local_realm) != 0) {
lt = klog(L_ERR_UNK,
"Cross realm ticket from %s denied by policy,", tktrlm);
- kerb_err_reply(client, pkt,
- KERB_ERR_PRINCIPAL_UNKNOWN, lt);
- return;
+ return kerb_err_reply(client, pkt,
+ KERB_ERR_PRINCIPAL_UNKNOWN, lt);
}
if (set_tgtkey(tktrlm, kvno, 0)) {
- lt = klog(L_ERR_UNK,
+ lt = klog(L_ERR_UNK,
"FAILED set_tgtkey realm %s, kvno %d. Host: %s ",
tktrlm, kvno, inet_ntoa(client_host));
/* no better error code */
- kerb_err_reply(client, pkt,
- KERB_ERR_PRINCIPAL_UNKNOWN, lt);
- return;
+ return kerb_err_reply(client, pkt,
+ KERB_ERR_PRINCIPAL_UNKNOWN, lt);
}
kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr,
ad, 0);
@@ -869,9 +856,8 @@
"FAILED 3des set_tgtkey realm %s, kvno %d. Host: %s ",
tktrlm, kvno, inet_ntoa(client_host));
/* no better error code */
- kerb_err_reply(client, pkt,
- KERB_ERR_PRINCIPAL_UNKNOWN, lt);
- return;
+ return kerb_err_reply(client, pkt,
+ KERB_ERR_PRINCIPAL_UNKNOWN, lt);
}
kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr,
ad, 0);
@@ -881,8 +867,7 @@
klog(L_ERR_UNK, "FAILED krb_rd_req from %s: %s",
inet_ntoa(client_host), krb_get_err_text(kerno));
req_name_ptr = req_inst_ptr = req_realm_ptr = "";
- kerb_err_reply(client, pkt, kerno, "krb_rd_req failed");
- return;
+ return kerb_err_reply(client, pkt, kerno, "krb_rd_req failed");
}
ptr = (char *) pkt->dat + auth->length;
@@ -904,22 +889,21 @@
req_realm_ptr = ad->prealm;
if (strcmp(ad->prealm, tktrlm)) {
- kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN,
- "Can't hop realms");
- return;
+ return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN,
+ "Can't hop realms");
}
if (!strcmp(service, "changepw")) {
- kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN,
- "Can't authorize password changed based on TGT");
- return;
+ return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN,
+ "Can't authorize password changed based on TGT");
}
kerno = check_princ(service, instance, req_life,
&s_name_data, &k5key, 1, &sk5life);
if (kerno) {
- kerb_err_reply(client, pkt, kerno, "check_princ failed");
+ response = kerb_err_reply(client, pkt, kerno,
+ "check_princ failed");
s_name_data.key_high = s_name_data.key_low = 0;
krb5_free_keyblock_contents(kdc_context, &k5key);
- return;
+ return response;
}
/* Bound requested lifetime with service and user */
v4endtime = krb_life_to_time((KRB4_32)ad->time_sec, ad->life);
@@ -975,8 +959,7 @@
rpkt = create_auth_reply(ad->pname, ad->pinst,
ad->prealm, time_ws,
0, 0, 0, ciph);
- krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0,
- (struct sockaddr *) client, sizeof (struct sockaddr_in));
+ response = make_response((char *) rpkt->dat, rpkt->length);
memset(&s_name_data, 0, sizeof(s_name_data));
break;
}
@@ -1001,6 +984,7 @@
break;
}
}
+ return response;
}
@@ -1010,7 +994,7 @@
* client.
*/
-void
+static krb5_data *
kerb_err_reply(struct sockaddr_in *client, KTEXT pkt, long int err, char *string)
{
static KTEXT_ST e_pkt_st;
@@ -1021,9 +1005,7 @@
strncat(e_msg, string, sizeof(e_msg) - 1 - 19);
cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr,
req_time_ws, err, e_msg);
- krb4_sendto(f, (char *) e_pkt->dat, e_pkt->length, 0,
- (struct sockaddr *) client, sizeof (struct sockaddr_in));
-
+ return make_response((char *) e_pkt->dat, e_pkt->length);
}
static int
Index: src/kdc/network.c
===================================================================
--- src/kdc/network.c (revision 20192)
+++ src/kdc/network.c (working copy)
@@ -1,7 +1,7 @@
/*
* kdc/network.c
*
- * Copyright 1990,2000 by the Massachusetts Institute of Technology.
+ * Copyright 1990,2000,2007 by the Massachusetts Institute of Technology.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
@@ -747,6 +747,8 @@
com_err(prog, retval, "while dispatching (udp)");
return;
}
+ if (response == NULL)
+ return;
cc = sendto(port_fd, response->data, (socklen_t) response->length, 0,
(struct sockaddr *)&saddr, saddr_len);
if (cc == -1) {

