diff --git a/.cvsignore b/.cvsignore index 8353788..998bcd1 100644 --- a/.cvsignore +++ b/.cvsignore @@ -25,3 +25,6 @@ krb5-1.6.2-pdf.tar.gz krb5-1.6.3.tar.gz krb5-1.6.3.tar.gz.asc krb5-1.6.3-pdf.tar.gz +krb5-1.7.tar.gz +krb5-1.7.tar.gz.asc +krb5-1.7-pdf.tar.gz diff --git a/2004-002-dblfree_patch.txt b/2004-002-dblfree_patch.txt deleted file mode 100644 index 2703b0f..0000000 --- a/2004-002-dblfree_patch.txt +++ /dev/null @@ -1,268 +0,0 @@ -Index: src/clients/klist/klist.c -=================================================================== -RCS file: /cvs/krbdev/krb5/src/clients/klist/klist.c,v -retrieving revision 5.63 -diff -c -r5.63 klist.c -*** src/clients/klist/klist.c 11 Apr 2002 03:21:46 -0000 5.63 ---- src/clients/klist/klist.c 23 Aug 2004 03:37:26 -0000 -*************** -*** 614,619 **** ---- 614,622 ---- - - if (show_etype) { - retval = krb5_decode_ticket(&cred->ticket, &tkt); -+ if (retval) -+ goto err_tkt; -+ - if (!extra_field) - fputs("\t",stdout); - else -*************** -*** 622,629 **** - etype_string(cred->keyblock.enctype)); - printf("%s ", - etype_string(tkt->enc_part.enctype)); -- krb5_free_ticket(kcontext, tkt); - extra_field++; - } - - /* if any additional info was printed, extra_field is non-zero */ ---- 625,635 ---- - etype_string(cred->keyblock.enctype)); - printf("%s ", - etype_string(tkt->enc_part.enctype)); - extra_field++; -+ -+ err_tkt: -+ if (tkt != NULL) -+ krb5_free_ticket(kcontext, tkt); - } - - /* if any additional info was printed, extra_field is non-zero */ -Index: src/krb524/krb524d.c -=================================================================== -RCS file: /cvs/krbdev/krb5/src/krb524/krb524d.c,v -retrieving revision 1.55.2.3 -diff -c -r1.55.2.3 krb524d.c -*** src/krb524/krb524d.c 28 May 2003 04:06:31 -0000 1.55.2.3 ---- src/krb524/krb524d.c 23 Aug 2004 03:37:26 -0000 -*************** -*** 582,589 **** - printf("v4 credentials encoded\n"); - - error: -! if (v5tkt->enc_part2) - krb5_free_enc_tkt_part(context, v5tkt->enc_part2); - - if(v5_service_key.contents) - krb5_free_keyblock_contents(context, &v5_service_key); ---- 582,591 ---- - printf("v4 credentials encoded\n"); - - error: -! if (v5tkt->enc_part2) { - krb5_free_enc_tkt_part(context, v5tkt->enc_part2); -+ v5tkt->enc_part2 = NULL; -+ } - - if(v5_service_key.contents) - krb5_free_keyblock_contents(context, &v5_service_key); -Index: src/lib/krb5/asn.1/asn1buf.c -=================================================================== -RCS file: /cvs/krbdev/krb5/src/lib/krb5/asn.1/asn1buf.c,v -retrieving revision 5.24 -diff -c -r5.24 asn1buf.c -*** src/lib/krb5/asn.1/asn1buf.c 12 Mar 2003 04:33:30 -0000 5.24 ---- src/lib/krb5/asn.1/asn1buf.c 23 Aug 2004 03:37:27 -0000 -*************** -*** 255,260 **** ---- 255,261 ---- - (*code)->data = (char*)malloc((((*code)->length)+1)*sizeof(char)); - if ((*code)->data == NULL) { - free(*code); -+ *code = NULL; - return ENOMEM; - } - for(i=0; i < (*code)->length; i++) -Index: src/lib/krb5/asn.1/krb5_decode.c -=================================================================== -RCS file: /cvs/krbdev/krb5/src/lib/krb5/asn.1/krb5_decode.c,v -retrieving revision 5.40.2.5 -diff -c -r5.40.2.5 krb5_decode.c -*** src/lib/krb5/asn.1/krb5_decode.c 10 Oct 2003 23:57:38 -0000 5.40.2.5 ---- src/lib/krb5/asn.1/krb5_decode.c 23 Aug 2004 03:37:27 -0000 -*************** -*** 183,190 **** - #define cleanup(cleanup_routine)\ - return 0; \ - error_out: \ -! if (rep && *rep) \ - cleanup_routine(*rep); \ - return retval; - - #define cleanup_none()\ ---- 183,192 ---- - #define cleanup(cleanup_routine)\ - return 0; \ - error_out: \ -! if (rep && *rep) { \ - cleanup_routine(*rep); \ -+ *rep = NULL; \ -+ } \ - return retval; - - #define cleanup_none()\ -*************** -*** 233,238 **** ---- 235,241 ---- - free_field(*rep,checksum); - free_field(*rep,client); - free(*rep); -+ *rep = NULL; - } - return retval; - } -*************** -*** 254,260 **** - { begin_structure(); - { krb5_kvno kvno; - get_field(kvno,0,asn1_decode_kvno); -! if(kvno != KVNO) return KRB5KDC_ERR_BAD_PVNO; - } - alloc_field((*rep)->server,krb5_principal_data); - get_field((*rep)->server,1,asn1_decode_realm); ---- 257,263 ---- - { begin_structure(); - { krb5_kvno kvno; - get_field(kvno,0,asn1_decode_kvno); -! if(kvno != KVNO) clean_return(KRB5KDC_ERR_BAD_PVNO); - } - alloc_field((*rep)->server,krb5_principal_data); - get_field((*rep)->server,1,asn1_decode_realm); -*************** -*** 268,273 **** ---- 271,277 ---- - if (rep && *rep) { - free_field(*rep,server); - free(*rep); -+ *rep = NULL; - } - return retval; - } -*************** -*** 320,325 **** ---- 324,330 ---- - free_field(*rep,session); - free_field(*rep,client); - free(*rep); -+ *rep = NULL; - } - return retval; - } -*************** -*** 403,408 **** ---- 408,414 ---- - if (rep && *rep) { - free_field(*rep,ticket); - free(*rep); -+ *rep = NULL; - } - return retval; - } -*************** -*** 451,456 **** ---- 457,463 ---- - if (rep && *rep) { - free_field(*rep,subkey); - free(*rep); -+ *rep = NULL; - } - return retval; - } -*************** -*** 556,561 **** ---- 563,569 ---- - if (rep && *rep) { - free_field(*rep,checksum); - free(*rep); -+ *rep = NULL; - } - return retval; - } -*************** -*** 614,619 **** ---- 622,628 ---- - free_field(*rep,r_address); - free_field(*rep,s_address); - free(*rep); -+ *rep = NULL; - } - return retval; - } -*************** -*** 668,673 **** ---- 677,683 ---- - free_field(*rep,r_address); - free_field(*rep,s_address); - free(*rep); -+ *rep = NULL; - } - return retval; - } -*************** -*** 713,718 **** ---- 723,729 ---- - free_field(*rep,server); - free_field(*rep,client); - free(*rep); -+ *rep = NULL; - } - return retval; - } -Index: src/lib/krb5/krb/rd_rep.c -=================================================================== -RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/rd_rep.c,v -retrieving revision 5.33.2.2 -diff -c -r5.33.2.2 rd_rep.c -*** src/lib/krb5/krb/rd_rep.c 14 Jun 2003 00:09:47 -0000 5.33.2.2 ---- src/lib/krb5/krb/rd_rep.c 23 Aug 2004 03:37:27 -0000 -*************** -*** 71,76 **** ---- 71,78 ---- - - /* now decode the decrypted stuff */ - retval = decode_krb5_ap_rep_enc_part(&scratch, repl); -+ if (retval) -+ goto clean_scratch; - - /* Check reply fields */ - if (((*repl)->ctime != auth_context->authentp->ctime) || -Index: src/lib/krb5/krb/send_tgs.c -=================================================================== -RCS file: /cvs/krbdev/krb5/src/lib/krb5/krb/send_tgs.c,v -retrieving revision 5.55.2.1 -diff -c -r5.55.2.1 send_tgs.c -*** src/lib/krb5/krb/send_tgs.c 13 May 2004 19:27:59 -0000 5.55.2.1 ---- src/lib/krb5/krb/send_tgs.c 23 Aug 2004 03:37:27 -0000 -*************** -*** 269,274 **** ---- 269,276 ---- - if (!tcp_only) { - krb5_error *err_reply; - retval = decode_krb5_error(&rep->response, &err_reply); -+ if (retval) -+ goto send_tgs_error_3; - if (err_reply->error == KRB_ERR_RESPONSE_TOO_BIG) { - tcp_only = 1; - krb5_free_error(context, err_reply); -*************** -*** 277,282 **** ---- 279,286 ---- - goto send_again; - } - krb5_free_error(context, err_reply); -+ send_tgs_error_3: -+ ; - } - rep->message_type = KRB5_ERROR; - } else if (krb5_is_tgs_rep(&rep->response)) diff --git a/2004-003-patch_1.3.4.txt b/2004-003-patch_1.3.4.txt deleted file mode 100644 index 57a9213..0000000 --- a/2004-003-patch_1.3.4.txt +++ /dev/null @@ -1,17 +0,0 @@ -Index: src/lib/krb5/asn.1/asn1buf.c -=================================================================== -RCS file: /cvs/krbdev/krb5/src/lib/krb5/asn.1/asn1buf.c,v -retrieving revision 5.24 -*** src/lib/krb5/asn.1/asn1buf.c 12 Mar 2003 04:33:30 -0000 5.24 ---- src/lib/krb5/asn.1/asn1buf.c 23 Aug 2004 03:43:47 -0000 -*************** -*** 122,127 **** ---- 122,129 ---- - return ASN1_OVERRUN; - } - while (nestlevel > 0) { -+ if (buf->bound - buf->next + 1 <= 0) -+ return ASN1_OVERRUN; - retval = asn1_get_tag_2(buf, &t); - if (retval) return retval; - if (!t.indef) { diff --git a/2006-001-patch_1.5.txt b/2006-001-patch_1.5.txt deleted file mode 100644 index cc47dec..0000000 --- a/2006-001-patch_1.5.txt +++ /dev/null @@ -1,268 +0,0 @@ -Index: appl/gssftp/ftpd/ftpd.c -=================================================================== -*** appl/gssftp/ftpd/ftpd.c (revision 18440) ---- appl/gssftp/ftpd/ftpd.c (working copy) -*************** -*** 1367,1373 **** - goto bad; - sleep(tries); - } -! (void) krb5_seteuid((uid_t)pw->pw_uid); - #ifdef IP_TOS - #ifdef IPTOS_THROUGHPUT - on = IPTOS_THROUGHPUT; ---- 1367,1375 ---- - goto bad; - sleep(tries); - } -! if (krb5_seteuid((uid_t)pw->pw_uid)) { -! fatal("seteuid user"); -! } - #ifdef IP_TOS - #ifdef IPTOS_THROUGHPUT - on = IPTOS_THROUGHPUT; -*************** -*** 1377,1383 **** - #endif - return (fdopen(s, fmode)); - bad: -! (void) krb5_seteuid((uid_t)pw->pw_uid); - (void) close(s); - return (NULL); - } ---- 1379,1387 ---- - #endif - return (fdopen(s, fmode)); - bad: -! if (krb5_seteuid((uid_t)pw->pw_uid)) { -! fatal("seteuid user"); -! } - (void) close(s); - return (NULL); - } -*************** -*** 2186,2192 **** - (void) krb5_seteuid((uid_t)pw->pw_uid); - goto pasv_error; - } -! (void) krb5_seteuid((uid_t)pw->pw_uid); - len = sizeof(pasv_addr); - if (getsockname(pdata, (struct sockaddr *) &pasv_addr, &len) < 0) - goto pasv_error; ---- 2190,2198 ---- - (void) krb5_seteuid((uid_t)pw->pw_uid); - goto pasv_error; - } -! if (krb5_seteuid((uid_t)pw->pw_uid)) { -! fatal("seteuid user"); -! } - len = sizeof(pasv_addr); - if (getsockname(pdata, (struct sockaddr *) &pasv_addr, &len) < 0) - goto pasv_error; -Index: appl/bsd/v4rcp.c -=================================================================== -*** appl/bsd/v4rcp.c (revision 18440) ---- appl/bsd/v4rcp.c (working copy) -*************** -*** 436,442 **** - kstream_set_buffer_mode (krem, 0); - #endif /* KERBEROS && !NOENCRYPTION */ - (void) response(); -! (void) setuid(userid); - source(--argc, ++argv); - exit(errs); - ---- 436,445 ---- - kstream_set_buffer_mode (krem, 0); - #endif /* KERBEROS && !NOENCRYPTION */ - (void) response(); -! if (setuid(userid)) { -! error("rcp: can't setuid(user)\n"); -! exit(1); -! } - source(--argc, ++argv); - exit(errs); - -*************** -*** 452,458 **** - krem = kstream_create_from_fd (rem, 0, 0); - kstream_set_buffer_mode (krem, 0); - #endif /* KERBEROS && !NOENCRYPTION */ -! (void) setuid(userid); - sink(--argc, ++argv); - exit(errs); - ---- 455,464 ---- - krem = kstream_create_from_fd (rem, 0, 0); - kstream_set_buffer_mode (krem, 0); - #endif /* KERBEROS && !NOENCRYPTION */ -! if (setuid(userid)) { -! error("rcp: can't setuid(user)\n"); -! exit(1); -! } - sink(--argc, ++argv); - exit(errs); - -Index: appl/bsd/krcp.c -=================================================================== -*** appl/bsd/krcp.c (revision 18440) ---- appl/bsd/krcp.c (working copy) -*************** -*** 620,626 **** - - euid = geteuid(); - if (euid == 0) { -! (void) setuid(0); - if(krb5_seteuid(userid)) { - perror("rcp seteuid user"); errs++; exit(errs); - } ---- 620,628 ---- - - euid = geteuid(); - if (euid == 0) { -! if (setuid(0)) { -! perror("rcp setuid 0"); errs++; exit(errs); -! } - if(krb5_seteuid(userid)) { - perror("rcp seteuid user"); errs++; exit(errs); - } -*************** -*** 638,648 **** - continue; - rcmd_stream_init_normal(); - #ifdef HAVE_SETREUID -! (void) setreuid(0, userid); - sink(1, argv+argc-1); -! (void) setreuid(userid, 0); - #else -! (void) setuid(0); - if(seteuid(userid)) { - perror("rcp seteuid user"); errs++; exit(errs); - } ---- 640,656 ---- - continue; - rcmd_stream_init_normal(); - #ifdef HAVE_SETREUID -! if (setreuid(0, userid)) { -! perror("rcp setreuid 0,user"); errs++; exit(errs); -! } - sink(1, argv+argc-1); -! if (setreuid(userid, 0)) { -! perror("rcp setreuid user,0"); errs++; exit(errs); -! } - #else -! if (setuid(0)) { -! perror("rcp setuid 0"); errs++; exit(errs); -! } - if(seteuid(userid)) { - perror("rcp seteuid user"); errs++; exit(errs); - } -Index: appl/bsd/login.c -=================================================================== -*** appl/bsd/login.c (revision 18440) ---- appl/bsd/login.c (working copy) -*************** -*** 1648,1654 **** - } - #endif /* HAVE_SETLUID */ - #ifdef _IBMR2 -! setuidx(ID_LOGIN, pwd->pw_uid); - #endif - - /* This call MUST succeed */ ---- 1648,1657 ---- - } - #endif /* HAVE_SETLUID */ - #ifdef _IBMR2 -! if (setuidx(ID_LOGIN, pwd->pw_uid) < 0) { -! perror("setuidx"); -! sleepexit(1); -! }; - #endif - - /* This call MUST succeed */ -Index: appl/bsd/krshd.c -=================================================================== -*** appl/bsd/krshd.c (revision 18440) ---- appl/bsd/krshd.c (working copy) -*************** -*** 1403,1411 **** - * If we're on a system which keeps track of login uids, then - * set the login uid. - */ -! setluid((uid_t) pwd->pw_uid); - #endif /* HAVE_SETLUID */ -! (void) setuid((uid_t)pwd->pw_uid); - /* if TZ is set in the parent, drag it in */ - { - char **findtz = environ; ---- 1403,1417 ---- - * If we're on a system which keeps track of login uids, then - * set the login uid. - */ -! if (setluid((uid_t) pwd->pw_uid) < 0) { -! perror("setluid"); -! _exit(1); -! } - #endif /* HAVE_SETLUID */ -! if (setuid((uid_t)pwd->pw_uid) < 0) { -! perror("setuid"); -! _exit(1); -! } - /* if TZ is set in the parent, drag it in */ - { - char **findtz = environ; -Index: clients/ksu/main.c -=================================================================== -*** clients/ksu/main.c (revision 18440) ---- clients/ksu/main.c (working copy) -*************** -*** 893,900 **** - struct stat st_temp; - - krb5_seteuid(0); -! krb5_seteuid(target_uid); -! - cc_name = krb5_cc_get_name(context, cc); - if ( ! stat(cc_name, &st_temp)){ - if ((retval = krb5_cc_destroy(context, cc))){ ---- 893,904 ---- - struct stat st_temp; - - krb5_seteuid(0); -! if (krb5_seteuid(target_uid) < 0) { -! com_err(prog_name, errno, -! "while changing to target uid for destroying ccache"); -! exit(1); -! } -! - cc_name = krb5_cc_get_name(context, cc); - if ( ! stat(cc_name, &st_temp)){ - if ((retval = krb5_cc_destroy(context, cc))){ -Index: lib/krb4/kuserok.c -=================================================================== -*** lib/krb4/kuserok.c (revision 18440) ---- lib/krb4/kuserok.c (working copy) -*************** -*** 159,167 **** - */ - if(getuid() == 0) { - uid_t old_euid = geteuid(); -! seteuid(pwd->pw_uid); - fp = fopen(pbuf, "r"); -! seteuid(old_euid); - if ((fp) == NULL) { - return(NOTOK); - } ---- 159,169 ---- - */ - if(getuid() == 0) { - uid_t old_euid = geteuid(); -! if (seteuid(pwd->pw_uid) < 0) -! return NOTOK; - fp = fopen(pbuf, "r"); -! if (seteuid(old_euid) < 0) -! return NOTOK; - if ((fp) == NULL) { - return(NOTOK); - } diff --git a/2006-002-patch.txt b/2006-002-patch.txt deleted file mode 100644 index c31124e..0000000 --- a/2006-002-patch.txt +++ /dev/null @@ -1,27 +0,0 @@ -Index: src/lib/rpc/svc.c -=================================================================== -*** src/lib/rpc/svc.c (revision 18864) ---- src/lib/rpc/svc.c (working copy) -*************** -*** 437,442 **** ---- 437,444 ---- - #endif - } - -+ extern struct svc_auth_ops svc_auth_gss_ops; -+ - static void - svc_do_xprt(SVCXPRT *xprt) - { -*************** -*** 518,523 **** ---- 520,528 ---- - if ((stat = SVC_STAT(xprt)) == XPRT_DIED){ - SVC_DESTROY(xprt); - break; -+ } else if ((xprt->xp_auth != NULL) && -+ (xprt->xp_auth->svc_ah_ops != &svc_auth_gss_ops)) { -+ xprt->xp_auth = NULL; - } - } while (stat == XPRT_MOREREQS); - diff --git a/2006-003-patch.txt b/2006-003-patch.txt deleted file mode 100644 index 355e964..0000000 --- a/2006-003-patch.txt +++ /dev/null @@ -1,1903 +0,0 @@ -Index: src/lib/gssapi/mechglue/g_store_cred.c -=================================================================== -*** src/lib/gssapi/mechglue/g_store_cred.c (revision 18858) ---- src/lib/gssapi/mechglue/g_store_cred.c (working copy) -*************** -*** 11,16 **** ---- 11,48 ---- - - #include - -+ static OM_uint32 -+ val_store_cred_args( -+ OM_uint32 *minor_status, -+ const gss_cred_id_t input_cred_handle, -+ gss_cred_usage_t cred_usage, -+ const gss_OID desired_mech, -+ OM_uint32 overwrite_cred, -+ OM_uint32 default_cred, -+ gss_OID_set *elements_stored, -+ gss_cred_usage_t *cred_usage_stored) -+ { -+ -+ /* Initialize outputs. */ -+ -+ if (minor_status != NULL) -+ *minor_status = 0; -+ -+ if (elements_stored != NULL) -+ *elements_stored = GSS_C_NULL_OID_SET; -+ -+ /* Validate arguments. */ -+ -+ if (minor_status == NULL) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ if (input_cred_handle == GSS_C_NO_CREDENTIAL) -+ return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CRED); -+ -+ return (GSS_S_COMPLETE); -+ } -+ -+ - OM_uint32 gss_store_cred(minor_status, - input_cred_handle, - cred_usage, -*************** -*** 37,52 **** - gss_OID dmech; - int i; - -! /* Start by checking parameters */ -! if (minor_status == NULL) -! return (GSS_S_CALL_INACCESSIBLE_WRITE|GSS_S_NO_CRED); -! *minor_status = 0; - -! if (input_cred_handle == GSS_C_NO_CREDENTIAL) -! return (GSS_S_CALL_INACCESSIBLE_READ); -! -! if (elements_stored != NULL) -! *elements_stored = GSS_C_NULL_OID_SET; - - if (cred_usage_stored != NULL) - *cred_usage_stored = GSS_C_BOTH; /* there's no GSS_C_NEITHER */ ---- 69,87 ---- - gss_OID dmech; - int i; - -! major_status = val_store_cred_args(minor_status, -! input_cred_handle, -! cred_usage, -! desired_mech, -! overwrite_cred, -! default_cred, -! elements_stored, -! cred_usage_stored); -! if (major_status != GSS_S_COMPLETE) -! return (major_status); - -! /* Initial value needed below. */ -! major_status = GSS_S_FAILURE; - - if (cred_usage_stored != NULL) - *cred_usage_stored = GSS_C_BOTH; /* there's no GSS_C_NEITHER */ -Index: src/lib/gssapi/mechglue/g_exp_sec_context.c -=================================================================== -*** src/lib/gssapi/mechglue/g_exp_sec_context.c (revision 18858) ---- src/lib/gssapi/mechglue/g_exp_sec_context.c (working copy) -*************** -*** 34,39 **** ---- 34,71 ---- - #endif - #include - -+ static OM_uint32 -+ val_exp_sec_ctx_args( -+ OM_uint32 *minor_status, -+ gss_ctx_id_t *context_handle, -+ gss_buffer_t interprocess_token) -+ { -+ -+ /* Initialize outputs. */ -+ -+ if (minor_status != NULL) -+ *minor_status = 0; -+ -+ if (interprocess_token != GSS_C_NO_BUFFER) { -+ interprocess_token->length = 0; -+ interprocess_token->value = NULL; -+ } -+ -+ /* Validate arguments. */ -+ -+ if (minor_status == NULL) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ if (context_handle == NULL || *context_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); -+ -+ if (interprocess_token == GSS_C_NO_BUFFER) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ return (GSS_S_COMPLETE); -+ } -+ -+ - OM_uint32 KRB5_CALLCONV - gss_export_sec_context(minor_status, - context_handle, -*************** -*** 50,65 **** - gss_mechanism mech; - gss_buffer_desc token; - char *buf; -- -- if (minor_status == NULL) -- return (GSS_S_CALL_INACCESSIBLE_WRITE); -- *minor_status = 0; -- -- if (context_handle == NULL || *context_handle == GSS_C_NO_CONTEXT) -- return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); - -! if (interprocess_token == NULL) -! return (GSS_S_CALL_INACCESSIBLE_READ); - - /* - * select the approprate underlying mechanism routine and ---- 82,92 ---- - gss_mechanism mech; - gss_buffer_desc token; - char *buf; - -! status = val_exp_sec_ctx_args(minor_status, -! context_handle, interprocess_token); -! if (status != GSS_S_COMPLETE) -! return (status); - - /* - * select the approprate underlying mechanism routine and -Index: src/lib/gssapi/mechglue/g_canon_name.c -=================================================================== -*** src/lib/gssapi/mechglue/g_canon_name.c (revision 18858) ---- src/lib/gssapi/mechglue/g_canon_name.c (working copy) -*************** -*** 25,30 **** ---- 25,58 ---- - #include - #include - -+ static OM_uint32 -+ val_canon_name_args( -+ OM_uint32 *minor_status, -+ const gss_name_t input_name, -+ const gss_OID mech_type, -+ gss_name_t *output_name) -+ { -+ -+ /* Initialize outputs. */ -+ -+ if (minor_status != NULL) -+ *minor_status = 0; -+ -+ if (output_name != NULL) -+ *output_name = GSS_C_NO_NAME; -+ -+ /* Validate arguments. */ -+ -+ if (minor_status == NULL) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ if (input_name == GSS_C_NO_NAME || mech_type == GSS_C_NULL_OID) -+ return (GSS_S_CALL_INACCESSIBLE_READ); -+ -+ return (GSS_S_COMPLETE); -+ } -+ -+ - OM_uint32 KRB5_CALLCONV - gss_canonicalize_name(minor_status, - input_name, -*************** -*** 38,54 **** - gss_union_name_t in_union, out_union = NULL, dest_union = NULL; - OM_uint32 major_status = GSS_S_FAILURE; - -! if (minor_status == NULL) -! return (GSS_S_CALL_INACCESSIBLE_WRITE); -! -! *minor_status = 0; - -! if (output_name) -! *output_name = 0; -! -! /* check the input parameters */ -! if (input_name == NULL || mech_type == GSS_C_NULL_OID) -! return (GSS_S_CALL_INACCESSIBLE_READ); - - in_union = (gss_union_name_t)input_name; - /* ---- 66,80 ---- - gss_union_name_t in_union, out_union = NULL, dest_union = NULL; - OM_uint32 major_status = GSS_S_FAILURE; - -! major_status = val_canon_name_args(minor_status, -! input_name, -! mech_type, -! output_name); -! if (major_status != GSS_S_COMPLETE) -! return (major_status); - -! /* Initial value needed below. */ -! major_status = GSS_S_FAILURE; - - in_union = (gss_union_name_t)input_name; - /* -Index: src/lib/gssapi/mechglue/g_initialize.c -=================================================================== -*** src/lib/gssapi/mechglue/g_initialize.c (revision 18858) ---- src/lib/gssapi/mechglue/g_initialize.c (working copy) -*************** -*** 142,158 **** - int i, j; - gss_OID curItem; - -! if (!minorStatus) -! return (GSS_S_CALL_INACCESSIBLE_WRITE); -! if (gssint_initialize_library()) -! return GSS_S_FAILURE; - -! *minorStatus = 0; - - -! /* check output parameter */ -! if (mechSet == NULL) - return (GSS_S_CALL_INACCESSIBLE_WRITE); - - if (build_mechSet()) - return GSS_S_FAILURE; ---- 142,161 ---- - int i, j; - gss_OID curItem; - -! /* Initialize outputs. */ - -! if (minorStatus != NULL) -! *minorStatus = 0; - -+ if (mechSet != NULL) -+ *mechSet = GSS_C_NO_OID_SET; - -! /* Validate arguments. */ -! if (minorStatus == NULL || mechSet == NULL) - return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ if (gssint_initialize_library()) -+ return GSS_S_FAILURE; - - if (build_mechSet()) - return GSS_S_FAILURE; -Index: src/lib/gssapi/mechglue/g_verify.c -=================================================================== -*** src/lib/gssapi/mechglue/g_verify.c (revision 18858) ---- src/lib/gssapi/mechglue/g_verify.c (working copy) -*************** -*** 54,60 **** - if (context_handle == GSS_C_NO_CONTEXT) - return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); - -! if ((message_buffer == NULL) || GSS_EMPTY_BUFFER(token_buffer)) - return (GSS_S_CALL_INACCESSIBLE_READ); - - /* ---- 54,62 ---- - if (context_handle == GSS_C_NO_CONTEXT) - return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); - -! if ((message_buffer == GSS_C_NO_BUFFER) || -! GSS_EMPTY_BUFFER(token_buffer)) -! - return (GSS_S_CALL_INACCESSIBLE_READ); - - /* -Index: src/lib/gssapi/mechglue/g_inq_names.c -=================================================================== -*** src/lib/gssapi/mechglue/g_inq_names.c (revision 18858) ---- src/lib/gssapi/mechglue/g_inq_names.c (working copy) -*************** -*** 41,50 **** - { - OM_uint32 status; - gss_mechanism mech; -! - if (minor_status == NULL) - return (GSS_S_CALL_INACCESSIBLE_WRITE); -- *minor_status = 0; - - if (name_types == NULL) - return (GSS_S_CALL_INACCESSIBLE_WRITE); ---- 41,59 ---- - { - OM_uint32 status; - gss_mechanism mech; -! -! /* Initialize outputs. */ -! -! if (minor_status != NULL) -! *minor_status = 0; -! -! if (name_types != NULL) -! *name_types = GSS_C_NO_OID_SET; -! -! /* Validate arguments. */ -! - if (minor_status == NULL) - return (GSS_S_CALL_INACCESSIBLE_WRITE); - - if (name_types == NULL) - return (GSS_S_CALL_INACCESSIBLE_WRITE); -*************** -*** 72,77 **** ---- 81,113 ---- - - return (GSS_S_BAD_MECH); - } -+ -+ static OM_uint32 -+ val_inq_mechs4name_args( -+ OM_uint32 *minor_status, -+ const gss_name_t input_name, -+ gss_OID_set *mech_set) -+ { -+ -+ /* Initialize outputs. */ -+ if (minor_status != NULL) -+ *minor_status = 0; -+ -+ if (mech_set != NULL) -+ *mech_set = GSS_C_NO_OID_SET; -+ -+ /* Validate arguments.e -+ */ -+ if (minor_status == NULL) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ if (input_name == GSS_C_NO_NAME) -+ return (GSS_S_BAD_NAME); -+ -+ return (GSS_S_COMPLETE); -+ } -+ -+ - OM_uint32 KRB5_CALLCONV - gss_inquire_mechs_for_name(minor_status, input_name, mech_set) - -*************** -*** 90,101 **** - gss_buffer_desc name_buffer; - int i; - -! if (minor_status == NULL) -! return (GSS_S_CALL_INACCESSIBLE_WRITE); -! *minor_status = 0; -! -! if (input_name == NULL) -! return (GSS_S_BAD_NAME); - - status = gss_create_empty_oid_set(minor_status, mech_set); - if (status != GSS_S_COMPLETE) ---- 126,134 ---- - gss_buffer_desc name_buffer; - int i; - -! status = val_inq_mechs4name_args(minor_status, input_name, mech_set); -! if (status != GSS_S_COMPLETE) -! return (status); - - status = gss_create_empty_oid_set(minor_status, mech_set); - if (status != GSS_S_COMPLETE) -Index: src/lib/gssapi/mechglue/g_export_name.c -=================================================================== -*** src/lib/gssapi/mechglue/g_export_name.c (revision 18858) ---- src/lib/gssapi/mechglue/g_export_name.c (working copy) -*************** -*** 29,47 **** - { - gss_union_name_t union_name; - - -! if (minor_status) - *minor_status = 0; - -! /* check out parameter */ -! if (!exported_name) -! return (GSS_S_CALL_INACCESSIBLE_WRITE); - -! exported_name->value = NULL; -! exported_name->length = 0; - -! /* check input parameter */ -! if (!input_name) - return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME); - - union_name = (gss_union_name_t)input_name; ---- 29,50 ---- - { - gss_union_name_t union_name; - -+ /* Initialize outputs. */ - -! if (minor_status != NULL) - *minor_status = 0; - -! if (exported_name != GSS_C_NO_BUFFER) { -! exported_name->value = NULL; -! exported_name->length = 0; -! } -! -! /* Validate arguments. */ - -! if (minor_status == NULL || exported_name == GSS_C_NO_BUFFER) -! return (GSS_S_CALL_INACCESSIBLE_WRITE); - -! if (input_name == GSS_C_NO_NAME) - return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME); - - union_name = (gss_union_name_t)input_name; -Index: src/lib/gssapi/mechglue/g_process_context.c -=================================================================== -*** src/lib/gssapi/mechglue/g_process_context.c (revision 18858) ---- src/lib/gssapi/mechglue/g_process_context.c (working copy) -*************** -*** 49,54 **** ---- 49,57 ---- - if (context_handle == GSS_C_NO_CONTEXT) - return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); - -+ if (token_buffer == GSS_C_NO_BUFFER) -+ return (GSS_S_CALL_INACCESSIBLE_READ); -+ - if (GSS_EMPTY_BUFFER(token_buffer)) - return (GSS_S_CALL_INACCESSIBLE_READ); - -Index: src/lib/gssapi/mechglue/g_imp_sec_context.c -=================================================================== -*** src/lib/gssapi/mechglue/g_imp_sec_context.c (revision 18858) ---- src/lib/gssapi/mechglue/g_imp_sec_context.c (working copy) -*************** -*** 34,39 **** ---- 34,71 ---- - #endif - #include - -+ static OM_uint32 -+ val_imp_sec_ctx_args( -+ OM_uint32 *minor_status, -+ gss_buffer_t interprocess_token, -+ gss_ctx_id_t *context_handle) -+ { -+ -+ /* Initialize outputs. */ -+ if (minor_status != NULL) -+ *minor_status = 0; -+ -+ if (context_handle != NULL) -+ *context_handle = GSS_C_NO_CONTEXT; -+ -+ /* Validate arguments. */ -+ -+ if (minor_status == NULL) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ if (context_handle == NULL) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ if (interprocess_token == GSS_C_NO_BUFFER) -+ return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_DEFECTIVE_TOKEN); -+ -+ if (GSS_EMPTY_BUFFER(interprocess_token)) -+ return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_DEFECTIVE_TOKEN); -+ -+ return (GSS_S_COMPLETE); -+ } -+ -+ - OM_uint32 KRB5_CALLCONV - gss_import_sec_context(minor_status, - interprocess_token, -*************** -*** 50,67 **** - gss_union_ctx_id_t ctx; - gss_buffer_desc token; - gss_mechanism mech; -- -- if (minor_status == NULL) -- return (GSS_S_CALL_INACCESSIBLE_WRITE); -- *minor_status = 0; -- -- if (context_handle == NULL) -- return (GSS_S_CALL_INACCESSIBLE_WRITE | GSS_S_NO_CONTEXT); -- *context_handle = GSS_C_NO_CONTEXT; - -! if (GSS_EMPTY_BUFFER(interprocess_token)) -! return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_DEFECTIVE_TOKEN); - - status = GSS_S_FAILURE; - - ctx = (gss_union_ctx_id_t) malloc(sizeof(gss_union_ctx_id_desc)); ---- 82,94 ---- - gss_union_ctx_id_t ctx; - gss_buffer_desc token; - gss_mechanism mech; - -! status = val_imp_sec_ctx_args(minor_status, -! interprocess_token, context_handle); -! if (status != GSS_S_COMPLETE) -! return (status); - -+ /* Initial value needed below. */ - status = GSS_S_FAILURE; - - ctx = (gss_union_ctx_id_t) malloc(sizeof(gss_union_ctx_id_desc)); -Index: src/lib/gssapi/mechglue/g_seal.c -=================================================================== -*** src/lib/gssapi/mechglue/g_seal.c (revision 18858) ---- src/lib/gssapi/mechglue/g_seal.c (working copy) -*************** -*** 28,33 **** ---- 28,72 ---- - - #include "mglueP.h" - -+ static OM_uint32 -+ val_seal_args( -+ OM_uint32 *minor_status, -+ gss_ctx_id_t context_handle, -+ int conf_req_flag, -+ int qop_req, -+ gss_buffer_t input_message_buffer, -+ int *conf_state, -+ gss_buffer_t output_message_buffer) -+ { -+ -+ /* Initialize outputs. */ -+ -+ if (minor_status != NULL) -+ *minor_status = 0; -+ -+ if (output_message_buffer != GSS_C_NO_BUFFER) { -+ output_message_buffer->length = 0; -+ output_message_buffer->value = NULL; -+ } -+ -+ /* Validate arguments. */ -+ -+ if (minor_status == NULL) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ if (context_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); -+ -+ if (input_message_buffer == GSS_C_NO_BUFFER) -+ return (GSS_S_CALL_INACCESSIBLE_READ); -+ -+ if (output_message_buffer == GSS_C_NO_BUFFER) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ return (GSS_S_COMPLETE); -+ } -+ -+ - OM_uint32 KRB5_CALLCONV - gss_seal (minor_status, - context_handle, -*************** -*** 51,68 **** - gss_union_ctx_id_t ctx; - gss_mechanism mech; - -! if (minor_status == NULL) -! return (GSS_S_CALL_INACCESSIBLE_WRITE); -! *minor_status = 0; -! -! if (context_handle == GSS_C_NO_CONTEXT) -! return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); -! -! if (input_message_buffer == NULL) -! return (GSS_S_CALL_INACCESSIBLE_READ); -! -! if (output_message_buffer == NULL) -! return (GSS_S_CALL_INACCESSIBLE_WRITE); - - /* - * select the approprate underlying mechanism routine and ---- 90,101 ---- - gss_union_ctx_id_t ctx; - gss_mechanism mech; - -! status = val_seal_args(minor_status, context_handle, -! conf_req_flag, qop_req, -! input_message_buffer, conf_state, -! output_message_buffer); -! if (status != GSS_S_COMPLETE) -! return (status); - - /* - * select the approprate underlying mechanism routine and -Index: src/lib/gssapi/mechglue/g_acquire_cred.c -=================================================================== -*** src/lib/gssapi/mechglue/g_acquire_cred.c (revision 18858) ---- src/lib/gssapi/mechglue/g_acquire_cred.c (working copy) -*************** -*** 71,76 **** ---- 71,113 ---- - return actual_mechs; - } - -+ static OM_uint32 -+ val_acq_cred_args( -+ OM_uint32 *minor_status, -+ gss_name_t desired_name, -+ OM_uint32 time_req, -+ gss_OID_set desired_mechs, -+ int cred_usage, -+ gss_cred_id_t *output_cred_handle, -+ gss_OID_set *actual_mechs, -+ OM_uint32 *time_rec) -+ { -+ -+ /* Initialize outputs. */ -+ -+ if (minor_status != NULL) -+ *minor_status = 0; -+ -+ if (output_cred_handle != NULL) -+ *output_cred_handle = GSS_C_NO_CREDENTIAL; -+ -+ if (actual_mechs != NULL) -+ *actual_mechs = GSS_C_NULL_OID_SET; -+ -+ if (time_rec != NULL) -+ *time_rec = 0; -+ -+ /* Validate arguments. */ -+ -+ if (minor_status == NULL) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ if (output_cred_handle == NULL) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ return (GSS_S_COMPLETE); -+ } -+ - - OM_uint32 KRB5_CALLCONV - gss_acquire_cred(minor_status, -*************** -*** 101,122 **** - int i; - gss_union_cred_t creds; - -! /* start by checking parameters */ -! if (!minor_status) -! return (GSS_S_CALL_INACCESSIBLE_WRITE); -! *minor_status = 0; -! -! if (!output_cred_handle) -! return (GSS_S_CALL_INACCESSIBLE_WRITE | GSS_S_NO_CRED); -! -! *output_cred_handle = GSS_C_NO_CREDENTIAL; -! -! /* Set output parameters to NULL for now */ -! if (actual_mechs) -! *actual_mechs = GSS_C_NULL_OID_SET; - -! if (time_rec) -! *time_rec = 0; - - /* - * if desired_mechs equals GSS_C_NULL_OID_SET, then pick an ---- 138,156 ---- - int i; - gss_union_cred_t creds; - -! major = val_acq_cred_args(minor_status, -! desired_name, -! time_req, -! desired_mechs, -! cred_usage, -! output_cred_handle, -! actual_mechs, -! time_rec); -! if (major != GSS_S_COMPLETE) -! return (major); - -! /* Initial value needed below. */ -! major = GSS_S_FAILURE; - - /* - * if desired_mechs equals GSS_C_NULL_OID_SET, then pick an -*************** -*** 208,213 **** ---- 242,293 ---- - return (GSS_S_COMPLETE); - } - -+ static OM_uint32 -+ val_add_cred_args( -+ OM_uint32 *minor_status, -+ gss_cred_id_t input_cred_handle, -+ gss_name_t desired_name, -+ gss_OID desired_mech, -+ gss_cred_usage_t cred_usage, -+ OM_uint32 initiator_time_req, -+ OM_uint32 acceptor_time_req, -+ gss_cred_id_t *output_cred_handle, -+ gss_OID_set *actual_mechs, -+ OM_uint32 *initiator_time_rec, -+ OM_uint32 *acceptor_time_rec) -+ { -+ -+ /* Initialize outputs. */ -+ -+ if (minor_status != NULL) -+ *minor_status = 0; -+ -+ if (output_cred_handle != NULL) -+ *output_cred_handle = GSS_C_NO_CREDENTIAL; -+ -+ if (actual_mechs != NULL) -+ *actual_mechs = GSS_C_NO_OID_SET; -+ -+ if (acceptor_time_rec != NULL) -+ *acceptor_time_rec = 0; -+ -+ if (initiator_time_rec != NULL) -+ *initiator_time_rec = 0; -+ -+ /* Validate arguments. */ -+ -+ if (minor_status == NULL) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ if (input_cred_handle == GSS_C_NO_CREDENTIAL && -+ output_cred_handle == NULL) -+ -+ return (GSS_S_CALL_INACCESSIBLE_WRITE | GSS_S_NO_CRED); -+ -+ return (GSS_S_COMPLETE); -+ } -+ -+ - /* V2 KRB5_CALLCONV */ - OM_uint32 KRB5_CALLCONV - gss_add_cred(minor_status, input_cred_handle, -*************** -*** 238,263 **** - gss_OID new_mechs_array = NULL; - gss_cred_id_t * new_cred_array = NULL; - -! /* check input parameters */ -! if (minor_status == NULL) -! return (GSS_S_CALL_INACCESSIBLE_WRITE); -! *minor_status = 0; -! -! if (input_cred_handle == GSS_C_NO_CREDENTIAL && -! output_cred_handle == NULL) -! return (GSS_S_CALL_INACCESSIBLE_WRITE | GSS_S_NO_CRED); -! -! if (output_cred_handle) -! *output_cred_handle = GSS_C_NO_CREDENTIAL; -! -! if (actual_mechs) -! *actual_mechs = NULL; -! -! if (acceptor_time_rec) -! *acceptor_time_rec = 0; -! -! if (initiator_time_rec) -! *initiator_time_rec = 0; - - mech = gssint_get_mechanism(desired_mech); - if (!mech) ---- 318,336 ---- - gss_OID new_mechs_array = NULL; - gss_cred_id_t * new_cred_array = NULL; - -! status = val_add_cred_args(minor_status, -! input_cred_handle, -! desired_name, -! desired_mech, -! cred_usage, -! initiator_time_req, -! acceptor_time_req, -! output_cred_handle, -! actual_mechs, -! initiator_time_rec, -! acceptor_time_rec); -! if (status != GSS_S_COMPLETE) -! return (status); - - mech = gssint_get_mechanism(desired_mech); - if (!mech) -Index: src/lib/gssapi/mechglue/g_dsp_name.c -=================================================================== -*** src/lib/gssapi/mechglue/g_dsp_name.c (revision 18858) ---- src/lib/gssapi/mechglue/g_dsp_name.c (working copy) -*************** -*** 34,39 **** ---- 34,75 ---- - #endif - #include - -+ static OM_uint32 -+ val_dsp_name_args( -+ OM_uint32 *minor_status, -+ gss_name_t input_name, -+ gss_buffer_t output_name_buffer, -+ gss_OID *output_name_type) -+ { -+ -+ /* Initialize outputs. */ -+ -+ if (minor_status != NULL) -+ *minor_status = 0; -+ -+ if (output_name_buffer != GSS_C_NO_BUFFER) { -+ output_name_buffer->length = 0; -+ output_name_buffer->value = NULL; -+ } -+ -+ if (output_name_type != NULL) -+ *output_name_type = GSS_C_NO_OID; -+ -+ /* Validate arguments. */ -+ -+ if (minor_status == NULL) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ if (output_name_buffer == GSS_C_NO_BUFFER) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ if (input_name == GSS_C_NO_NAME) -+ return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME); -+ -+ return (GSS_S_COMPLETE); -+ } -+ -+ - OM_uint32 KRB5_CALLCONV - gss_display_name (minor_status, - input_name, -*************** -*** 48,66 **** - { - OM_uint32 major_status; - gss_union_name_t union_name; -- -- if (minor_status == NULL) -- return (GSS_S_CALL_INACCESSIBLE_WRITE); -- *minor_status = 0; -- -- if (input_name == 0) -- return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME); -- -- if (output_name_buffer == NULL) -- return (GSS_S_CALL_INACCESSIBLE_WRITE); - -! if (output_name_type) -! *output_name_type = NULL; - - union_name = (gss_union_name_t) input_name; - ---- 84,94 ---- - { - OM_uint32 major_status; - gss_union_name_t union_name; - -! major_status = val_dsp_name_args(minor_status, input_name, -! output_name_buffer, output_name_type); -! if (major_status != GSS_S_COMPLETE) -! return (major_status); - - union_name = (gss_union_name_t) input_name; - -Index: src/lib/gssapi/mechglue/g_unseal.c -=================================================================== -*** src/lib/gssapi/mechglue/g_unseal.c (revision 18858) ---- src/lib/gssapi/mechglue/g_unseal.c (working copy) -*************** -*** 49,69 **** - gss_union_ctx_id_t ctx; - gss_mechanism mech; - - if (minor_status == NULL) - return (GSS_S_CALL_INACCESSIBLE_WRITE); -- *minor_status = 0; - - if (context_handle == GSS_C_NO_CONTEXT) - return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); - -! if (GSS_EMPTY_BUFFER(input_message_buffer)) - return (GSS_S_CALL_INACCESSIBLE_READ); - -! if (output_message_buffer == NULL) - return (GSS_S_CALL_INACCESSIBLE_WRITE); -- -- output_message_buffer->length = 0; -- output_message_buffer->value = NULL; - - /* - * select the approprate underlying mechanism routine and ---- 49,75 ---- - gss_union_ctx_id_t ctx; - gss_mechanism mech; - -+ if (minor_status != NULL) -+ *minor_status = 0; -+ -+ if (output_message_buffer != GSS_C_NO_BUFFER) { -+ output_message_buffer->length = 0; -+ output_message_buffer->value = NULL; -+ } -+ - if (minor_status == NULL) - return (GSS_S_CALL_INACCESSIBLE_WRITE); - - if (context_handle == GSS_C_NO_CONTEXT) - return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); - -! if (input_message_buffer == GSS_C_NO_BUFFER || -! GSS_EMPTY_BUFFER(input_message_buffer)) -! - return (GSS_S_CALL_INACCESSIBLE_READ); - -! if (output_message_buffer == GSS_C_NO_BUFFER) - return (GSS_S_CALL_INACCESSIBLE_WRITE); - - /* - * select the approprate underlying mechanism routine and -Index: src/lib/gssapi/mechglue/g_dup_name.c -=================================================================== -*** src/lib/gssapi/mechglue/g_dup_name.c (revision 18858) ---- src/lib/gssapi/mechglue/g_dup_name.c (working copy) -*************** -*** 19,24 **** ---- 19,55 ---- - #include - #include - -+ static OM_uint32 -+ val_dup_name_args( -+ OM_uint32 *minor_status, -+ const gss_name_t src_name, -+ gss_name_t *dest_name) -+ { -+ -+ /* Initialize outputs. */ -+ -+ if (minor_status != NULL) -+ *minor_status = 0; -+ -+ if (dest_name != NULL) -+ *dest_name = GSS_C_NO_NAME; -+ -+ /* Validate arguments. */ -+ -+ if (minor_status == NULL) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ /* if output_name is NULL, simply return */ -+ if (dest_name == NULL) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ if (src_name == GSS_C_NO_NAME) -+ return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME); -+ -+ return (GSS_S_COMPLETE); -+ } -+ -+ - OM_uint32 KRB5_CALLCONV - gss_duplicate_name(minor_status, - src_name, -*************** -*** 30,49 **** - gss_union_name_t src_union, dest_union; - OM_uint32 major_status = GSS_S_FAILURE; - -! -! if (!minor_status) -! return (GSS_S_CALL_INACCESSIBLE_WRITE); -! -! *minor_status = 0; -! -! /* if output_name is NULL, simply return */ -! if (dest_name == NULL) -! return (GSS_S_CALL_INACCESSIBLE_WRITE | GSS_S_BAD_NAME); -! -! *dest_name = 0; -! -! if (src_name == NULL) -! return (GSS_S_CALL_INACCESSIBLE_READ); - - src_union = (gss_union_name_t)src_name; - ---- 61,69 ---- - gss_union_name_t src_union, dest_union; - OM_uint32 major_status = GSS_S_FAILURE; - -! major_status = val_dup_name_args(minor_status, src_name, dest_name); -! if (major_status != GSS_S_COMPLETE) -! return (major_status); - - src_union = (gss_union_name_t)src_name; - -Index: src/lib/gssapi/mechglue/g_dsp_status.c -=================================================================== -*** src/lib/gssapi/mechglue/g_dsp_status.c (revision 18858) ---- src/lib/gssapi/mechglue/g_dsp_status.c (working copy) -*************** -*** 54,70 **** - gss_OID mech_type = (gss_OID) req_mech_type; - gss_mechanism mech; - -! /* check the input parameters */ -! if (!minor_status) -! return (GSS_S_CALL_INACCESSIBLE_WRITE); - -! *minor_status = 0; - -! if (!message_context || status_string == NULL) -! return (GSS_S_CALL_INACCESSIBLE_WRITE); - -! status_string->length = 0; -! status_string->value = NULL; - - /* we handle major status codes, and the mechs do the minor */ - if (status_type == GSS_C_GSS_CODE) ---- 54,72 ---- - gss_OID mech_type = (gss_OID) req_mech_type; - gss_mechanism mech; - -! if (minor_status != NULL) -! *minor_status = 0; - -! if (status_string != GSS_C_NO_BUFFER) { -! status_string->length = 0; -! status_string->value = NULL; -! } - -! if (minor_status == NULL || -! message_context == NULL || -! status_string == GSS_C_NO_BUFFER) - -! return (GSS_S_CALL_INACCESSIBLE_WRITE); - - /* we handle major status codes, and the mechs do the minor */ - if (status_type == GSS_C_GSS_CODE) -Index: src/lib/gssapi/mechglue/g_inq_context.c -=================================================================== -*** src/lib/gssapi/mechglue/g_inq_context.c (revision 18858) ---- src/lib/gssapi/mechglue/g_inq_context.c (working copy) -*************** -*** 31,36 **** ---- 31,75 ---- - #include - #endif - -+ static OM_uint32 -+ val_inq_ctx_args( -+ OM_uint32 *minor_status, -+ gss_ctx_id_t context_handle, -+ gss_name_t *src_name, -+ gss_name_t *targ_name, -+ OM_uint32 *lifetime_rec, -+ gss_OID *mech_type, -+ OM_uint32 *ctx_flags, -+ int *locally_initiated, -+ int *open) -+ { -+ -+ /* Initialize outputs. */ -+ -+ if (minor_status != NULL) -+ *minor_status = 0; -+ -+ if (src_name != NULL) -+ *src_name = GSS_C_NO_NAME; -+ -+ if (targ_name != NULL) -+ *targ_name = GSS_C_NO_NAME; -+ -+ if (mech_type != NULL) -+ *mech_type = GSS_C_NO_OID; -+ -+ /* Validate arguments. */ -+ -+ if (minor_status == NULL) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ if (context_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); -+ -+ return (GSS_S_COMPLETE); -+ } -+ -+ - /* Last argument new for V2 */ - OM_uint32 KRB5_CALLCONV - gss_inquire_context( -*************** -*** 60,85 **** - gss_mechanism