75
krb5-CVE-2008-0947.patch
View File

@ -1,75 +0,0 @@
Patch from MITKRB5-SA-2008-002.
=== src/lib/rpc/svc.c
==================================================================
--- src/lib/rpc/svc.c (revision 1666)
+++ src/lib/rpc/svc.c (local)
@@ -109,15 +109,17 @@
if (sock < FD_SETSIZE) {
xports[sock] = xprt;
FD_SET(sock, &svc_fdset);
+ if (sock > svc_maxfd)
+ svc_maxfd = sock;
}
#else
if (sock < NOFILE) {
xports[sock] = xprt;
svc_fds |= (1 << sock);
+ if (sock > svc_maxfd)
+ svc_maxfd = sock;
}
#endif /* def FD_SETSIZE */
- if (sock > svc_maxfd)
- svc_maxfd = sock;
}
/*
=== src/lib/rpc/svc_tcp.c
==================================================================
--- src/lib/rpc/svc_tcp.c (revision 1666)
+++ src/lib/rpc/svc_tcp.c (local)
@@ -54,6 +54,14 @@
extern errno;
*/
+#ifndef FD_SETSIZE
+#ifdef NBBY
+#define NOFILE (sizeof(int) * NBBY)
+#else
+#define NOFILE (sizeof(int) * 8)
+#endif
+#endif
+
/*
* Ops vector for TCP/IP based rpc service handle
*/
@@ -215,6 +223,19 @@
register SVCXPRT *xprt;
register struct tcp_conn *cd;
+#ifdef FD_SETSIZE
+ if (fd >= FD_SETSIZE) {
+ (void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n");
+ xprt = NULL;
+ goto done;
+ }
+#else
+ if (fd >= NOFILE) {
+ (void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n");
+ xprt = NULL;
+ goto done;
+ }
+#endif
xprt = (SVCXPRT *)mem_alloc(sizeof(SVCXPRT));
if (xprt == (SVCXPRT *)NULL) {
(void) fprintf(stderr, "svc_tcp: makefd_xprt: out of memory\n");
@@ -271,6 +292,10 @@
* make a new transporter (re-uses xprt)
*/
xprt = makefd_xprt(sock, r->sendsize, r->recvsize);
+ if (xprt == NULL) {
+ close(sock);
+ return (FALSE);
+ }
xprt->xp_raddr = addr;
xprt->xp_addrlen = len;
xprt->xp_laddr = laddr;