mech; - OM_uint32 status, temp_minor; - gss_name_t localTargName = NULL, localSourceName = NULL; -- -- if (!minor_status) -- return (GSS_S_CALL_INACCESSIBLE_WRITE); - -! *minor_status = 0; -! -! /* if the context_handle is Null, return NO_CONTEXT error */ -! if (context_handle == GSS_C_NO_CONTEXT) -! return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); - -- /* set all output value to NULL */ -- if (src_name) -- *src_name = NULL; -- -- if (targ_name) -- *targ_name = NULL; -- -- if (mech_type) -- *mech_type = NULL; -- - /* - * select the approprate underlying mechanism routine and - * call it. ---- 99,114 ---- - gss_mechanism mech; - OM_uint32 status, temp_minor; - gss_name_t localTargName = NULL, localSourceName = NULL; - -! status = val_inq_ctx_args(minor_status, -! context_handle, -! src_name, targ_name, -! lifetime_rec, -! mech_type, ctx_flags, -! locally_initiated, open); -! if (status != GSS_S_COMPLETE) -! return (status); - - /* - * select the approprate underlying mechanism routine and - * call it. -Index: src/lib/gssapi/mechglue/g_accept_sec_context.c -=================================================================== -*** src/lib/gssapi/mechglue/g_accept_sec_context.c (revision 18858) ---- src/lib/gssapi/mechglue/g_accept_sec_context.c (working copy) -*************** -*** 33,38 **** ---- 33,90 ---- - #include - #include - -+ static OM_uint32 -+ val_acc_sec_ctx_args( -+ OM_uint32 *minor_status, -+ gss_ctx_id_t *context_handle, -+ gss_cred_id_t verifier_cred_handle, -+ gss_buffer_t input_token_buffer, -+ gss_channel_bindings_t input_chan_bindings, -+ gss_name_t *src_name, -+ gss_OID *mech_type, -+ gss_buffer_t output_token, -+ OM_uint32 *ret_flags, -+ OM_uint32 *time_rec, -+ gss_cred_id_t *d_cred) -+ { -+ -+ /* Initialize outputs. */ -+ -+ if (minor_status != NULL) -+ *minor_status = 0; -+ -+ if (src_name != NULL) -+ *src_name = GSS_C_NO_NAME; -+ -+ if (mech_type != NULL) -+ *mech_type = GSS_C_NO_OID; -+ -+ if (output_token != GSS_C_NO_BUFFER) { -+ output_token->length = 0; -+ output_token->value = NULL; -+ } -+ -+ if (d_cred != NULL) -+ *d_cred = GSS_C_NO_CREDENTIAL; -+ -+ /* Validate arguments. */ -+ -+ if (minor_status == NULL) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ if (context_handle == NULL) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ if (input_token_buffer == GSS_C_NO_BUFFER) -+ return (GSS_S_CALL_INACCESSIBLE_READ); -+ -+ if (output_token == GSS_C_NO_BUFFER) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ return (GSS_S_COMPLETE); -+ } -+ -+ - OM_uint32 KRB5_CALLCONV - gss_accept_sec_context (minor_status, - context_handle, -*************** -*** 69,94 **** - gss_OID_desc token_mech_type_desc; - gss_OID token_mech_type = &token_mech_type_desc; - gss_mechanism mech; -- -- /* check parameters first */ -- if (minor_status == NULL) -- return (GSS_S_CALL_INACCESSIBLE_WRITE); -- *minor_status = 0; -- -- if (context_handle == NULL || output_token == NULL) -- return (GSS_S_CALL_INACCESSIBLE_WRITE); -- -- /* clear optional fields */ -- output_token->value = NULL; -- output_token->length = 0; -- if (src_name) -- *src_name = NULL; - -! if (mech_type) -! *mech_type = NULL; - -- if (d_cred) -- *d_cred = NULL; - /* - * if context_handle is GSS_C_NO_CONTEXT, allocate a union context - * descriptor to hold the mech type information as well as the ---- 121,141 ---- - gss_OID_desc token_mech_type_desc; - gss_OID token_mech_type = &token_mech_type_desc; - gss_mechanism mech; - -! status = val_acc_sec_ctx_args(minor_status, -! context_handle, -! verifier_cred_handle, -! input_token_buffer, -! input_chan_bindings, -! src_name, -! mech_type, -! output_token, -! ret_flags, -! time_rec, -! d_cred); -! if (status != GSS_S_COMPLETE) -! return (status); - - /* - * if context_handle is GSS_C_NO_CONTEXT, allocate a union context - * descriptor to hold the mech type information as well as the -Index: src/lib/gssapi/mechglue/g_sign.c -=================================================================== -*** src/lib/gssapi/mechglue/g_sign.c (revision 18858) ---- src/lib/gssapi/mechglue/g_sign.c (working copy) -*************** -*** 28,33 **** ---- 28,70 ---- - - #include "mglueP.h" - -+ static OM_uint32 -+ val_sign_args( -+ OM_uint32 *minor_status, -+ gss_ctx_id_t context_handle, -+ int qop_req, -+ gss_buffer_t message_buffer, -+ gss_buffer_t msg_token) -+ { -+ -+ /* Initialize outputs. */ -+ -+ if (minor_status != NULL) -+ *minor_status = 0; -+ -+ if (msg_token != GSS_C_NO_BUFFER) { -+ msg_token->value = NULL; -+ msg_token->length = 0; -+ } -+ -+ /* Validate arguments. */ -+ -+ if (minor_status == NULL) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ if (context_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); -+ -+ if (message_buffer == GSS_C_NO_BUFFER) -+ return (GSS_S_CALL_INACCESSIBLE_READ); -+ -+ if (msg_token == GSS_C_NO_BUFFER) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ return (GSS_S_COMPLETE); -+ } -+ -+ - OM_uint32 KRB5_CALLCONV - gss_sign (minor_status, - context_handle, -*************** -*** 46,66 **** - gss_union_ctx_id_t ctx; - gss_mechanism mech; - -! if (minor_status == NULL) -! return (GSS_S_CALL_INACCESSIBLE_WRITE); -! *minor_status = 0; -! -! if (context_handle == GSS_C_NO_CONTEXT) -! return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); -! -! if (message_buffer == NULL) -! return (GSS_S_CALL_INACCESSIBLE_READ); -! -! if (msg_token == NULL) -! return (GSS_S_CALL_INACCESSIBLE_WRITE); - -- msg_token->value = NULL; -- msg_token->length = 0; - /* - * select the approprate underlying mechanism routine and - * call it. ---- 83,93 ---- - gss_union_ctx_id_t ctx; - gss_mechanism mech; - -! status = val_sign_args(minor_status, context_handle, -! qop_req, message_buffer, msg_token); -! if (status != GSS_S_COMPLETE) -! return (status); - - /* - * select the approprate underlying mechanism routine and - * call it. -Index: src/lib/gssapi/mechglue/g_delete_sec_context.c -=================================================================== -*** src/lib/gssapi/mechglue/g_delete_sec_context.c (revision 18858) ---- src/lib/gssapi/mechglue/g_delete_sec_context.c (working copy) -*************** -*** 32,37 **** ---- 32,66 ---- - #include - #endif - -+ static OM_uint32 -+ val_del_sec_ctx_args( -+ OM_uint32 *minor_status, -+ gss_ctx_id_t *context_handle, -+ gss_buffer_t output_token) -+ { -+ -+ /* Initialize outputs. */ -+ -+ if (minor_status != NULL) -+ *minor_status = 0; -+ -+ if (output_token != GSS_C_NO_BUFFER) { -+ output_token->length = 0; -+ output_token->value = NULL; -+ } -+ -+ /* Validate arguments. */ -+ -+ if (minor_status == NULL) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ if (context_handle == NULL || *context_handle == GSS_C_NO_CONTEXT) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE | GSS_S_NO_CONTEXT); -+ -+ return (GSS_S_COMPLETE); -+ } -+ -+ - OM_uint32 KRB5_CALLCONV - gss_delete_sec_context (minor_status, - context_handle, -*************** -*** 45,62 **** - OM_uint32 status; - gss_union_ctx_id_t ctx; - gss_mechanism mech; -- -- if (minor_status == NULL) -- return (GSS_S_CALL_INACCESSIBLE_WRITE); -- -- if (output_token != GSS_C_NO_BUFFER) { -- output_token->length = 0; -- output_token->value = NULL; -- } - -! /* if the context_handle is Null, return NO_CONTEXT error */ -! if(context_handle == NULL || *context_handle == GSS_C_NO_CONTEXT) -! return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_NO_CONTEXT); - - /* - * select the approprate underlying mechanism routine and ---- 74,83 ---- - OM_uint32 status; - gss_union_ctx_id_t ctx; - gss_mechanism mech; - -! status = val_del_sec_ctx_args(minor_status, context_handle, output_token); -! if (status != GSS_S_COMPLETE) -! return (status); - - /* - * select the approprate underlying mechanism routine and -Index: src/lib/gssapi/mechglue/g_init_sec_context.c -=================================================================== -*** src/lib/gssapi/mechglue/g_init_sec_context.c (revision 18858) ---- src/lib/gssapi/mechglue/g_init_sec_context.c (working copy) -*************** -*** 33,38 **** ---- 33,86 ---- - #endif - #include - -+ static OM_uint32 -+ val_init_sec_ctx_args( -+ OM_uint32 *minor_status, -+ gss_cred_id_t claimant_cred_handle, -+ gss_ctx_id_t *context_handle, -+ gss_name_t target_name, -+ gss_OID req_mech_type, -+ OM_uint32 req_flags, -+ OM_uint32 time_req, -+ gss_channel_bindings_t input_chan_bindings, -+ gss_buffer_t input_token, -+ gss_OID *actual_mech_type, -+ gss_buffer_t output_token, -+ OM_uint32 *ret_flags, -+ OM_uint32 *time_rec) -+ { -+ -+ /* Initialize outputs. */ -+ -+ if (minor_status != NULL) -+ *minor_status = 0; -+ -+ if (actual_mech_type != NULL) -+ *actual_mech_type = GSS_C_NO_OID; -+ -+ if (output_token != GSS_C_NO_BUFFER) { -+ output_token->length = 0; -+ output_token->value = NULL; -+ } -+ -+ /* Validate arguments. */ -+ -+ if (minor_status == NULL) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ if (context_handle == NULL) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE | GSS_S_NO_CONTEXT); -+ -+ if (target_name == NULL) -+ return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME); -+ -+ if (output_token == NULL) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ return (GSS_S_COMPLETE); -+ } -+ -+ - OM_uint32 KRB5_CALLCONV - gss_init_sec_context (minor_status, - claimant_cred_handle, -*************** -*** 72,101 **** - gss_mechanism mech; - gss_cred_id_t input_cred_handle; - -! if (minor_status == NULL) -! return (GSS_S_CALL_INACCESSIBLE_WRITE); -! *minor_status = 0; -! output_token->length = 0; -! output_token->value = NULL; -! -! /* clear output values */ -! if (actual_mech_type) -! *actual_mech_type = NULL; -! -! if (context_handle == NULL) -! return (GSS_S_CALL_INACCESSIBLE_WRITE | GSS_S_NO_CONTEXT); -! -! union_name = (gss_union_name_t) target_name; -! -! if (target_name == NULL) -! return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME); -! -! if (output_token == NULL) -! return (GSS_S_CALL_INACCESSIBLE_WRITE); -! -! output_token->value = NULL; -! output_token->length = 0; -! - - if (req_mech_type) - mech_type = (gss_OID)req_mech_type; ---- 120,140 ---- - gss_mechanism mech; - gss_cred_id_t input_cred_handle; - -! status = val_init_sec_ctx_args(minor_status, -! claimant_cred_handle, -! context_handle, -! target_name, -! req_mech_type, -! req_flags, -! time_req, -! input_chan_bindings, -! input_token, -! actual_mech_type, -! output_token, -! ret_flags, -! time_rec); -! if (status != GSS_S_COMPLETE) -! return (status); - - if (req_mech_type) - mech_type = (gss_OID)req_mech_type; -Index: src/lib/gssapi/mechglue/g_inq_cred.c -=================================================================== -*** src/lib/gssapi/mechglue/g_inq_cred.c (revision 18858) ---- src/lib/gssapi/mechglue/g_inq_cred.c (working copy) -*************** -*** 55,71 **** - gss_mechanism mech; - gss_name_t internal_name; - int i; -- -- /* check parms and set to defaults */ -- if (minor_status == NULL) -- return (GSS_S_CALL_INACCESSIBLE_WRITE); -- *minor_status = 0; - -! if (name) -! *name = NULL; - -! if (mechanisms) -! *mechanisms = NULL; - - if (cred_handle == GSS_C_NO_CREDENTIAL) { - /* ---- 55,75 ---- - gss_mechanism mech; - gss_name_t internal_name; - int i; - -! /* Initialize outputs. */ -! -! if (minor_status != NULL) -! *minor_status = 0; -! -! if (name != NULL) -! *name = GSS_C_NO_NAME; -! -! if (mechanisms != NULL) -! *mechanisms = GSS_C_NO_OID_SET; - -! /* Validate arguments. */ -! if (minor_status == NULL) -! return (GSS_S_CALL_INACCESSIBLE_WRITE); - - if (cred_handle == GSS_C_NO_CREDENTIAL) { - /* -*************** -*** 216,221 **** ---- 220,233 ---- - OM_uint32 status, temp_minor_status; - gss_name_t internal_name; - -+ if (minor_status != NULL) -+ *minor_status = 0; -+ -+ if (name != NULL) -+ *name = GSS_C_NO_NAME; -+ -+ if (minor_status == NULL) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); - - mech = gssint_get_mechanism (mech_type); - if (!mech) -Index: src/lib/gssapi/mechglue/g_imp_name.c -=================================================================== -*** src/lib/gssapi/mechglue/g_imp_name.c (revision 18858) ---- src/lib/gssapi/mechglue/g_imp_name.c (working copy) -*************** -*** 38,43 **** ---- 38,77 ---- - /* local function to import GSS_C_EXPORT_NAME names */ - static OM_uint32 importExportName(OM_uint32 *, gss_union_name_t); - -+ static OM_uint32 -+ val_imp_name_args( -+ OM_uint32 *minor_status, -+ gss_buffer_t input_name_buffer, -+ gss_OID input_name_type, -+ gss_name_t *output_name) -+ { -+ -+ /* Initialize outputs. */ -+ -+ if (minor_status != NULL) -+ *minor_status = 0; -+ -+ if (output_name != NULL) -+ *output_name = GSS_C_NO_NAME; -+ -+ /* Validate arguments. */ -+ -+ if (minor_status == NULL) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ if (output_name == NULL) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ if (input_name_buffer == GSS_C_NO_BUFFER) -+ return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME); -+ -+ if (GSS_EMPTY_BUFFER(input_name_buffer)) -+ return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME); -+ -+ return (GSS_S_COMPLETE); -+ } -+ -+ - OM_uint32 KRB5_CALLCONV - gss_import_name(minor_status, - input_name_buffer, -*************** -*** 53,74 **** - gss_union_name_t union_name; - OM_uint32 tmp, major_status = GSS_S_FAILURE; - -! /* check output parameters */ -! if (!minor_status) -! return (GSS_S_CALL_INACCESSIBLE_WRITE); -! -! *minor_status = 0; -! -! if (output_name == NULL) -! return (GSS_S_CALL_INACCESSIBLE_WRITE); -! -! *output_name = 0; -! -! if (input_name_buffer == GSS_C_NO_BUFFER) -! return (GSS_S_BAD_NAME); -! -! if (GSS_EMPTY_BUFFER(input_name_buffer)) -! return (GSS_S_BAD_NAME); - - /* - * First create the union name struct that will hold the external ---- 87,97 ---- - gss_union_name_t union_name; - OM_uint32 tmp, major_status = GSS_S_FAILURE; - -! major_status = val_imp_name_args(minor_status, -! input_name_buffer, input_name_type, -! output_name); -! if (major_status != GSS_S_COMPLETE) -! return (major_status); - - /* - * First create the union name struct that will hold the external -Index: src/lib/gssapi/mechglue/g_compare_name.c -=================================================================== -*** src/lib/gssapi/mechglue/g_compare_name.c (revision 18858) ---- src/lib/gssapi/mechglue/g_compare_name.c (working copy) -*************** -*** 33,38 **** ---- 33,63 ---- - #endif - #include - -+ static OM_uint32 -+ val_comp_name_args( -+ OM_uint32 *minor_status, -+ gss_name_t name1, -+ gss_name_t name2, -+ int *name_equal) -+ { -+ -+ /* Initialize outputs. */ -+ -+ if (minor_status != NULL) -+ *minor_status = 0; -+ -+ /* Validate arguments. */ -+ -+ if (name1 == GSS_C_NO_NAME || name2 == GSS_C_NO_NAME) -+ return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME); -+ -+ if (name_equal == NULL) -+ return (GSS_S_CALL_INACCESSIBLE_WRITE); -+ -+ return (GSS_S_COMPLETE); -+ } -+ -+ - OM_uint32 KRB5_CALLCONV - gss_compare_name (minor_status, - name1, -*************** -*** 50,64 **** - gss_mechanism mech; - gss_name_t internal_name; - -! if (minor_status == NULL) -! return (GSS_S_CALL_INACCESSIBLE_WRITE); -! *minor_status = 0; -! -! if (name1 == 0 || name2 == 0) -! return (GSS_S_CALL_INACCESSIBLE_READ | GSS_S_BAD_NAME); -! -! if (name_equal == NULL) -! return (GSS_S_CALL_INACCESSIBLE_WRITE); - - union_name1 = (gss_union_name_t) name1; - union_name2 = (gss_union_name_t) name2; ---- 75,84 ---- - gss_mechanism mech; - gss_name_t internal_name; - -! major_status = val_comp_name_args(minor_status, -! name1, name2, name_equal); -! if (major_status != GSS_S_COMPLETE) -! return (major_status); - - union_name1 = (gss_union_name_t) name1; - union_name2 = (gss_union_name_t) name2; -Index: src/lib/gssapi/mechglue/oid_ops.c -=================================================================== -*** src/lib/gssapi/mechglue/oid_ops.c (revision 18858) ---- src/lib/gssapi/mechglue/oid_ops.c (working copy) -*************** -*** 49,55 **** - if (minor_status) - *minor_status = 0; - -! if (*oid == GSS_C_NO_OID) - return(GSS_S_COMPLETE); - - /* ---- 49,55 ---- - if (minor_status) - *minor_status = 0; - -! if (oid == NULL || *oid == GSS_C_NO_OID) - return(GSS_S_COMPLETE); - - /* -*************** -*** 227,238 **** - unsigned char *cp; - char *bp; - -! *minor_status = 0; - - if (oid == NULL || oid->length == 0 || oid->elements == NULL) - return (GSS_S_CALL_INACCESSIBLE_READ); - -! if (oid_str == NULL) - return (GSS_S_CALL_INACCESSIBLE_WRITE); - - /* Decoded according to krb5/gssapi_krb5.c */ ---- 227,244 ---- - unsigned char *cp; - char *bp; - -! if (minor_status != NULL) -! *minor_status = 0; -! -! if (oid_str != GSS_C_NO_BUFFER) { -! oid_str->length = 0; -! oid_str->value = NULL; -! } - - if (oid == NULL || oid->length == 0 || oid->elements == NULL) - return (GSS_S_CALL_INACCESSIBLE_READ); - -! if (oid_str == GSS_C_NO_BUFFER) - return (GSS_S_CALL_INACCESSIBLE_WRITE); - - /* Decoded according to krb5/gssapi_krb5.c */ -*************** -*** 307,313 **** - int index; - unsigned char *op; - -! *minor_status = 0; - - if (GSS_EMPTY_BUFFER(oid_str)) - return (GSS_S_CALL_INACCESSIBLE_READ); ---- 313,323 ---- - int index; - unsigned char *op; - -! if (minor_status != NULL) -! *minor_status = 0; -! -! if (oid != NULL) -! *oid = GSS_C_NO_OID; - - if (GSS_EMPTY_BUFFER(oid_str)) - return (GSS_S_CALL_INACCESSIBLE_READ); -*************** -*** 458,473 **** - OM_uint32 major = GSS_S_COMPLETE; - OM_uint32 index; - -! if (minor_status) - *minor_status = 0; - -! if (oidset == NULL) - return (GSS_S_CALL_INACCESSIBLE_READ); - - if (new_oidset == NULL) - return (GSS_S_CALL_INACCESSIBLE_WRITE); -- -- *new_oidset = NULL; - - if ((copy = (gss_OID_set_desc *) calloc(1, sizeof (*copy))) == NULL) { - major = GSS_S_FAILURE; ---- 468,484 ---- - OM_uint32 major = GSS_S_COMPLETE; - OM_uint32 index; - -! if (minor_status != NULL) - *minor_status = 0; - -! if (new_oidset != NULL) -! *new_oidset = GSS_C_NO_OID_SET; -! -! if (oidset == GSS_C_NO_OID_SET) - return (GSS_S_CALL_INACCESSIBLE_READ); - - if (new_oidset == NULL) - return (GSS_S_CALL_INACCESSIBLE_WRITE); - - if ((copy = (gss_OID_set_desc *) calloc(1, sizeof (*copy))) == NULL) { - major = GSS_S_FAILURE; -Index: src/kadmin/server/ovsec_kadmd.c -=================================================================== -*** src/kadmin/server/ovsec_kadmd.c (revision 18858) ---- src/kadmin/server/ovsec_kadmd.c (working copy) -*************** -*** 993,998 **** ---- 993,1003 ---- - int i; - const char *procname; - -+ client.length = 0; -+ client.value = NULL; -+ server.length = 0; -+ server.value = NULL; -+ - (void) gss_display_name(&minor, client_name, &client, &gss_type); - (void) gss_display_name(&minor, server_name, &server, &gss_type); - if (client.value == NULL) diff --git a/CVE-2007-3999-2.patch b/CVE-2007-3999-2.patch deleted file mode 100644 index 3ef2e7e..0000000 --- a/CVE-2007-3999-2.patch +++ /dev/null @@ -1,30 +0,0 @@ -*** src/lib/rpc/svc_auth_gss.c (revision 20474) ---- src/lib/rpc/svc_auth_gss.c (local) -*************** -*** 355,360 **** ---- 355,369 ---- - memset(rpchdr, 0, sizeof(rpchdr)); - - /* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */ -+ oa = &msg->rm_call.cb_cred; -+ if (oa->oa_length > MAX_AUTH_BYTES) -+ return (FALSE); -+ -+ /* 8 XDR units from the IXDR macro calls. */ -+ if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT + -+ RNDUP(oa->oa_length))) -+ return (FALSE); -+ - buf = (int32_t *)(void *)rpchdr; - IXDR_PUT_LONG(buf, msg->rm_xid); - IXDR_PUT_ENUM(buf, msg->rm_direction); -*************** -*** 362,368 **** - IXDR_PUT_LONG(buf, msg->rm_call.cb_prog); - IXDR_PUT_LONG(buf, msg->rm_call.cb_vers); - IXDR_PUT_LONG(buf, msg->rm_call.cb_proc); -- oa = &msg->rm_call.cb_cred; - IXDR_PUT_ENUM(buf, oa->oa_flavor); - IXDR_PUT_LONG(buf, oa->oa_length); - if (oa->oa_length) { ---- 371,376 ---- diff --git a/CVE-2007-4000.patch b/CVE-2007-4000.patch deleted file mode 100644 index e01e4f8..0000000 --- a/CVE-2007-4000.patch +++ /dev/null @@ -1,22 +0,0 @@ -*** src/lib/kadm5/srv/svr_policy.c (revision 20254) ---- src/lib/kadm5/srv/svr_policy.c (local) -*************** -*** 211,218 **** - if((mask & KADM5_POLICY)) - return KADM5_BAD_MASK; - -! ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt); -! if( ret && (cnt==0) ) - return KADM5_UNK_POLICY; - - if ((mask & KADM5_PW_MAX_LIFE)) ---- 211,219 ---- - if((mask & KADM5_POLICY)) - return KADM5_BAD_MASK; - -! if ((ret = krb5_db_get_policy(handle->context, entry->policy, &p, &cnt))) -! return ret; -! if (cnt != 1) - return KADM5_UNK_POLICY; - - if ((mask & KADM5_PW_MAX_LIFE)) diff --git a/krb5-1.3.3-rcp-markus.patch b/krb5-1.3.3-rcp-markus.patch deleted file mode 100644 index 8ef0233..0000000 --- a/krb5-1.3.3-rcp-markus.patch +++ /dev/null @@ -1,46 +0,0 @@ -Fix for CAN-2004-0175, based on Markus Friedl's fix for OpenSSH scp. - ---- krb5-1.3.3/src/appl/bsd/krcp.c 2003-05-12 18:20:15.000000000 -0400 -+++ krb5-1.3.3/src/appl/bsd/krcp.c 2004-04-13 12:01:31.000000000 -0400 -@@ -1088,6 +1088,10 @@ - size = size * 10 + (*cp++ - '0'); - if (*cp++ != ' ') - SCREWUP("size not delimited"); -+ if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) { -+ error("error: unexpected filename: %s", cp); -+ exit(1); -+ } - if (targisdir) { - if(strlen(targ) + strlen(cp) + 2 >= sizeof(nambuf)) - SCREWUP("target name too long"); -@@ -1101,6 +1105,8 @@ - nambuf[sizeof(nambuf) - 1] = '\0'; - exists = stat(nambuf, &stb) == 0; - if (cmdbuf[0] == 'D') { -+ if (!iamrecursive) -+ SCREWUP("received directory without -r"); - if (exists) { - if ((stb.st_mode&S_IFMT) != S_IFDIR) { - errno = ENOTDIR; ---- krb5-1.3.3/src/appl/bsd/v4rcp.c 2002-07-12 16:21:31.000000000 -0400 -+++ krb5-1.3.3/src/appl/bsd/v4rcp.c 2004-04-13 12:01:53.000000000 -0400 -@@ -801,6 +801,10 @@ - size = size * 10 + (*cp++ - '0'); - if (*cp++ != ' ') - SCREWUP("size not delimited"); -+ if ((strchr(cp, '/') != NULL) || (strcmp(cp, "..") == 0)) { -+ error("error: unexpected filename: %s", cp); -+ exit(1); -+ } - if (targisdir) { - if (strlen(targ) + strlen(cp) + 1 < sizeof(nambuf)) { - (void) sprintf(nambuf, "%s%s%s", targ, -@@ -817,6 +821,8 @@ - nambuf[sizeof(nambuf)-1] = '\0'; - exists = stat(nambuf, &stb) == 0; - if (cmdbuf[0] == 'D') { -+ if (!iamrecursive) -+ SCREWUP("received directory without -r"); - if (exists) { - if ((stb.st_mode&S_IFMT) != S_IFDIR) { - errno = ENOTDIR; diff --git a/krb5-1.3.3-rcp-sendlarge.patch b/krb5-1.3.3-rcp-sendlarge.patch deleted file mode 100644 index 038e6d5..0000000 --- a/krb5-1.3.3-rcp-sendlarge.patch +++ /dev/null @@ -1,47 +0,0 @@ -Fix sending of large files. This isn't *quite* right, because we still have to -open the file right to avoid EFBIG errors, and this patch doesn't fix that. -Either we build with -D_FILE_OFFSET_BITS=64, change open() to open64(), or -pass O_LARGEFILE to open(), none of which are easy to automate. - ---- krb5-1.3.3/src/appl/bsd/krcp.c 2004-04-15 00:40:00.000000000 -0400 -+++ krb5-1.3.3/src/appl/bsd/krcp.c 2004-04-15 00:55:38.000000000 -0400 -@@ -819,8 +819,13 @@ - continue; - } - } -+#ifdef HAVE_LONG_LONG -+ (void) sprintf(buf, "C%04o %lld %s\n", -+ (int) stb.st_mode&07777, (long long) stb.st_size, last); -+#else - (void) sprintf(buf, "C%04o %ld %s\n", - (int) stb.st_mode&07777, (long ) stb.st_size, last); -+#endif - (void) rcmd_stream_write(rem, buf, strlen(buf), 0); - if (response() < 0) { - (void) close(f); ---- krb5-1.3.3/src/appl/bsd/v4rcp.c 2004-04-15 00:40:28.000000000 -0400 -+++ krb5-1.3.3/src/appl/bsd/v4rcp.c 2004-04-15 00:46:57.000000000 -0400 -@@ -538,8 +538,13 @@ - continue; - } - } -+#ifdef HAVE_LONG_LONG -+ (void) sprintf(buf, "C%04o %lld %s\n", -+ (unsigned int) stb.st_mode&07777, (long long) stb.st_size, last); -+#else - (void) sprintf(buf, "C%04o %ld %s\n", - (unsigned int) stb.st_mode&07777, (long) stb.st_size, last); -+#endif - kstream_write (krem, buf, strlen (buf)); - if (response() < 0) { - (void) close(f); ---- krb5-1.3.3/src/appl/bsd/configure.in 2004-04-15 00:52:22.000000000 -0400 -+++ krb5-1.3.3/src/appl/bsd/configure.in 2004-04-15 00:52:16.000000000 -0400 -@@ -77,6 +77,7 @@ - AC_TYPE_MODE_T - AC_CHECK_FUNCS(isatty inet_aton getenv gettosbyname killpg initgroups setpriority setreuid setresuid waitpid setsid ptsname setlogin tcgetpgrp tcsetpgrp setpgid strsave utimes rmufile rresvport_af) - AC_CHECK_HEADERS(unistd.h stdlib.h string.h sys/filio.h sys/sockio.h sys/label.h sys/tty.h ttyent.h lastlog.h sys/select.h sys/ptyvar.h utmp.h sys/time.h krb4-proto.h sys/ioctl_compat.h paths.h arpa/nameser.h) -+AC_CHECK_TYPES([long long]) - AC_HEADER_STDARG - AC_REPLACE_FUNCS(getdtablesize) - dnl diff --git a/krb5-1.3.5-kprop-mktemp.patch b/krb5-1.3.5-kprop-mktemp.patch deleted file mode 100644 index 6fe5896..0000000 --- a/krb5-1.3.5-kprop-mktemp.patch +++ /dev/null @@ -1,41 +0,0 @@ -Use an in-memory ccache to silence a compiler warning. ---- krb5-1.3.5/src/slave/kprop.c 2004-11-17 12:18:48.000000000 -0500 -+++ krb5-1.3.5/src/slave/kprop.c 2004-11-17 13:42:31.926487217 -0500 -@@ -211,9 +211,8 @@ - void get_tickets(context) - krb5_context context; - { -- char buf[BUFSIZ]; - krb5_error_code retval; -- static char tkstring[] = "/tmp/kproptktXXXXXX"; -+ char tkstring[] = "MEMORY:_kproptkt"; - krb5_keytab keytab = NULL; - - /* -@@ -238,22 +237,19 @@ - #endif - - /* -- * Initialize cache file which we're going to be using -+ * Initialize an in-memory cache for temporary use - */ -- (void) mktemp(tkstring); -- sprintf(buf, "FILE:%s", tkstring); -- -- retval = krb5_cc_resolve(context, buf, &ccache); -+ retval = krb5_cc_resolve(context, tkstring, &ccache); - if (retval) { - com_err(progname, retval, "while opening credential cache %s", -- buf); -+ tkstring); - exit(1); - } - - retval = krb5_cc_initialize(context, ccache, my_principal); - if (retval) { - com_err (progname, retval, "when initializing cache %s", -- buf); -+ tkstring); - exit(1); - } - diff --git a/krb5-1.4-ktany.patch b/krb5-1.4-ktany.patch deleted file mode 100644 index dc39a63..0000000 --- a/krb5-1.4-ktany.patch +++ /dev/null @@ -1,344 +0,0 @@ ---- krb5-1.4/src/lib/krb5/keytab/ktbase.c.ktany 2004-05-27 23:44:32.000000000 -0400 -+++ krb5-1.4/src/lib/krb5/keytab/ktbase.c 2005-02-18 11:01:18.000000000 -0500 -@@ -34,14 +34,19 @@ - extern const krb5_kt_ops krb5_ktf_ops; - extern const krb5_kt_ops krb5_ktf_writable_ops; - extern const krb5_kt_ops krb5_kts_ops; -+extern const krb5_kt_ops krb5_kta_ops; - - struct krb5_kt_typelist { - const krb5_kt_ops *ops; - const struct krb5_kt_typelist *next; - }; -+static struct krb5_kt_typelist krb5_kt_typelist_any = { -+ &krb5_kta_ops, -+ 0 -+}; - const static struct krb5_kt_typelist krb5_kt_typelist_wrfile = { - &krb5_ktf_writable_ops, -- 0 -+ &krb5_kt_typelist_any - }; - const static struct krb5_kt_typelist krb5_kt_typelist_file = { - &krb5_ktf_ops, ---- /dev/null 2005-02-18 05:27:12.242575752 -0500 -+++ krb5-1.4/src/lib/krb5/keytab/kt_any.c 2005-02-18 10:38:09.000000000 -0500 -@@ -0,0 +1,292 @@ -+/* -+ * lib/krb5/keytab/kt_any.c -+ * -+ * Copyright 1998, 1999 by the Massachusetts Institute of Technology. -+ * All Rights Reserved. -+ * -+ * Export of this software from the United States of America may -+ * require a specific license from the United States Government. -+ * It is the responsibility of any person or organization contemplating -+ * export to obtain such a license before exporting. -+ * -+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -+ * distribute this software and its documentation for any purpose and -+ * without fee is hereby granted, provided that the above copyright -+ * notice appear in all copies and that both that copyright notice and -+ * this permission notice appear in supporting documentation, and that -+ * the name of M.I.T. not be used in advertising or publicity pertaining -+ * to distribution of the software without specific, written prior -+ * permission. M.I.T. makes no representations about the suitability of -+ * this software for any purpose. It is provided "as is" without express -+ * or implied warranty. -+ * -+ * -+ * krb5_kta_ops -+ */ -+ -+#include "k5-int.h" -+ -+typedef struct _krb5_ktany_data { -+ char *name; -+ krb5_keytab *choices; -+ int nchoices; -+} krb5_ktany_data; -+ -+typedef struct _krb5_ktany_cursor_data { -+ int which; -+ krb5_kt_cursor cursor; -+} krb5_ktany_cursor_data; -+ -+static krb5_error_code krb5_ktany_resolve -+ (krb5_context, -+ const char *, -+ krb5_keytab *); -+static krb5_error_code krb5_ktany_get_name -+ (krb5_context context, -+ krb5_keytab id, -+ char *name, -+ unsigned int len); -+static krb5_error_code krb5_ktany_close -+ (krb5_context context, -+ krb5_keytab id); -+static krb5_error_code krb5_ktany_get_entry -+ (krb5_context context, -+ krb5_keytab id, -+ krb5_const_principal principal, -+ krb5_kvno kvno, -+ krb5_enctype enctype, -+ krb5_keytab_entry *entry); -+static krb5_error_code krb5_ktany_start_seq_get -+ (krb5_context context, -+ krb5_keytab id, -+ krb5_kt_cursor *cursorp); -+static krb5_error_code krb5_ktany_next_entry -+ (krb5_context context, -+ krb5_keytab id, -+ krb5_keytab_entry *entry, -+ krb5_kt_cursor *cursor); -+static krb5_error_code