157
krb5-CVE-2009-0844-0845-2.patch
View File

@ -1,157 +0,0 @@
diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index 832abe6..4384708 100644
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -54,8 +54,8 @@ typedef const gss_OID_desc *gss_OID_const;
/* der routines defined in libgss */
extern unsigned int gssint_der_length_size(OM_uint32);
-extern int gssint_get_der_length(unsigned char **, OM_uint32, OM_uint32*);
-extern int gssint_put_der_length(OM_uint32, unsigned char **, OM_uint32);
+extern int gssint_get_der_length(unsigned char **, OM_uint32, unsigned int*);
+extern int gssint_put_der_length(OM_uint32, unsigned char **, unsigned int);
/* private routines for spnego_mechanism */
@@ -1249,7 +1249,8 @@ spnego_gss_accept_sec_context(void *ct,
}
cleanup:
if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) {
- tmpret = make_spnego_tokenTarg_msg(negState, sc->internal_mech,
+ tmpret = make_spnego_tokenTarg_msg(negState,
+ sc ? sc->internal_mech : GSS_C_NO_OID,
&mechtok_out, mic_out,
return_token,
output_token);
@@ -1802,22 +1803,16 @@ static gss_buffer_t
get_input_token(unsigned char **buff_in, unsigned int buff_length)
{
gss_buffer_t input_token;
- unsigned int bytes;
+ unsigned int len;
- if (**buff_in != OCTET_STRING)
+ if (g_get_tag_and_length(buff_in, OCTET_STRING, buff_length, &len) < 0)
return (NULL);
- (*buff_in)++;
input_token = (gss_buffer_t)malloc(sizeof (gss_buffer_desc));
-
if (input_token == NULL)
return (NULL);
- input_token->length = gssint_get_der_length(buff_in, buff_length, &bytes);
- if ((int)input_token->length == -1) {
- free(input_token);
- return (NULL);
- }
+ input_token->length = len;
input_token->value = malloc(input_token->length);
if (input_token->value == NULL) {
@@ -1869,8 +1864,8 @@ get_mech_set(OM_uint32 *minor_status, unsigned char **buff_in,
{
gss_OID_set returned_mechSet;
OM_uint32 major_status;
- OM_uint32 length;
- OM_uint32 bytes;
+ int length;
+ unsigned int bytes;
OM_uint32 set_length;
unsigned char *start;
int i;
@@ -1882,22 +1877,25 @@ get_mech_set(OM_uint32 *minor_status, unsigned char **buff_in,
(*buff_in)++;
length = gssint_get_der_length(buff_in, buff_length, &bytes);
+ if (length < 0 || buff_length - bytes < (unsigned int)length)
+ return NULL;
major_status = gss_create_empty_oid_set(minor_status,
&returned_mechSet);
if (major_status != GSS_S_COMPLETE)
return (NULL);
- for (set_length = 0, i = 0; set_length < length; i++) {
+ for (set_length = 0, i = 0; set_length < (unsigned int)length; i++) {
gss_OID_desc *temp = get_mech_oid(minor_status, buff_in,
buff_length - (*buff_in - start));
- if (temp != NULL) {
- major_status = gss_add_oid_set_member(minor_status,
- temp, &returned_mechSet);
- if (major_status == GSS_S_COMPLETE) {
+ if (temp == NULL)
+ break;
+
+ major_status = gss_add_oid_set_member(minor_status,
+ temp, &returned_mechSet);
+ if (major_status == GSS_S_COMPLETE) {
set_length += returned_mechSet->elements[i].length +2;
generic_gss_release_oid(minor_status, &temp);
- }
}
}
@@ -2097,7 +2095,7 @@ get_negTokenResp(OM_uint32 *minor_status,
return GSS_S_DEFECTIVE_TOKEN;
if (*ptr++ == SEQUENCE) {
tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes);
- if (tmplen < 0)
+ if (tmplen < 0 || REMAIN < (unsigned int)tmplen)
return GSS_S_DEFECTIVE_TOKEN;
}
if (REMAIN < 1)
@@ -2107,7 +2105,7 @@ get_negTokenResp(OM_uint32 *minor_status,
if (tag == CONTEXT) {
tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes);
- if (tmplen < 0)
+ if (tmplen < 0 || REMAIN < (unsigned int)tmplen)
return GSS_S_DEFECTIVE_TOKEN;
if (g_get_tag_and_length(&ptr, ENUMERATED,
@@ -2128,7 +2126,7 @@ get_negTokenResp(OM_uint32 *minor_status,
}
if (tag == (CONTEXT | 0x01)) {
tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes);
- if (tmplen < 0)
+ if (tmplen < 0 || REMAIN < (unsigned int)tmplen)
return GSS_S_DEFECTIVE_TOKEN;
*supportedMech = get_mech_oid(minor_status, &ptr, REMAIN);
@@ -2142,7 +2140,7 @@ get_negTokenResp(OM_uint32 *minor_status,
}
if (tag == (CONTEXT | 0x02)) {
tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes);
- if (tmplen < 0)
+ if (tmplen < 0 || REMAIN < (unsigned int)tmplen)
return GSS_S_DEFECTIVE_TOKEN;
*responseToken = get_input_token(&ptr, REMAIN);
@@ -2156,7 +2154,7 @@ get_negTokenResp(OM_uint32 *minor_status,
}
if (tag == (CONTEXT | 0x03)) {
tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes);
- if (tmplen < 0)
+ if (tmplen < 0 || REMAIN < (unsigned int)tmplen)
return GSS_S_DEFECTIVE_TOKEN;
*mechListMIC = get_input_token(&ptr, REMAIN);
@@ -2464,6 +2462,8 @@ make_spnego_tokenTarg_msg(OM_uint32 status, gss_OID mech_wanted,
if (outbuf == GSS_C_NO_BUFFER)
return (GSS_S_DEFECTIVE_TOKEN);
+ if (sendtoken == INIT_TOKEN_SEND && mech_wanted == GSS_C_NO_OID)
+ return (GSS_S_DEFECTIVE_TOKEN);
outbuf->length = 0;
outbuf->value = NULL;
@@ -2715,7 +2715,7 @@ g_get_tag_and_length(unsigned char **buf, int tag,
&encoded_len);
if (tmplen < 0) {
ret = -1;
- } else if (tmplen > buflen - (ptr - *buf)) {
+ } else if ((unsigned int)tmplen > buflen - (ptr - *buf)) {
ret = -1;
} else
ret = 0;

39
krb5-CVE-2009-0846.patch
View File

@ -1,39 +0,0 @@
diff --git a/src/lib/krb5/asn.1/asn1_decode.c b/src/lib/krb5/asn.1/asn1_decode.c
index aa4be32..5f7461d 100644
--- a/src/lib/krb5/asn.1/asn1_decode.c
+++ b/src/lib/krb5/asn.1/asn1_decode.c
@@ -231,6 +231,7 @@ asn1_error_code asn1_decode_generaltime(asn1buf *buf, time_t *val)
if(length != 15) return ASN1_BAD_LENGTH;
retval = asn1buf_remove_charstring(buf,15,&s);
+ if (retval) return retval;
/* Time encoding: YYYYMMDDhhmmssZ */
if(s[14] != 'Z') {
free(s);
diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c
index 0ff9343..1c427d1 100644
--- a/src/tests/asn.1/krb5_decode_test.c
+++ b/src/tests/asn.1/krb5_decode_test.c
@@ -485,6 +485,22 @@ int main(argc, argv)
ktest_destroy_keyblock(&(ref.subkey));
ref.seq_number = 0;
decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part);
+
+ retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40");
+ if (retval) {
+ com_err("krb5_decode_test", retval, "while parsing");
+ exit(1);
+ }
+ retval = decode_krb5_ap_rep_enc_part(&code, &var);
+ if (retval != ASN1_OVERRUN) {
+ printf("ERROR: ");
+ } else {
+ printf("OK: ");
+ }
+ printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n");
+ krb5_free_data_contents(test_context, &code);
+ if (var) krb5_free_ap_rep_enc_part(test_context, var);
+
ktest_empty_ap_rep_enc_part(&ref);
}

34
krb5-CVE-2009-0847.patch
View File

@ -1,34 +0,0 @@
diff --git a/src/lib/krb5/asn.1/asn1buf.c b/src/lib/krb5/asn.1/asn1buf.c
index 8baac24..587cccc 100644
--- a/src/lib/krb5/asn.1/asn1buf.c
+++ b/src/lib/krb5/asn.1/asn1buf.c
@@ -78,11 +78,11 @@ asn1_error_code asn1buf_wrap_data(asn1buf *buf, const krb5_data *code)
asn1_error_code asn1buf_imbed(asn1buf *subbuf, const asn1buf *buf, const unsigned int length, const int indef)
{
+ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
subbuf->base = subbuf->next = buf->next;
if (!indef) {
+ if (length > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;
subbuf->bound = subbuf->base + length - 1;
- if (subbuf->bound > buf->bound)
- return ASN1_OVERRUN;
} else /* constructed indefinite */
subbuf->bound = buf->bound;
return 0;
@@ -200,6 +200,7 @@ asn1_error_code asn1buf_remove_octetstring(asn1buf *buf, const unsigned int len,
{
int i;
+ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
if (len == 0) {
*s = 0;
@@ -218,6 +219,7 @@ asn1_error_code asn1buf_remove_charstring(asn1buf *buf, const unsigned int len,
{
int i;
+ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
if (len == 0) {
*s = 0;

95
krb5-MITKRB5SA-2005-001.patch
View File

@ -1,95 +0,0 @@
Index: telnet.c
===================================================================
RCS file: /cvs/krbdev/krb5/src/appl/telnet/telnet/telnet.c,v
retrieving revision 5.18
diff -c -r5.18 telnet.c
*** telnet.c 15 Nov 2002 20:21:35 -0000 5.18
- --- telnet.c 15 Mar 2005 18:59:32 -0000
***************
*** 1475,1480 ****
- --- 1475,1482 ----
unsigned char flags;
cc_t value;
{
+ if ((slc_replyp - slc_reply) + 6 > sizeof(slc_reply))
+ return;
if ((*slc_replyp++ = func) == IAC)
*slc_replyp++ = IAC;
if ((*slc_replyp++ = flags) == IAC)
***************
*** 1488,1498 ****
{
register int len;
- - *slc_replyp++ = IAC;
- - *slc_replyp++ = SE;
len = slc_replyp - slc_reply;
! if (len <= 6)
return;
if (NETROOM() > len) {
ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply);
printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
- --- 1490,1501 ----
{
register int len;
len = slc_replyp - slc_reply;
! if (len <= 4 || (len + 2 > sizeof(slc_reply)))
return;
+ *slc_replyp++ = IAC;
+ *slc_replyp++ = SE;
+ len += 2;
if (NETROOM() > len) {
ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply);
printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2);
***************
*** 1645,1650 ****
- --- 1648,1654 ----
register unsigned char *ep;
{
register unsigned char *vp, c;
+ unsigned int len, olen, elen;
if (opt_reply == NULL) /*XXX*/
return; /*XXX*/
***************
*** 1662,1680 ****
return;
}
vp = env_getvalue(ep);
! if (opt_replyp + (vp ? strlen((char *)vp) : 0) +
! strlen((char *)ep) + 6 > opt_replyend)
{
! register unsigned int len;
! opt_replyend += OPT_REPLY_SIZE;
! len = opt_replyend - opt_reply;
opt_reply = (unsigned char *)realloc(opt_reply, len);
if (opt_reply == NULL) {
/*@*/ printf("env_opt_add: realloc() failed!!!\n");
opt_reply = opt_replyp = opt_replyend = NULL;
return;
}
! opt_replyp = opt_reply + len - (opt_replyend - opt_replyp);
opt_replyend = opt_reply + len;
}
if (opt_welldefined((char *) ep))
- --- 1666,1684 ----
return;
}
vp = env_getvalue(ep);
! elen = 2 * (vp ? strlen((char *)vp) : 0) +
! 2 * strlen((char *)ep) + 6;
! if ((opt_replyend - opt_replyp) < elen)
{
! len = opt_replyend - opt_reply + elen;
! olen = opt_replyp - opt_reply;
opt_reply = (unsigned char *)realloc(opt_reply, len);
if (opt_reply == NULL) {
/*@*/ printf("env_opt_add: realloc() failed!!!\n");
opt_reply = opt_replyp = opt_replyend = NULL;
return;
}
! opt_replyp = opt_reply + olen;
opt_replyend = opt_reply + len;
}
if (opt_welldefined((char *) ep))

22
krb5-any-fixup-patch.txt
View File

@ -1,22 +0,0 @@
Index: kt_srvtab.c
===================================================================
RCS file: /afs/dev.mit.edu/source/repository/third/krb5/src/lib/krb5/keytab/kt_srvtab.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- kt_srvtab.c 27 Feb 2004 04:00:00 -0000 1.1.1.1
+++ kt_srvtab.c 27 Feb 2004 09:56:29 -0000 1.2
@@ -117,13 +117,6 @@
krb5_ktsrvtab_resolve(krb5_context context, const char *name, krb5_keytab *id)
{
krb5_ktsrvtab_data *data;
- FILE *fp;
-
- /* Make sure we can open the srvtab file for reading. */
- fp = fopen(name, "r");
- if (!fp)
- return(errno);
- fclose(fp);
if ((*id = (krb5_keytab) malloc(sizeof(**id))) == NULL)
return(ENOMEM);

152
krb5-ok-as-delegate.patch
View File

@ -1,152 +0,0 @@
This appears to be the minimum needed to be able to set the OK-AS-DELEGATE
flag on an entry using kadmin, and to have the flag propagate back to clients
from the KDC. Note: this affects the KDB storage format, so this MUST NOT be
used until it's in upstream's tree. RT#5596.
Index: doc/admin.texinfo
===================================================================
--- doc/admin.texinfo (revision 19683)
+++ doc/admin.texinfo (working copy)
@@ -2758,6 +2758,13 @@
@samp{KRB5_KDB_REQURES_HW_AUTH} flag.) @code{-requires_hwauth} clears
this flag.
+@itemx @{-|+@}ok_as_delegate
+@code{+ok_as_delegate} sets the OK-AS-DELEGATE flag on tickets issued for use
+with this principal as the service, which clients may use as a hint that
+credentials can and should be delegated when authenticating to the service.
+(Sets the @samp{KRB5_KDB_OK_AS_DELEGATE} flag.) @code{-ok_as_delegate} clears
+this flag.
+
@itemx @{-|+@}allow_svr
@code{-allow_svr} prohibits the issuance of service tickets for principals. (Sets the @samp{KRB5_KDB_DISALLOW_SVR} flag.) @code{+allow_svr} clears this flag.
Index: src/include/kdb.h
===================================================================
--- src/include/kdb.h (revision 19683)
+++ src/include/kdb.h (working copy)
@@ -79,6 +79,7 @@
#define KRB5_KDB_PWCHANGE_SERVICE 0x00002000
#define KRB5_KDB_SUPPORT_DESMD5 0x00004000
#define KRB5_KDB_NEW_PRINC 0x00008000
+#define KRB5_KDB_OK_AS_DELEGATE 0x00010000
/* Creation flags */
#define KRB5_KDB_CREATE_BTREE 0x00000001
Index: src/kdc/do_tgs_req.c
===================================================================
--- src/kdc/do_tgs_req.c (revision 19683)
+++ src/kdc/do_tgs_req.c (working copy)
@@ -533,6 +533,10 @@
goto cleanup;
}
+ if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE)) {
+ setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
+ }
+
ticket_reply.enc_part2 = &enc_tkt_reply;
/*
Index: src/kdc/do_as_req.c
===================================================================
--- src/kdc/do_as_req.c (revision 19683)
+++ src/kdc/do_as_req.c (working copy)
@@ -257,6 +257,10 @@
enc_tkt_reply.caddrs = request->addresses;
enc_tkt_reply.authorization_data = 0;
+ if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE)) {
+ setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
+ }
+
/*
* Check the preauthentication if it is there.
*/
Index: src/kadmin/cli/kadmin.c
===================================================================
--- src/kadmin/cli/kadmin.c (revision 19683)
+++ src/kadmin/cli/kadmin.c (working copy)
@@ -65,7 +65,8 @@
{"needchange", 10, KRB5_KDB_REQUIRES_PWCHANGE, 0},
{"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1},
{"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 },
-{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 }
+{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 },
+{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 }
};
static char *prflags[] = {
@@ -85,6 +86,7 @@
"PWCHANGE_SERVICE", /* 0x00002000 */
"SUPPORT_DESMD5", /* 0x00004000 */
"NEW_PRINC", /* 0x00008000 */
+ "OK_AS_DELEGATE" /* 0x00010000 */
};
char *getenv();
@@ -1101,6 +1103,7 @@
"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
"\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+ "\t\tok_as_delegate\n"
"\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
"\t\t\tLook at each database documentation for supported arguments\n");
}
@@ -1117,6 +1120,7 @@
"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
"\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+ "\t\tok_as_delegate\n"
"\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
"\t\t\tLook at each database documentation for supported arguments\n"
);
Index: src/kadmin/cli/kadmin.M
===================================================================
--- src/kadmin/cli/kadmin.M (revision 19683)
+++ src/kadmin/cli/kadmin.M (working copy)
@@ -327,6 +327,16 @@
.B -requires_hwauth
clears this flag.
.TP
+{\fB\-\fP|\fB+\fP}\fBok_as_delegate\fP
+.B +ok_as_delegate
+sets the OK-AS-DELEGATE flag on tickets issued for use with this principal
+as the service, which clients may use as a hint that credentials can and
+should be delegated when authenticating to the service. (Sets the
+.SM KRB5_KDB_OK_AS_DELEGATE
+flag.)
+.B -ok_as_delegate
+clears this flag.
+.TP
{\fB\-\fP|\fB+\fP}\fBallow_svr\fP
.B -allow_svr
prohibits the issuance of service tickets for this principal. (Sets the
Index: src/lib/kadm5/str_conv.c
===================================================================
--- src/lib/kadm5/str_conv.c (revision 19683)
+++ src/lib/kadm5/str_conv.c (working copy)
@@ -73,6 +73,7 @@
static const char flags_tickets_in[] = "allow-tickets";
static const char flags_preauth_in[] = "preauth";
static const char flags_hwauth_in[] = "hwauth";
+static const char flags_ok_as_delegate_in[] = "ok-as-delegate";
static const char flags_pwchange_in[] = "pwchange";
static const char flags_service_in[] = "service";
static const char flags_pwsvc_in[] = "pwservice";
@@ -86,6 +87,7 @@
static const char flags_tickets_out[] = "All Tickets Disallowed";
static const char flags_preauth_out[] = "Preauthorization required";
static const char flags_hwauth_out[] = "HW Authorization required";
+static const char flags_ok_as_delegate_out[] = "OK as Delegate";
static const char flags_pwchange_out[] = "Password Change required";
static const char flags_service_out[] = "Service Disabled";
static const char flags_pwsvc_out[] = "Password Changing Service";
@@ -109,6 +111,7 @@
{ KRB5_KDB_DISALLOW_ALL_TIX, 0, flags_tickets_in, flags_tickets_out },
{ KRB5_KDB_REQUIRES_PRE_AUTH, 1, flags_preauth_in, flags_preauth_out },
{ KRB5_KDB_REQUIRES_HW_AUTH, 1, flags_hwauth_in, flags_hwauth_out },
+{ KRB5_KDB_OK_AS_DELEGATE, 1, flags_ok_as_delegate_in, flags_ok_as_delegate_out },
{ KRB5_KDB_REQUIRES_PWCHANGE, 1, flags_pwchange_in, flags_pwchange_out},
{ KRB5_KDB_DISALLOW_SVR, 0, flags_service_in, flags_service_out },
{ KRB5_KDB_PWCHANGE_SERVICE, 1, flags_pwsvc_in, flags_pwsvc_out },

19
krb5-trunk-close-err.patch
View File

@ -1,19 +0,0 @@
Check for errors returned by close(), which is when we notice out-of-space
errors on NFS. Patch by Tomas Smetana. RT#6399
Index: src/appl/bsd/krcp.c
===================================================================
--- src/appl/bsd/krcp.c (revision 22038)
+++ src/appl/bsd/krcp.c (working copy)
@@ -1115,7 +1115,10 @@
wrerr++;
if (ftruncate(of, size))
error("rcp: can't truncate %s: %s\n", nambuf, error_message(errno));
- (void) close(of);
+ if (close(of) != 0)
+ {
+ error("rcp: error closing %s: %s\n", nambuf, error_message(errno));
+ }
(void) response();
if (setimes) {
setimes = 0;

18
krb5-trunk-doublelog.patch
View File

@ -1,18 +0,0 @@
Don't double-log (actually, don't process /etc/krb5.conf twice) just
because we built with --sysconfdir=/etc. RT#3277
Index: src/include/Makefile.in
===================================================================
--- src/include/Makefile.in (revision 20235)
+++ src/include/Makefile.in (working copy)
@@ -61,7 +61,9 @@
-e "s+@SBINDIR+$(SBINDIR)+" \
-e "s+@MODULEDIR+$(MODULE_DIR)+" \
-e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \
- -e 's+@SYSCONFDIR+$(SYSCONFDIR)+'
+ -e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \
+ -e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \
+ -e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+'
OSCONFSRC = $(srcdir)/stock/osconf.h

12
krb5-trunk-ksu-typo.patch
View File

@ -1,12 +0,0 @@
Marek Marut, RT #6472.
--- krb5/src/clients/ksu/krb_auth_su.c 2009-04-21 13:34:03.000000000 -0400
+++ krb5/src/clients/ksu/krb_auth_su.c 2009-04-21 13:34:10.000000000 -0400
@@ -185,7 +185,7 @@ krb5_boolean krb5_auth_check(context, cl
if ((retval = krb5_get_cred_from_kdc(context, cc, &in_creds,
&out_creds, &tgts))){
- com_err(prog_name, retval, "while geting credentials from kdc");
+ com_err(prog_name, retval, "while getting credentials from kdc");
return (FALSE);
}

48
krb5-trunk-preauth-master.patch
View File

@ -1,48 +0,0 @@
Assume that KRB5_PREAUTH_FAILED is subject to propagation delay between the
master and replicas (this error is only returned when ENC_TIMESTAMP fails),
and if we get a key-expired error right after changing the password, try
again against the master KDC. RT#6108
Index: src/lib/krb5/krb/gic_pwd.c
===================================================================
--- src/lib/krb5/krb/gic_pwd.c (revision 20704)
+++ src/lib/krb5/krb/gic_pwd.c (working copy)
@@ -147,10 +147,10 @@
goto cleanup;
/* If all the kdc's are unavailable, or if the error was due to a
- user interrupt, or preauth errored out, fail */
+ user interrupt, or preauth errored out against the master, fail */
if ((ret == KRB5_KDC_UNREACH) ||
- (ret == KRB5_PREAUTH_FAILED) ||
+ ((ret == KRB5_PREAUTH_FAILED) && use_master) ||
(ret == KRB5_LIBOS_PWDINTR) ||
(ret == KRB5_REALM_CANT_RESOLVE))
goto cleanup;
@@ -320,6 +320,25 @@
krb5_get_as_key_password, (void *) &pw0,
&use_master, &as_reply);
+ if ((ret != KRB5KDC_ERR_KEY_EXP) || use_master)
+ goto cleanup;
+ else {
+ /* Okay, we *just* changed the password. Retry against a master KDC,
+ * because either the non-master's using outdated data or the admin
+ * has set an impossibly low maximum password lifetime. */
+ use_master = 1;
+ ret2 = krb5_get_init_creds(context, creds, client, prompter, data,
+ start_time, in_tkt_service, opte,
+ krb5_get_as_key_password, (void *) &pw0,
+ &use_master, &as_reply);
+ if ((ret2 != KRB5_KDC_UNREACH) &&
+ (ret2 != KRB5_REALM_CANT_RESOLVE) &&
+ (ret2 != KRB5_REALM_UNKNOWN))
+ ret = ret2;
+ else
+ use_master = 0;
+ }
+
cleanup:
krb5int_set_prompt_types(context, 0);
/* if getting the password was successful, then check to see if the

49
krb5-trunk-seqnum.patch
View File

@ -1,49 +0,0 @@
Every KRB-PRIV message we generate to include as part of a password change
request we create (after the first one) will include sequence numbers which
look "wrong" to the recipient, because previously generating other KRB-PRIV
messages will mess with the counters in the auth_context. Because the
current code attempts to reuse auth_context structures (and changing that
would be more invasive), we'll just save the sequence number values as they
are after we build the AP-REQ, and restore them before generating requests.
RT#5867.
Index: src/lib/krb5/os/changepw.c
===================================================================
--- src/lib/krb5/os/changepw.c (revision 20195)
+++ src/lib/krb5/os/changepw.c (working copy)
@@ -34,6 +34,7 @@
#include "k5-int.h"
#include "os-proto.h"
#include "cm.h"
+#include "../krb/auth_con.h"
#include <stdio.h>
#include <errno.h>
@@ -48,6 +49,7 @@
krb5_principal set_password_for;
char *newpw;
krb5_data ap_req;
+ krb5_ui_4 remote_seq_num, local_seq_num;
};
@@ -159,6 +161,9 @@
&local_kaddr, NULL)))
goto cleanup;
+ ctx->auth_context->remote_seq_number = ctx->remote_seq_num;
+ ctx->auth_context->local_seq_number = ctx->local_seq_num;
+
if (ctx->set_password_for)
code = krb5int_mk_setpw_req(ctx->context,
ctx->auth_context,
@@ -225,6 +230,9 @@
&callback_ctx.ap_req)))
goto cleanup;
+ callback_ctx.remote_seq_num = callback_ctx.auth_context->remote_seq_number;
+ callback_ctx.local_seq_num = callback_ctx.auth_context->local_seq_number;
+
do {
if ((code = krb5_locate_kpasswd(callback_ctx.context,
krb5_princ_realm(callback_ctx.context,

44
krb5-trunk-spnego_delegation.patch
View File

@ -1,44 +0,0 @@
An spnego credential is itself a union credential, so search through it
when we're looking for credentials of a mechanism which may already have
been wrapped by spnego. RT #5807.
Index: src/lib/gssapi/mechglue/g_glue.c
===================================================================
--- src/lib/gssapi/mechglue/g_glue.c (revision 20093)
+++ src/lib/gssapi/mechglue/g_glue.c (working copy)
@@ -33,6 +33,8 @@
#define MSO_BIT (8*(sizeof (int) - 1)) /* Most significant octet bit */
extern gss_mechanism *gssint_mechs_array;
+#define SPNEGO_OID_LENGTH 6
+#define SPNEGO_OID "\053\006\001\005\005\002"
/*
* This file contains the support routines for the glue layer.
@@ -548,6 +550,8 @@
gss_OID mech_type;
{
int i;
+ gss_union_cred_t spnego_cred;
+ gss_cred_id_t mech_cred;
if (union_cred == GSS_C_NO_CREDENTIAL)
return GSS_C_NO_CREDENTIAL;
@@ -555,6 +559,17 @@
for (i=0; i < union_cred->count; i++) {
if (g_OID_equal(mech_type, &union_cred->mechs_array[i]))
return union_cred->cred_array[i];
+
+ /* if this is an spnego credential, search its contents */
+ if ((union_cred->mechs_array[i].length == SPNEGO_OID_LENGTH) &&
+ (memcmp(union_cred->mechs_array[i].elements,
+ SPNEGO_OID,
+ SPNEGO_OID_LENGTH) == 0)) {
+ spnego_cred = union_cred->cred_array[i];
+ mech_cred = gssint_get_mechanism_cred(spnego_cred, mech_type);
+ if (mech_cred != GSS_C_NO_CREDENTIAL)
+ return mech_cred;
+ }
}
return GSS_C_NO_CREDENTIAL;
}

59
krb5.spec
View File

@ -10,7 +10,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.7
Release: 0%{?dist}
Release: 1%{?dist}
# Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7-signed.tar
Source0: krb5-%{version}.tar.gz
@ -57,17 +57,11 @@ Patch26: krb5-1.3.2-efence.patch
Patch27: krb5-1.7-rcp-sendlarge.patch
Patch29: krb5-1.7-kprop-mktemp.patch
Patch30: krb5-1.3.4-send-pr-tempfile.patch
Patch32: krb5-1.4-ncurses.patch
Patch33: krb5-1.7-io.patch
Patch35: krb5-1.5-fclose.patch
Patch36: krb5-1.7-rcp-markus.patch
Patch39: krb5-1.7-api.patch
Patch40: krb5-1.4.1-telnet-environ.patch
Patch41: krb5-1.6.3-login-lpass.patch
Patch44: krb5-1.4.3-enospc.patch
Patch47: krb5-1.6-sort-of-static.patch
Patch51: krb5-1.6-ldap-init.patch
Patch52: krb5-1.6-ldap-man.patch
Patch53: krb5-1.7-nodeplibs.patch
Patch55: krb5-1.6.1-empty.patch
Patch56: krb5-1.7-doublelog.patch
@ -77,24 +71,11 @@ Patch59: krb5-trunk-kpasswd_tcp.patch
Patch60: krb5-1.7-pam.patch
Patch61: krb5-trunk-manpaths.patch
Patch63: krb5-1.7-selinux-label.patch
Patch64: krb5-ok-as-delegate.patch
Patch68: krb5-trunk-spnego_delegation.patch
Patch69: krb5-trunk-seqnum.patch
Patch70: krb5-trunk-kpasswd_tcp2.patch
Patch71: krb5-1.7-dirsrv-accountlock.patch
Patch72: krb5-1.6.3-ftp_fdleak.patch
Patch73: krb5-1.6.3-ftp_glob_runique.patch
Patch74: krb5-CVE-2008-0062,0063.patch
Patch75: krb5-CVE-2008-0947.patch
Patch76: krb5-CVE-2007-5901.patch
Patch77: krb5-CVE-2007-5971.patch
Patch78: krb5-1.6.3-lucid-acceptor.patch
Patch79: krb5-trunk-ftp_mget_case.patch
Patch80: krb5-trunk-preauth-master.patch
Patch82: krb5-CVE-2009-0844-0845-2.patch
Patch83: krb5-CVE-2009-0846.patch
Patch84: krb5-CVE-2009-0847.patch
Patch85: krb5-trunk-ksu-typo.patch
Patch86: krb5-1.7-time_t_size.patch
License: MIT
@ -224,7 +205,7 @@ to obtain initial credentials from a KDC using a private key and a
certificate.
%changelog
* Tue Jun 2 2009 Nalin Dahyabhai <nalin@redhat.com> 1.7-1
* Thu Jun 4 2009 Nalin Dahyabhai <nalin@redhat.com> 1.7-1
- update to 1.7
- no need to work around build issues with ASN1BUF_OMIT_INLINE_FUNCS
- configure recognizes --enable/--disable-pkinit now
@ -1416,58 +1397,22 @@ popd
%patch27 -p1 -b .rcp-sendlarge
%patch29 -p1 -b .kprop-mktemp
%patch30 -p1 -b .send-pr-tempfile
# Unneeded
# %patch32 -p1 -b .ncurses
%patch33 -p1 -b .io
# Upstream
# %patch35 -p1 -b .fclose
%patch36 -p1 -b .rcp-markus
%patch39 -p1 -b .api
%patch40 -p1 -b .telnet-environ
%patch41 -p1 -b .login-lpass
# No longer needed -- improved error-reporting should take care of this.
# %patch44 -p1 -b .enospc
# Upstream
# %patch51 -p0 -b .ldap_init
# Upstream
# %patch52 -p0 -b .ldap_man
%patch53 -p1 -b .nodeplibs
#%patch55 -p1 -b .empty
%patch56 -p1 -b .doublelog
#%patch57 -p1 -b .login_chdir
%patch58 -p1 -b .key_exp
%patch59 -p0 -b .kpasswd_tcp
# Upstream, more or less.
# %patch64 -p0 -b .ok-as-delegate
# Upstream, different patch.
# %patch68 -p0 -b .spnego_delegation
# Upstream
# %patch69 -p0 -b .seqnum
#%patch70 -p0 -b .kpasswd_tcp2
%patch71 -p1 -b .dirsrv-accountlock
%patch72 -p1 -b .ftp_fdleak
%patch73 -p1 -b .ftp_glob_runique
# Upstream
# %patch74 -p0 -b .2008-0062,0063
# Upstream
# %patch75 -p0 -b .2008-0947
# Upstream
# %patch76 -p0 -b .2007-5901
# Upstream
# %patch77 -p0 -b .2007-5971
# Was a backport.
# %patch78 -p0 -b .lucid_acceptor
%patch79 -p0 -b .ftp_mget_case
# Upstream
# %patch80 -p0 -b .preauth_master
# Upstream
# %patch82 -p1 -b .CVE-2009-0844-0845-2
# Upstream
# %patch83 -p1 -b .CVE-2009-0846
# Upstream
# %patch84 -p1 -b .CVE-2009-0847
# Upstream
# %patch85 -p1 -b .ksu-typo
%patch86 -p1 -b .time_t_size
gzip doc/*.ps