krb5_ktany_end_seq_get -+ (krb5_context context, -+ krb5_keytab id, -+ krb5_kt_cursor *cursor); -+static void cleanup -+ (krb5_context context, -+ krb5_ktany_data *data, -+ int nchoices); -+ -+struct _krb5_kt_ops krb5_kta_ops = { -+ 0, -+ "ANY", /* Prefix -- this string should not appear anywhere else! */ -+ krb5_ktany_resolve, -+ krb5_ktany_get_name, -+ krb5_ktany_close, -+ krb5_ktany_get_entry, -+ krb5_ktany_start_seq_get, -+ krb5_ktany_next_entry, -+ krb5_ktany_end_seq_get, -+ 0, -+ 0, -+ 0 -+}; -+ -+static krb5_error_code -+krb5_ktany_resolve(context, name, id) -+ krb5_context context; -+ const char *name; -+ krb5_keytab *id; -+{ -+ const char *p, *q; -+ char *copy; -+ krb5_error_code kerror; -+ krb5_ktany_data *data; -+ int i; -+ -+ /* Allocate space for our data and remember a copy of the name. */ -+ if ((data = (krb5_ktany_data *)malloc(sizeof(krb5_ktany_data))) == NULL) -+ return(ENOMEM); -+ if ((data->name = (char *)malloc(strlen(name) + 1)) == NULL) { -+ krb5_xfree(data); -+ return(ENOMEM); -+ } -+ strcpy(data->name, name); -+ -+ /* Count the number of choices and allocate memory for them. */ -+ data->nchoices = 1; -+ for (p = name; (q = strchr(p, ',')) != NULL; p = q + 1) -+ data->nchoices++; -+ if ((data->choices = (krb5_keytab *) -+ malloc(data->nchoices * sizeof(krb5_keytab))) == NULL) { -+ krb5_xfree(data->name); -+ krb5_xfree(data); -+ return(ENOMEM); -+ } -+ -+ /* Resolve each of the choices. */ -+ i = 0; -+ for (p = name; (q = strchr(p, ',')) != NULL; p = q + 1) { -+ /* Make a copy of the choice name so we can terminate it. */ -+ if ((copy = (char *)malloc(q - p + 1)) == NULL) { -+ cleanup(context, data, i); -+ return(ENOMEM); -+ } -+ memcpy(copy, p, q - p); -+ copy[q - p] = 0; -+ -+ /* Try resolving the choice name. */ -+ kerror = krb5_kt_resolve(context, copy, &data->choices[i]); -+ krb5_xfree(copy); -+ if (kerror) { -+ cleanup(context, data, i); -+ return(kerror); -+ } -+ i++; -+ } -+ if ((kerror = krb5_kt_resolve(context, p, &data->choices[i]))) { -+ cleanup(context, data, i); -+ return(kerror); -+ } -+ -+ /* Allocate and fill in an ID for the caller. */ -+ if ((*id = (krb5_keytab)malloc(sizeof(**id))) == NULL) { -+ cleanup(context, data, i); -+ return(ENOMEM); -+ } -+ (*id)->ops = &krb5_kta_ops; -+ (*id)->data = (krb5_pointer)data; -+ (*id)->magic = KV5M_KEYTAB; -+ -+ return(0); -+} -+ -+static krb5_error_code -+krb5_ktany_get_name(context, id, name, len) -+ krb5_context context; -+ krb5_keytab id; -+ char *name; -+ unsigned int len; -+{ -+ krb5_ktany_data *data = (krb5_ktany_data *)id->data; -+ -+ if (len < strlen(data->name) + 1) -+ return(KRB5_KT_NAME_TOOLONG); -+ strcpy(name, data->name); -+ return(0); -+} -+ -+static krb5_error_code -+krb5_ktany_close(context, id) -+ krb5_context context; -+ krb5_keytab id; -+{ -+ krb5_ktany_data *data = (krb5_ktany_data *)id->data; -+ -+ cleanup(context, data, data->nchoices); -+ id->ops = 0; -+ krb5_xfree(id); -+ return(0); -+} -+ -+static krb5_error_code -+krb5_ktany_get_entry(context, id, principal, kvno, enctype, entry) -+ krb5_context context; -+ krb5_keytab id; -+ krb5_const_principal principal; -+ krb5_kvno kvno; -+ krb5_enctype enctype; -+ krb5_keytab_entry *entry; -+{ -+ krb5_ktany_data *data = (krb5_ktany_data *)id->data; -+ krb5_error_code kerror = KRB5_KT_NOTFOUND; -+ int i; -+ -+ for (i = 0; i < data->nchoices; i++) { -+ if ((kerror = krb5_kt_get_entry(context, data->choices[i], principal, -+ kvno, enctype, entry)) != ENOENT) -+ return kerror; -+ } -+ return kerror; -+} -+ -+static krb5_error_code -+krb5_ktany_start_seq_get(context, id, cursorp) -+ krb5_context context; -+ krb5_keytab id; -+ krb5_kt_cursor *cursorp; -+{ -+ krb5_ktany_data *data = (krb5_ktany_data *)id->data; -+ krb5_ktany_cursor_data *cdata; -+ krb5_error_code kerror = ENOENT; -+ int i; -+ -+ if ((cdata = (krb5_ktany_cursor_data *) -+ malloc(sizeof(krb5_ktany_cursor_data))) == NULL) -+ return(ENOMEM); -+ -+ /* Find a choice which can handle the serialization request. */ -+ for (i = 0; i < data->nchoices; i++) { -+ if ((kerror = krb5_kt_start_seq_get(context, data->choices[i], -+ &cdata->cursor)) == 0) -+ break; -+ else if (kerror != ENOENT) { -+ krb5_xfree(cdata); -+ return(kerror); -+ } -+ } -+ -+ if (i == data->nchoices) { -+ /* Everyone returned ENOENT, so no go. */ -+ krb5_xfree(cdata); -+ return(kerror); -+ } -+ -+ cdata->which = i; -+ *cursorp = (krb5_kt_cursor)cdata; -+ return(0); -+} -+ -+static krb5_error_code -+krb5_ktany_next_entry(context, id, entry, cursor) -+ krb5_context context; -+ krb5_keytab id; -+ krb5_keytab_entry *entry; -+ krb5_kt_cursor *cursor; -+{ -+ krb5_ktany_data *data = (krb5_ktany_data *)id->data; -+ krb5_ktany_cursor_data *cdata = (krb5_ktany_cursor_data *)*cursor; -+ krb5_keytab choice_id; -+ -+ choice_id = data->choices[cdata->which]; -+ return(krb5_kt_next_entry(context, choice_id, entry, &cdata->cursor)); -+} -+ -+static krb5_error_code -+krb5_ktany_end_seq_get(context, id, cursor) -+ krb5_context context; -+ krb5_keytab id; -+ krb5_kt_cursor *cursor; -+{ -+ krb5_ktany_data *data = (krb5_ktany_data *)id->data; -+ krb5_ktany_cursor_data *cdata = (krb5_ktany_cursor_data *)*cursor; -+ krb5_keytab choice_id; -+ krb5_error_code kerror; -+ -+ choice_id = data->choices[cdata->which]; -+ kerror = krb5_kt_end_seq_get(context, choice_id, &cdata->cursor); -+ krb5_xfree(cdata); -+ return(kerror); -+} -+ -+static void -+cleanup(context, data, nchoices) -+ krb5_context context; -+ krb5_ktany_data *data; -+ int nchoices; -+{ -+ int i; -+ -+ krb5_xfree(data->name); -+ for (i = 0; i < nchoices; i++) -+ krb5_kt_close(context, data->choices[i]); -+ krb5_xfree(data->choices); -+ krb5_xfree(data); -+} ---- krb5-1.4/src/lib/krb5/keytab/Makefile.in.ktany 2004-05-27 23:44:32.000000000 -0400 -+++ krb5-1.4/src/lib/krb5/keytab/Makefile.in 2005-02-18 10:38:09.000000000 -0500 -@@ -14,6 +14,7 @@ - ktfr_entry.o \ - ktremove.o \ - ktfns.o \ -+ kt_any.o \ - kt_file.o \ - kt_srvtab.o \ - read_servi.o -@@ -25,6 +26,7 @@ - $(OUTPRE)ktfr_entry.$(OBJEXT) \ - $(OUTPRE)ktremove.$(OBJEXT) \ - $(OUTPRE)ktfns.$(OBJEXT) \ -+ $(OUTPRE)kt_any.$(OBJEXT) \ - $(OUTPRE)kt_file.$(OBJEXT) \ - $(OUTPRE)kt_srvtab.$(OBJEXT) \ - $(OUTPRE)read_servi.$(OBJEXT) -@@ -36,6 +38,7 @@ - $(srcdir)/ktfr_entry.c \ - $(srcdir)/ktremove.c \ - $(srcdir)/ktfns.c \ -+ $(srcdir)/kt_any.c \ - $(srcdir)/kt_file.c \ - $(srcdir)/kt_srvtab.c \ - $(srcdir)/read_servi.c diff --git a/krb5-1.4.1-api.patch b/krb5-1.4.1-api.patch deleted file mode 100644 index d795f54..0000000 --- a/krb5-1.4.1-api.patch +++ /dev/null @@ -1,30 +0,0 @@ -Reference docs don't define what happens if you call krb5_realm_compare() with -malformed krb5_principal structures. Define a behavior which keeps it from -crashing if applications don't check ahead of time. - ---- krb5-1.4.1/src/lib/krb5/krb/princ_comp.c 2002-09-02 21:13:46.000000000 -0400 -+++ krb5-1.4.1/src/lib/krb5/krb/princ_comp.c 2005-06-29 13:56:55.000000000 -0400 -@@ -33,6 +33,13 @@ - krb5_boolean KRB5_CALLCONV - krb5_realm_compare(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2) - { -+ if ((princ1 == NULL) || (princ2 == NULL)) -+ return FALSE; -+ -+ if ((krb5_princ_realm(context, princ1) == NULL) || -+ (krb5_princ_realm(context, princ2) == NULL)) -+ return FALSE; -+ - if (krb5_princ_realm(context, princ1)->length != - krb5_princ_realm(context, princ2)->length || - memcmp (krb5_princ_realm(context, princ1)->data, -@@ -49,6 +56,9 @@ - register int i; - krb5_int32 nelem; - -+ if ((princ1 == NULL) || (princ2 == NULL)) -+ return FALSE; -+ - nelem = krb5_princ_size(context, princ1); - if (nelem != krb5_princ_size(context, princ2)) - return FALSE; diff --git a/krb5-1.4.2-max_dgram_size.patch b/krb5-1.4.2-max_dgram_size.patch deleted file mode 100644 index 946c31a..0000000 --- a/krb5-1.4.2-max_dgram_size.patch +++ /dev/null @@ -1,30 +0,0 @@ ---- krb5-1.4.2/src/lib/krb5/os/osconfig.c 2000-10-17 19:01:32.000000000 -0400 -+++ krb5-1.4.2/src/lib/krb5/os/osconfig.c 2005-09-14 19:35:31.000000000 -0400 -@@ -36,7 +36,7 @@ - - char *krb5_defkeyname = DEFAULT_KEYTAB_NAME; - --unsigned int krb5_max_dgram_size = MAX_DGRAM_SIZE; -+unsigned int krb5_max_dgram_size = -1; - unsigned int krb5_max_skdc_timeout = MAX_SKDC_TIMEOUT; - unsigned int krb5_skdc_timeout_shift = SKDC_TIMEOUT_SHIFT; - unsigned int krb5_skdc_timeout_1 = SKDC_TIMEOUT_1; ---- krb5-1.4.2/src/lib/krb5/os/sendto_kdc.c 2005-07-20 18:52:33.000000000 -0400 -+++ krb5-1.4.2/src/lib/krb5/os/sendto_kdc.c 2005-09-14 19:35:31.000000000 -0400 -@@ -1043,6 +1043,16 @@ - - dprint("krb5int_sendto(message=%d@%p)\n", message->length, message->data); - -+ if (krb5_max_dgram_size < 0) { -+ int tmp; -+ tmp = profile_get_integer(context->profile, -+ "libdefaults", "max_dgram_size", NULL, -+ MAX_DGRAM_SIZE, &krb5_max_dgram_size); -+ if ((tmp != 0) || (krb5_max_dgram_size < 0)) { -+ krb5_max_dgram_size = MAX_DGRAM_SIZE; -+ } -+ } -+ - reply->data = 0; - reply->length = 0; - diff --git a/krb5-1.4.3-enospc.patch b/krb5-1.4.3-enospc.patch deleted file mode 100644 index c5fcae9..0000000 --- a/krb5-1.4.3-enospc.patch +++ /dev/null @@ -1,30 +0,0 @@ -If the error message is going to be ambiguous, try to give the user some clue -by returning the last error reported by the OS. - ---- krb5-1.4.3/src/clients/kinit/kinit.c 2006-02-06 13:50:06.000000000 -0500 -+++ krb5-1.4.3/src/clients/kinit/kinit.c 2006-02-06 13:49:41.000000000 -0500 -@@ -34,6 +34,7 @@ - #else - #undef HAVE_KRB524 - #endif -+#include - #include - #include - #include -@@ -846,8 +847,14 @@ - - code = krb5_cc_initialize(k5->ctx, k5->cc, k5->me); - if (code) { -- com_err(progname, code, "when initializing cache %s", -- opts->k5_cache_name?opts->k5_cache_name:""); -+ if ((code == KRB5_CC_IO) && (errno != 0)) { -+ com_err(progname, code, "when initializing cache %s: %s", -+ opts->k5_cache_name?opts->k5_cache_name:"", -+ strerror(errno)); -+ } else { -+ com_err(progname, code, "when initializing cache %s", -+ opts->k5_cache_name?opts->k5_cache_name:""); -+ } - goto cleanup; - } - diff --git a/krb5-1.5-fclose.patch b/krb5-1.5-fclose.patch deleted file mode 100644 index 743b24a..0000000 --- a/krb5-1.5-fclose.patch +++ /dev/null @@ -1,40 +0,0 @@ -Ensure that we don't accidentally attempt to use or fclose() a file which we -have already fclose()d. - ---- krb5-1.5/src/lib/krb5/keytab/kt_file.c 2006-06-13 10:14:27.000000000 -0400 -+++ krb5-1.5/src/lib/krb5/keytab/kt_file.c 2006-07-05 14:55:11.000000000 -0400 -@@ -1083,29 +1083,32 @@ - if (writevno) { - kt_vno = htons(krb5_kt_default_vno); - KTVERSION(id) = krb5_kt_default_vno; - if (!xfwrite(&kt_vno, sizeof(kt_vno), 1, KTFILEP(id))) { -- kerror = errno; -+ kerror = errno ? errno : EIO; - (void) krb5_unlock_file(context, fileno(KTFILEP(id))); - (void) fclose(KTFILEP(id)); -+ KTFILEP(id) = 0; - return kerror; - } - } else { - /* gotta verify it instead... */ - if (!xfread(&kt_vno, sizeof(kt_vno), 1, KTFILEP(id))) { - if (feof(KTFILEP(id))) - kerror = KRB5_KEYTAB_BADVNO; - else -- kerror = errno; -+ kerror = errno ? errno : EIO; - (void) krb5_unlock_file(context, fileno(KTFILEP(id))); - (void) fclose(KTFILEP(id)); -+ KTFILEP(id) = 0; - return kerror; - } - kt_vno = KTVERSION(id) = ntohs(kt_vno); - if ((kt_vno != KRB5_KT_VNO) && - (kt_vno != KRB5_KT_VNO_1)) { - (void) krb5_unlock_file(context, fileno(KTFILEP(id))); - (void) fclose(KTFILEP(id)); -+ KTFILEP(id) = 0; - return KRB5_KEYTAB_BADVNO; - } - } - return 0; diff --git a/krb5-1.5-io.patch b/krb5-1.5-io.patch deleted file mode 100644 index 474c0cf..0000000 --- a/krb5-1.5-io.patch +++ /dev/null @@ -1,251 +0,0 @@ -We can get stuck if a write is going to block because both ends are writing and -neither end is reading. This is a port of a patch which aims to solve that -problem, but for now it's incomplete because we don't handle partial writes. A -proper non-blocking implementation would require a bit more work. - -diff -ur krb5-1.5/src/appl/bsd/defines.h krb5-1.5/src/appl/bsd/defines.h ---- krb5-1.5/src/appl/bsd/defines.h 2003-01-01 05:13:20.000000000 -0500 -+++ krb5-1.5/src/appl/bsd/defines.h 2006-07-21 15:11:44.000000000 -0400 -@@ -34,6 +34,7 @@ - enum kcmd_proto *protonum /* input and output */ - ); - -+extern int rcmd_stream_has_unsent_data (void); - extern int rcmd_stream_read (int fd, char *buf, size_t len, int secondary); - extern int rcmd_stream_write (int fd, char *buf, size_t len, int secondary); - extern int getport (int * /* portnum */, int * /* addrfamily */); -diff -ur krb5-1.5/src/appl/bsd/kcmd.c krb5-1.5/src/appl/bsd/kcmd.c ---- krb5-1.5/src/appl/bsd/kcmd.c 2004-10-01 18:08:14.000000000 -0400 -+++ krb5-1.5/src/appl/bsd/kcmd.c 2006-07-21 15:11:44.000000000 -0400 -@@ -839,6 +839,11 @@ - output = twrite; - } - -+int rcmd_stream_has_unsent_data (void) -+{ -+ return (nstored > 0); -+} -+ - void rcmd_stream_init_krb5(in_keyblock, encrypt_flag, lencheck, am_client, - protonum) - krb5_keyblock *in_keyblock; -@@ -1019,7 +1024,8 @@ - cc = krb5_net_read(bsd_context, fd, &c, 1); - /* we should check for non-blocking here, but we'd have - to make it save partial reads as well. */ -- if (cc <= 0) return cc; /* read error */ -+ if (cc == 0) return nreturned; /* EOF */ -+ if (cc < 0) return cc; /* read error */ - if (cc == 1) { - if (c == 0 || !do_lencheck) break; - } -diff -ur krb5-1.5/src/appl/bsd/krsh.c krb5-1.5/src/appl/bsd/krsh.c ---- krb5-1.5/src/appl/bsd/krsh.c 2006-07-21 16:05:57.000000000 -0400 -+++ krb5-1.5/src/appl/bsd/krsh.c 2006-07-21 15:19:05.000000000 -0400 -@@ -128,10 +128,11 @@ - char **argv0; - { - int rem, pid = 0; -- char *host=0, *cp, **ap, buf[RCMD_BUFSIZ], *args, **argv = argv0, *user = 0; -+ char *host=0, *cp, **ap, buf[PIPE_BUF], *args, **argv = argv0, *user = 0; - register int cc; - struct passwd *pwd; - fd_set readfrom, ready; -+ fd_set writeto, ready_wr; - int one = 1; - struct servent *sp; - struct servent defaultservent; -@@ -548,9 +549,14 @@ - FD_ZERO(&readfrom); - FD_SET(rfd2, &readfrom); - FD_SET(rem, &readfrom); -+ FD_ZERO(&writeto); - do { -+ int max_fd; -+ max_fd = (rfd2 > rem) ? rfd2 : rem; -+ max_fd = (max_fd > 2) ? max_fd : 2; - ready = readfrom; -- if (select(((rfd2 > rem) ? rfd2 : rem) + 1, &ready, 0, 0, 0) < 0) { -+ ready_wr = writeto; -+ if (select(max_fd + 1, &ready, &ready_wr, 0, 0) < 0) { - if (errno != EINTR) { - perror("select"); - exit(1); -@@ -558,22 +564,38 @@ - continue; - } - if (FD_ISSET(rfd2, &ready)) { -- errno = 0; -- cc = rcmd_stream_read(rfd2, buf, sizeof buf, 1); -- if (cc <= 0) { -- if ((errno != EWOULDBLOCK) && (errno != EAGAIN)) -- FD_CLR(rfd2, &readfrom); -- } else -- (void) write(2, buf, (unsigned) cc); -+ FD_SET(2, &writeto); -+ } -+ if (FD_ISSET(2, &ready_wr)) { -+ do { -+ errno = 0; -+ cc = rcmd_stream_read(rfd2, buf, sizeof buf, 1); -+ if (cc <= 0) { -+ if ((errno != EWOULDBLOCK) && (errno != EAGAIN)) { -+ FD_CLR(rfd2, &readfrom); -+ break; -+ } -+ } else -+ (void) write(2, buf, (unsigned) cc); -+ } while (rcmd_stream_has_unsent_data()); -+ FD_CLR(2, &writeto); - } - if (FD_ISSET(rem, &ready)) { -- errno = 0; -- cc = rcmd_stream_read(rem, buf, sizeof buf, 0); -- if (cc <= 0) { -- if ((errno != EWOULDBLOCK) && (errno != EAGAIN)) -- FD_CLR(rem, &readfrom); -- } else -- (void) write(1, buf, (unsigned) cc); -+ FD_SET(1, &writeto); -+ } -+ if (FD_ISSET(1, &ready_wr)) { -+ do { -+ errno = 0; -+ cc = rcmd_stream_read(rem, buf, sizeof buf, 0); -+ if (cc <= 0) { -+ if ((errno != EWOULDBLOCK) && (errno != EAGAIN)) { -+ FD_CLR(rem, &readfrom); -+ break; -+ } -+ } else -+ (void) write(1, buf, (unsigned) cc); -+ } while (rcmd_stream_has_unsent_data()); -+ FD_CLR(1, &writeto); - } - } while (FD_ISSET(rem, &readfrom) || FD_ISSET(rfd2, &readfrom)); - if (nflag == 0) -diff -ur krb5-1.5/src/appl/bsd/krshd.c krb5-1.5/src/appl/bsd/krshd.c ---- krb5-1.5/src/appl/bsd/krshd.c 2006-06-20 00:06:52.000000000 -0400 -+++ krb5-1.5/src/appl/bsd/krshd.c 2006-07-21 16:02:12.000000000 -0400 -@@ -633,7 +633,8 @@ - short port; - int pv[2], pw[2], px[2], cc; - fd_set ready, readfrom; -- char buf[RCMD_BUFSIZ], sig; -+ fd_set ready_wr, writeto; -+ char buf[PIPE_BUF], sig; - struct sockaddr_storage localaddr; - #ifdef POSIX_SIGNALS - struct sigaction sa; -@@ -1261,6 +1262,10 @@ - if (pw[0] > maxfd) - maxfd = pw[0]; - -+ if (px[1] > maxfd) -+ maxfd = px[1]; -+ FD_ZERO(&writeto); -+ - /* read from f, write to px[1] -- child stdin */ - /* read from s, signal child */ - /* read from pv[0], write to s -- child stderr */ -@@ -1268,36 +1273,47 @@ - - do { - ready = readfrom; -- if (select(maxfd + 1, &ready, (fd_set *)0, -+ ready_wr = writeto; -+ if (select(maxfd + 1, &ready, &ready_wr, - (fd_set *)0, (struct timeval *)0) < 0) { - if (errno == EINTR) { - continue; - } else { - break; -- } -+ } - } - - if (port&&FD_ISSET(pv[0], &ready)) { -+ FD_SET(s, &writeto); -+ FD_CLR(pv[0], &readfrom); -+ } -+ if (port&&FD_ISSET(s, &ready_wr)) { - /* read from the child stderr, write to the net */ - errno = 0; - cc = read(pv[0], buf, sizeof (buf)); -- if (cc <= 0) { -+ if ((cc <= 0) || -+ (rcmd_stream_write(s, buf, (unsigned) cc, 1) != cc)) { - shutdown(s, 1+1); -- FD_CLR(pv[0], &readfrom); - } else { -- (void) rcmd_stream_write(s, buf, (unsigned) cc, 1); -+ FD_SET(pv[0], &readfrom); - } -+ FD_CLR(s, &writeto); - } - if (FD_ISSET(pw[0], &ready)) { -+ FD_SET(f, &writeto); -+ FD_CLR(pw[0], &readfrom); -+ } -+ if (FD_ISSET(f, &ready_wr)) { - /* read from the child stdout, write to the net */ - errno = 0; - cc = read(pw[0], buf, sizeof (buf)); -- if (cc <= 0) { -+ if ((cc <= 0) || -+ (rcmd_stream_write(f, buf, (unsigned) cc, 0) != cc)) { - shutdown(f, 1+1); -- FD_CLR(pw[0], &readfrom); - } else { -- (void) rcmd_stream_write(f, buf, (unsigned) cc, 0); -+ FD_SET(pw[0], &readfrom); - } -+ FD_CLR(f, &writeto); - } - if (port&&FD_ISSET(s, &ready)) { - /* read from the alternate channel, signal the child */ -@@ -1315,12 +1331,15 @@ - } - } - if (FD_ISSET(f, &ready)) { -+ FD_SET(px[1], &writeto); -+ FD_CLR(f, &readfrom); -+ } -+ if (FD_ISSET(px[1], &ready_wr)) { - /* read from the net, write to child stdin */ - errno = 0; - cc = rcmd_stream_read(f, buf, sizeof(buf), 0); - if (cc <= 0) { - (void) close(px[1]); -- FD_CLR(f, &readfrom); - } else { - int wcc; - wcc = write(px[1], buf, (unsigned) cc); -@@ -1328,17 +1347,22 @@ - /* pipe closed, don't read any more */ - /* might check for EPIPE */ - (void) close(px[1]); -- FD_CLR(f, &readfrom); -- } else if (wcc != cc) { -- syslog(LOG_INFO, "only wrote %d/%d to child", -- wcc, cc); -+ } else { -+ if (wcc != cc) -+ syslog(LOG_INFO, "only wrote %d/%d to child", -+ wcc, cc); -+ FD_SET(f, &readfrom); - } - } -+ FD_CLR(px[1], &writeto); - } - } while ((port&&FD_ISSET(s, &readfrom)) || - FD_ISSET(f, &readfrom) || - (port&&FD_ISSET(pv[0], &readfrom) )|| -- FD_ISSET(pw[0], &readfrom)); -+ FD_ISSET(pw[0], &readfrom) || -+ (port&&FD_ISSET(s, &writeto)) || -+ FD_ISSET(f, &writeto) || -+ FD_ISSET(px[1], &writeto)); - ignore_signals(); - #ifdef KERBEROS - syslog(LOG_INFO , diff --git a/krb5-1.5-kt_default_name.patch b/krb5-1.5-kt_default_name.patch deleted file mode 100644 index 59fb02b..0000000 --- a/krb5-1.5-kt_default_name.patch +++ /dev/null @@ -1,46 +0,0 @@ ---- krb5-1.5/src/kadmin/cli/kadmin.c.kt_default_name 2006-10-18 14:13:18.000000000 -0400 -+++ krb5-1.5/src/kadmin/cli/kadmin.c 2006-10-18 14:13:35.000000000 -0400 -@@ -533,15 +533,6 @@ - exit(1); - } - -- /* register the WRFILE keytab type and set it as the default */ -- { --#define DEFAULT_KEYTAB "WRFILE:/etc/krb5.keytab" -- /* XXX krb5_defkeyname is an internal library global and -- should go away */ -- extern char *krb5_defkeyname; -- krb5_defkeyname = DEFAULT_KEYTAB; -- } -- - return query; - } - ---- krb5-1.5/src/kadmin/cli/keytab.c.kt_default_name 2006-10-18 14:07:36.000000000 -0400 -+++ krb5-1.5/src/kadmin/cli/keytab.c 2006-10-18 14:51:21.000000000 -0400 -@@ -69,15 +69,20 @@ - krb5_keytab *keytab) - { - int code; -+ char filename[FILENAME_MAX]; - - if (*keytab_str == NULL) { -- /* XXX krb5_defkeyname is an internal library global and -- should go away */ -- if (! (*keytab_str = strdup(krb5_defkeyname))) { -- com_err(whoami, ENOMEM, "while creating keytab name"); -+ code = krb5_kt_default_name(my_context, filename, sizeof(filename)); -+ if (code != 0) { -+ com_err(whoami, code, "while determining default keytab name"); -+ return 1; -+ } -+ *keytab_str = strdup(filename); -+ if (*keytab_str == NULL) { -+ com_err(whoami, ENOMEM, "while creating default keytab name"); - return 1; - } -- code = krb5_kt_default(my_context, keytab); -+ code = krb5_kt_resolve(my_context, *keytab_str, keytab); - if (code != 0) { - com_err(whoami, code, "while opening default keytab"); - free(*keytab_str); diff --git a/krb5-1.5.1-1.6-pal.patch b/krb5-1.5.1-1.6-pal.patch deleted file mode 100644 index fbb748d..0000000 --- a/krb5-1.5.1-1.6-pal.patch +++ /dev/null @@ -1,4175 +0,0 @@ -diff -upNr krb5-1.5.1 krb5-1.6 ---- krb5/src/kdc/dispatch.c -+++ krb5/src/kdc/dispatch.c -@@ -94,7 +94,7 @@ dispatch(krb5_data *pkt, const krb5_full - * pointer. - */ - if (!(retval = setup_server_realm(as_req->server))) { -- retval = process_as_req(as_req, from, response); -+ retval = process_as_req(as_req, pkt, from, response); - } - krb5_free_kdc_req(kdc_context, as_req); - } ---- krb5/src/kdc/Makefile.in -+++ krb5/src/kdc/Makefile.in -@@ -13,7 +13,7 @@ PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH - KDB5_LIB_DEPS=$(DL_LIB) $(THREAD_LINKOPTS) - PROG_RPATH=$(KRB5_LIBDIR) - FAKEKA=@FAKEKA@ --DEFS= -+DEFS=-DLIBDIR=\"$(KRB5_LIBDIR)\" - - all:: krb5kdc rtest $(FAKEKA) - ---- krb5/src/kdc/do_as_req.c -+++ krb5/src/kdc/do_as_req.c -@@ -50,8 +50,8 @@ static krb5_error_code prepare_error_as - - /*ARGSUSED*/ - krb5_error_code --process_as_req(krb5_kdc_req *request, const krb5_fulladdr *from, -- krb5_data **response) -+process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, -+ const krb5_fulladdr *from, krb5_data **response) - { - krb5_db_entry client, server; - krb5_kdc_rep reply; -@@ -78,6 +78,7 @@ process_as_req(krb5_kdc_req *request, co - char ktypestr[128]; - char rep_etypestr[128]; - char fromstringbuf[70]; -+ void *pa_context = NULL; - - ticket_reply.enc_part.ciphertext.data = 0; - e_data.data = 0; -@@ -260,7 +261,8 @@ process_as_req(krb5_kdc_req *request, co - * Check the preauthentication if it is there. - */ - if (request->padata) { -- errcode = check_padata(kdc_context, &client, request, &enc_tkt_reply); -+ errcode = check_padata(kdc_context, &client, req_pkt, request, -+ &enc_tkt_reply, &pa_context, &e_data); - if (errcode) { - #ifdef KRBCONF_KDC_MODIFIES_KDB - /* -@@ -381,8 +383,8 @@ process_as_req(krb5_kdc_req *request, co - reply_encpart.caddrs = enc_tkt_reply.caddrs; - - /* Fetch the padata info to be returned */ -- errcode = return_padata(kdc_context, &client, request, &reply, client_key, -- &encrypting_key); -+ errcode = return_padata(kdc_context, &client, req_pkt, request, -+ &reply, client_key, &encrypting_key, &pa_context); - if (errcode) { - status = "KDC_RETURN_PADATA"; - goto errout; -@@ -427,8 +429,11 @@ process_as_req(krb5_kdc_req *request, co - #endif /* KRBCONF_KDC_MODIFIES_KDB */ - - errout: -+ if (pa_context) -+ free_padata_context(kdc_context, &pa_context); -+ - if (status) { -- char * emsg = 0; -+ const char * emsg = 0; - if (errcode) - emsg = krb5_get_error_message (kdc_context, errcode); - ---- krb5/src/kdc/kdc_preauth.c -+++ krb5/src/kdc/kdc_preauth.c -@@ -60,6 +60,13 @@ - #include - - #include -+#include "../include/krb5/preauth_plugin.h" -+ -+#if TARGET_OS_MAC -+static const char *objdirs[] = { KRB5_PLUGIN_BUNDLE_DIR, LIBDIR "/krb5/plugins/preauth", NULL }; /* should be a list */ -+#else -+static const char *objdirs[] = { LIBDIR "/krb5/plugins/preauth", NULL }; -+#endif - - /* XXX This is ugly and should be in a header file somewhere */ - #ifndef KRB5INT_DES_TYPES_DEFINED -@@ -72,44 +79,76 @@ extern int mit_des_is_weak_key (mit_des_ - - typedef krb5_error_code (*verify_proc) - (krb5_context, krb5_db_entry *client, -+ krb5_data *req_pkt, - krb5_kdc_req *request, -- krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data); -+ krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data, -+ preauth_get_entry_data_proc get_entry_data, -+ void *pa_module_context, -+ void **pa_request_context, -+ krb5_data **e_data); - - typedef krb5_error_code (*edata_proc) - (krb5_context, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, -+ preauth_get_entry_data_proc get_entry_data, -+ void *pa_module_context, - krb5_pa_data *data); - - typedef krb5_error_code (*return_proc) - (krb5_context, krb5_pa_data * padata, - krb5_db_entry *client, -+ krb5_data *req_pkt, - krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_key_data *client_key, - krb5_keyblock *encrypting_key, -- krb5_pa_data **send_pa); -+ krb5_pa_data **send_pa, -+ preauth_get_entry_data_proc get_entry_data, -+ void *pa_module_context, -+ void **pa_request_context); -+ -+typedef krb5_error_code (*freepa_proc) -+ (krb5_context, void *pa_module_context, void **pa_request_context); -+ -+typedef krb5_error_code (*init_proc) -+ (krb5_context, void **); -+typedef void (*fini_proc) -+ (krb5_context, void *); - - typedef struct _krb5_preauth_systems { -- char * name; -+ const char *name; - int type; - int flags; -+ void *plugin_context; -+ init_proc init; -+ fini_proc fini; - edata_proc get_edata; - verify_proc verify_padata; - return_proc return_padata; -+ freepa_proc free_pa_request_context; - } krb5_preauth_systems; - - static krb5_error_code verify_enc_timestamp - (krb5_context, krb5_db_entry *client, -+ krb5_data *req_pkt, - krb5_kdc_req *request, -- krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data); -+ krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data, -+ preauth_get_entry_data_proc get_entry_data, -+ void *pa_system_context, -+ void **pa_request_context, -+ krb5_data **e_data); - - static krb5_error_code get_etype_info - (krb5_context, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, -+ preauth_get_entry_data_proc get_entry_data, -+ void *pa_system_context, - krb5_pa_data *data); - static krb5_error_code - get_etype_info2(krb5_context context, krb5_kdc_req *request, -- krb5_db_entry *client, krb5_db_entry *server, -- krb5_pa_data *pa_data); -+ krb5_db_entry *client, krb5_db_entry *server, -+ preauth_get_entry_data_proc get_entry_data, -+ void *pa_system_context, -+ krb5_pa_data *pa_data); - static krb5_error_code - etype_info_as_rep_helper(krb5_context context, krb5_pa_data * padata, - krb5_db_entry *client, -@@ -122,58 +161,76 @@ etype_info_as_rep_helper(krb5_context co - static krb5_error_code - return_etype_info(krb5_context, krb5_pa_data * padata, - krb5_db_entry *client, -+ krb5_data *req_pkt, - krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_key_data *client_key, - krb5_keyblock *encrypting_key, -- krb5_pa_data **send_pa); -+ krb5_pa_data **send_pa, -+ preauth_get_entry_data_proc get_entry_data, -+ void *pa_system_context, -+ void **pa_request_context); - - static krb5_error_code - return_etype_info2(krb5_context, krb5_pa_data * padata, - krb5_db_entry *client, -+ krb5_data *req_pkt, - krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_key_data *client_key, - krb5_keyblock *encrypting_key, -- krb5_pa_data **send_pa); -+ krb5_pa_data **send_pa, -+ preauth_get_entry_data_proc get_entry_data, -+ void *pa_system_context, -+ void **pa_request_context); - - static krb5_error_code return_pw_salt - (krb5_context, krb5_pa_data * padata, - krb5_db_entry *client, -+ krb5_data *req_pkt, - krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_key_data *client_key, - krb5_keyblock *encrypting_key, -- krb5_pa_data **send_pa); -+ krb5_pa_data **send_pa, -+ preauth_get_entry_data_proc get_entry_data, -+ void *pa_system_context, -+ void **pa_request_context); - - /* SAM preauth support */ - static krb5_error_code verify_sam_response - (krb5_context, krb5_db_entry *client, -+ krb5_data *req_pkt, - krb5_kdc_req *request, -- krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data); -+ krb5_enc_tkt_part * enc_tkt_reply, krb5_pa_data *data, -+ preauth_get_entry_data_proc get_entry_data, -+ void *pa_module_context, -+ void **pa_request_context, -+ krb5_data **e_data); - - static krb5_error_code get_sam_edata - (krb5_context, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, -+ preauth_get_entry_data_proc get_entry_data, -+ void *pa_module_context, - krb5_pa_data *data); - static krb5_error_code return_sam_data - (krb5_context, krb5_pa_data * padata, - krb5_db_entry *client, -+ krb5_data *req_pkt, - krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_key_data *client_key, - krb5_keyblock *encrypting_key, -- krb5_pa_data **send_pa); --/* -- * Preauth property flags -- */ --#define PA_HARDWARE 0x00000001 --#define PA_REQUIRED 0x00000002 --#define PA_SUFFICIENT 0x00000004 -- /* Not really a padata, so don't include it in the etype list*/ --#define PA_PSEUDO 0x00000008 -+ krb5_pa_data **send_pa, -+ preauth_get_entry_data_proc get_entry_data, -+ void *pa_module_context, -+ void **pa_request_context); - --static krb5_preauth_systems preauth_systems[] = { -+static krb5_preauth_systems static_preauth_systems[] = { - { - "timestamp", - KRB5_PADATA_ENC_TIMESTAMP, - 0, -+ NULL, -+ NULL, -+ NULL, - 0, - verify_enc_timestamp, - 0 -@@ -182,6 +239,9 @@ static krb5_preauth_systems preauth_syst - "etype-info", - KRB5_PADATA_ETYPE_INFO, - 0, -+ NULL, -+ NULL, -+ NULL, - get_etype_info, - 0, - return_etype_info -@@ -190,6 +250,9 @@ static krb5_preauth_systems preauth_syst - "etype-info2", - KRB5_PADATA_ETYPE_INFO2, - 0, -+ NULL, -+ NULL, -+ NULL, - get_etype_info2, - 0, - return_etype_info2 -@@ -198,6 +261,9 @@ static krb5_preauth_systems preauth_syst - "pw-salt", - KRB5_PADATA_PW_SALT, - PA_PSEUDO, /* Don't include this in the error list */ -+ NULL, -+ NULL, -+ NULL, - 0, - 0, - return_pw_salt -@@ -206,6 +272,9 @@ static krb5_preauth_systems preauth_syst - "sam-response", - KRB5_PADATA_SAM_RESPONSE, - 0, -+ NULL, -+ NULL, -+ NULL, - 0, - verify_sam_response, - return_sam_data -@@ -214,6 +283,9 @@ static krb5_preauth_systems preauth_syst - "sam-challenge", - KRB5_PADATA_SAM_CHALLENGE, - PA_HARDWARE, /* causes get_preauth_hint_list to use this */ -+ NULL, -+ NULL, -+ NULL, - get_sam_edata, - 0, - 0 -@@ -221,13 +293,378 @@ static krb5_preauth_systems preauth_syst - { "[end]", -1,} - }; - --#define MAX_PREAUTH_SYSTEMS (sizeof(preauth_systems)/sizeof(preauth_systems[0])) -+static krb5_preauth_systems *preauth_systems; -+static int n_preauth_systems; -+static struct plugin_dir_handle preauth_plugins; -+ -+krb5_error_code -+load_preauth_plugins(krb5_context context) -+{ -+ struct errinfo err; -+ void **preauth_plugins_ftables; -+ struct krb5plugin_preauth_server_ftable_v0 *ftable; -+ int module_count, i, j, k; -+ void *plugin_context; -+ init_proc server_init_proc = NULL; -+ -+ memset(&err, 0, sizeof(err)); -+ -+ /* Attempt to load all of the preauth plugins we can find. */ -+ PLUGIN_DIR_INIT(&preauth_plugins); -+ if (PLUGIN_DIR_OPEN(&preauth_plugins) == 0) { -+ if (krb5int_open_plugin_dirs(objdirs, NULL, -+ &preauth_plugins, &err) != 0) { -+ return KRB5_PLUGIN_NO_HANDLE; -+ } -+ } -+ -+ /* Get the method tables provided by the loaded plugins. */ -+ preauth_plugins_ftables = NULL; -+ if (krb5int_get_plugin_dir_data(&preauth_plugins, -+ "preauthentication_server_0_backport_1_6", -+ &preauth_plugins_ftables, &err) != 0) { -+ return KRB5_PLUGIN_NO_HANDLE; -+ } -+ -+ /* Count the valid modules. */ -+ module_count = sizeof(static_preauth_systems) -+ / sizeof(static_preauth_systems[0]); -+ if (preauth_plugins_ftables != NULL) { -+ for (i = 0; preauth_plugins_ftables[i] != NULL; i++) { -+ ftable = preauth_plugins_ftables[i]; -+ if ((ftable->flags_proc == NULL) && -+ (ftable->edata_proc == NULL) && -+ (ftable->verify_proc == NULL) && -+ (ftable->return_proc == NULL)) { -+ continue; -+ } -+ for (j = 0; -+ ftable->pa_type_list != NULL && -+ ftable->pa_type_list[j] > 0; -+ j++) { -+ module_count++; -+ } -+ } -+ } -+ -+ /* Build the complete list of supported preauthentication options, and -+ * leave room for a terminator entry. */ -+ preauth_systems = malloc(sizeof(krb5_preauth_systems) * (module_count + 1)); -+ if (preauth_systems == NULL) { -+ krb5int_free_plugin_dir_data(preauth_plugins_ftables); -+ return ENOMEM; -+ } -+ -+ /* Add the locally-supplied mechanisms to the dynamic list first. */ -+ for (i = 0, k = 0; -+ i < sizeof(static_preauth_systems) / sizeof(static_preauth_systems[0]); -+ i++) { -+ if (static_preauth_systems[i].type == -1) -+ break; -+ preauth_systems[k] = static_preauth_systems[i]; -+ /* Try to initialize the preauth system. If it fails, we'll remove it -+ * from the list of systems we'll be using. */ -+ plugin_context = NULL; -+ server_init_proc = static_preauth_systems[i].init; -+ if ((server_init_proc != NULL) && -+ ((*server_init_proc)(context, &plugin_context) != 0)) { -+ memset(&preauth_systems[k], 0, sizeof(preauth_systems[k])); -+ continue; -+ } -+ preauth_systems[k].plugin_context = plugin_context; -+ k++; -+ } -+ -+ /* Now add the dynamically-loaded mechanisms to the list. */ -+ if (preauth_plugins_ftables != NULL) { -+ for (i = 0; preauth_plugins_ftables[i] != NULL; i++) { -+ ftable = preauth_plugins_ftables[i]; -+ if ((ftable->flags_proc == NULL) && -+ (ftable->edata_proc == NULL) && -+ (ftable->verify_proc == NULL) && -+ (ftable->return_proc == NULL)) { -+ continue; -+ } -+ plugin_context = NULL; -+ for (j = 0; -+ ftable->pa_type_list != NULL && -+ ftable->pa_type_list[j] > 0; -+ j++) { -+ /* Try to initialize the plugin. If it fails, we'll remove it -+ * from the list of modules we'll be using. */ -+ if (j == 0) { -+ server_init_proc = ftable->init_proc; -+ if (server_init_proc != NULL) { -+ krb5_error_code initerr; -+ initerr = (*server_init_proc)(context, &plugin_context); -+ if (initerr) { -+ const char *emsg; -+ emsg = krb5_get_error_message(context, initerr); -+ if (emsg) { -+ krb5_klog_syslog(LOG_ERR, -+ "preauth %s failed to initialize: %s", -+ ftable->name, emsg); -+ krb5_free_error_message(context, emsg); -+ } -+ memset(&preauth_systems[k], 0, sizeof(preauth_systems[k])); -+ -+ break; /* skip all modules in this plugin */ -+ } -+ } -+ } -+ preauth_systems[k].name = ftable->name; -+ preauth_systems[k].type = ftable->pa_type_list[j]; -+ if (ftable->flags_proc != NULL) -+ preauth_systems[k].flags = ftable->flags_proc(context, preauth_systems[k].type); -+ else -+ preauth_systems[k].flags = 0; -+ preauth_systems[k].plugin_context = plugin_context; -+ preauth_systems[k].init = server_init_proc; -+ /* Only call fini once for each plugin */ -+ if (j == 0) -+ preauth_systems[k].fini = ftable->fini_proc; -+ else -+ preauth_systems[k].fini = NULL; -+ preauth_systems[k].get_edata = ftable->edata_proc; -+ preauth_systems[k].verify_padata = ftable->verify_proc; -+ preauth_systems[k].return_padata = ftable->return_proc; -+ preauth_systems[k].free_pa_request_context = -+ ftable->freepa_reqcontext_proc; -+ k++; -+ } -+ } -+ krb5int_free_plugin_dir_data(preauth_plugins_ftables); -+ } -+ n_preauth_systems = k; -+ /* Add the end-of-list marker. */ -+ preauth_systems[k].name = "[end]"; -+ preauth_systems[k].type = -1; -+ return 0; -+} -+ -+krb5_error_code -+unload_preauth_plugins(krb5_context context) -+{ -+ int i; -+ if (preauth_systems != NULL) { -+ for (i = 0; i < n_preauth_systems; i++) { -+ if (preauth_systems[i].fini != NULL) { -+ (*preauth_systems[i].fini)(context, -+ preauth_systems[i].plugin_context); -+ } -+ memset(&preauth_systems[i], 0, sizeof(preauth_systems[i])); -+ } -+ free(preauth_systems); -+ preauth_systems = NULL; -+ n_preauth_systems = 0; -+ krb5int_close_plugin_dirs(&preauth_plugins); -+ } -+ return 0; -+} -+ -+/* -+ * The make_padata_context() function creates a space for storing any context -+ * information which will be needed by return_padata() later. Each preauth -+ * type gets a context storage location of its own. -+ */ -+struct request_pa_context { -+ int n_contexts; -+ struct { -+ krb5_preauth_systems *pa_system; -+ void *pa_context; -+ } *contexts; -+}; -+ -+static krb5_error_code -+make_padata_context(krb5_context context, void **padata_context) -+{ -+ int i; -+ struct request_pa_context *ret; -+ -+ ret = malloc(sizeof(*ret)); -+ if (ret == NULL) { -+ return ENOMEM; -+ } -+ -+ ret->n_contexts = n_preauth_systems; -+ ret->contexts = malloc(sizeof(ret->contexts[0]) * ret->n_contexts); -+ if (ret->contexts == NULL) { -+ free(ret); -+ return ENOMEM; -+ } -+ -+ memset(ret->contexts, 0, sizeof(ret->contexts[0]) * ret->n_contexts); -+ -+ for (i = 0; i < ret->n_contexts; i++) { -+ ret->contexts[i].pa_system = &preauth_systems[i]; -+ ret->contexts[i].pa_context = NULL; -+ } -+ -+ *padata_context = ret; -+ -+ return 0; -+} -+ -+/* -+ * The free_padata_context function frees any context information pointers -+ * which the check_padata() function created but which weren't already cleaned -+ * up by return_padata(). -+ */ -+krb5_error_code -+free_padata_context(krb5_context kcontext, void **padata_context) -+{ -+ struct request_pa_context *context; -+ krb5_preauth_systems *preauth_system; -+ void **pctx, *mctx; -+ int i; -+ -+ if (padata_context == NULL) -+ return 0; -+ -+ context = *padata_context; -+ -+ for (i = 0; i < context->n_contexts; i++) { -+ if (context->contexts[i].pa_context != NULL) { -+ preauth_system = context->contexts[i].pa_system; -+ mctx = preauth_system->plugin_context; -+ if (preauth_system->free_pa_request_context != NULL) { -+ pctx = &context->contexts[i].pa_context; -+ (*preauth_system->free_pa_request_context)(kcontext, mctx, -+ pctx); -+ } -+ context->contexts[i].pa_context = NULL; -+ } -+ } -+ -+ free(context->contexts); -+ free(context); -+ -+ return 0; -+} -+ -+/* Retrieve a specified tl_data item from the given entry, and return its -+ * contents in a new krb5_data, which must be freed by the caller. */ -+static krb5_error_code -+get_entry_tl_data(krb5_context context, krb5_db_entry *entry, -+ krb5_int16 tl_data_type, krb5_data **result) -+{ -+ krb5_tl_data *tl; -+ for (tl = entry->tl_data; tl != NULL; tl = tl->tl_data_next) { -+ if (tl->tl_data_type == tl_data_type) { -+ *result = malloc(sizeof(krb5_data)); -+ if (*result == NULL) { -+ return ENOMEM; -+ } -+ (*result)->magic = KV5M_DATA; -+ (*result)->data = malloc(tl->tl_data_length); -+ if ((*result)->data == NULL) { -+ free(*result); -+ *result = NULL; -+ return ENOMEM; -+ } -+ memcpy((*result)->data, tl->tl_data_contents, tl->tl_data_length); -+ return 0; -+ } -+ } -+ return ENOENT; -+} -+ -+/* -+ * Retrieve a specific piece of information pertaining to the entry or the -+ * request and return it in a new krb5_data item which the caller must free. -+ * -+ * This may require massaging data into a contrived format, but it will -+ * hopefully keep us from having to reveal library-internal functions to -+ * modules. -+ */ -+static krb5_error_code -+get_entry_data(krb5_context context, -+ krb5_kdc_req *request, krb5_db_entry *entry, -+ krb5_int32 type, -+ krb5_data **result) -+{ -+ int i, k; -+ krb5_data *ret; -+ krb5_deltat *delta; -+ krb5_keyblock *keys; -+ krb5_key_data *entry_key; -+ -+ switch (type) { -+ case krb5plugin_preauth_entry_request_certificate: -+ return get_entry_tl_data(context, entry, -+ KRB5_TL_USER_CERTIFICATE, result); -+ break; -+ case krb5plugin_preauth_entry_max_time_skew: -+ ret = malloc(sizeof(krb5_data)); -+ if (ret == NULL) -+ return ENOMEM; -+ delta = malloc(sizeof(krb5_deltat)); -+ if (delta == NULL) { -+ free(ret); -+ return ENOMEM; -+ } -+ *delta = context->clockskew; -+ ret->data = (char *) delta; -+ ret->length = sizeof(*delta); -+ *result = ret; -+ return 0; -+ break; -+ case krb5plugin_preauth_keys: -+ ret = malloc(sizeof(krb5_data)); -+ if (ret == NULL) -+ return ENOMEM; -+ keys = malloc(sizeof(krb5_keyblock) * (request->nktypes + 1)); -+ if (keys == NULL) { -+ free(ret); -+ return ENOMEM; -+ } -+ ret->data = (char *) keys; -+ ret->length = sizeof(krb5_keyblock) * (request->nktypes + 1); -+ memset(ret->data, 0, ret->length); -+ k = 0; -+ for (i = 0; i < request->nktypes; i++) { -+ entry_key = NULL; -+ if (krb5_dbe_find_enctype(context, entry, request->ktype[i], -+ -1, 0, &entry_key) != 0) -+ continue; -+ if (krb5_dbekd_decrypt_key_data(context, &master_keyblock, -+ entry_key, &keys[k], NULL) != 0) { -+ if (keys[k].contents != NULL) -+ krb5_free_keyblock_contents(context, &keys[k]); -+ memset(&keys[k], 0, sizeof(keys[k])); -+ continue; -+ } -+ k++; -+ } -+ if (k > 0) { -+ *result = ret; -+ return 0; -+ } else { -+ free(keys); -+ free(ret); -+ } -+ break; -+ case krb5plugin_preauth_request_body: -+ ret = NULL; -+ encode_krb5_kdc_req_body(request, &ret); -+ if (ret != NULL) { -+ *result = ret; -+ return 0; -+ } -+ return ASN1_PARSE_ERROR; -+ break; -+ default: -+ break; -+ } -+ return ENOENT; -+} - - static krb5_error_code - find_pa_system(int type, krb5_preauth_systems **preauth) - { -- krb5_preauth_systems *ap = preauth_systems; -- -+ krb5_preauth_systems *ap; -+ -+ ap = preauth_systems ? preauth_systems : static_preauth_systems; - while ((ap->type != -1) && (ap->type != type)) - ap++; - if (ap->type == -1) -@@ -236,6 +673,113 @@ find_pa_system(int type, krb5_preauth_sy - return 0; - } - -+static krb5_error_code -+find_pa_context(krb5_preauth_systems *pa_sys, -+ struct request_pa_context *context, -+ void ***pa_context) -+{ -+ int i; -+ -+ *pa_context = 0; -+ -+ if (context == NULL) -+ return KRB5KRB_ERR_GENERIC; -+ -+ for (i = 0; i < context->n_contexts; i++) { -+ if (context->contexts[i].pa_system == pa_sys) { -+ *pa_context = &context->contexts[i].pa_context; -+ return 0; -+ } -+ } -+ -+ return KRB5KRB_ERR_GENERIC; -+} -+ -+/* -+ * Create a list of indices into the preauth_systems array, sorted by order of -+ * preference. -+ */ -+static krb5_boolean -+pa_list_includes(krb5_pa_data **pa_data, krb5_preauthtype pa_type) -+{ -+ while (*pa_data != NULL) { -+ if ((*pa_data)->pa_type == pa_type) -+ return TRUE; -+ pa_data++; -+ } -+ return FALSE; -+} -+static void -+sort_pa_order(krb5_context context, krb5_kdc_req *request, int *pa_order) -+{ -+ int i, j, k, n_repliers, n_key_replacers; -+ -+ /* First, set up the default order. */ -+ i = 0; -+ for (j = 0; j < n_preauth_systems; j++) { -+ if (preauth_systems[j].return_padata != NULL) -+ pa_order[i++] = j; -+ } -+ n_repliers = i; -+ pa_order[n_repliers] = -1; -+ -+ /* Reorder so that PA_REPLACES_KEY modules are listed first. */ -+ for (i = 0; i < n_repliers; i++) { -+ /* If this module replaces the key, then it's okay to leave it where it -+ * is in the order. */ -+ if (preauth_systems[pa_order[i]].flags & PA_REPLACES_KEY) -+ continue; -+ /* If not, search for a module which does, and swap in the first one we -+ * find. */ -+ for (j = i + 1; j < n_repliers; j++) { -+ if (preauth_systems[pa_order[j]].flags & PA_REPLACES_KEY) { -+ k = pa_order[j]; -+ pa_order[j] = pa_order[i]; -+ pa_order[i] = k; -+ break; -+ } -+ } -+ } -+ -+ if (request->padata != NULL) { -+ /* Now reorder the subset of modules which replace the key, -+ * bubbling those which handle pa_data types provided by the -+ * client ahead of the others. */ -+ for (i = 0; preauth_systems[pa_order[i]].flags & PA_REPLACES_KEY; i++) { -+ continue; -+ } -+ n_key_replacers = i; -+ for (i = 0; i < n_key_replacers; i++) { -+ if (pa_list_includes(request->padata, -+ preauth_systems[pa_order[i]].type)) -+ continue; -+ for (j = i + 1; j < n_key_replacers; j++) { -+ if (pa_list_includes(request->padata, -+ preauth_systems[pa_order[j]].type)) { -+ k = pa_order[j]; -+ pa_order[j] = pa_order[i]; -+ pa_order[i] = k; -+ break; -+ } -+ } -+ } -+ } -+#ifdef DEBUG -+ krb5_klog_syslog(LOG_DEBUG, "original preauth mechanism list:"); -+ for (i = 0; i < n_preauth_systems; i++) { -+ if (preauth_systems[i].return_padata != NULL) -+ krb5_klog_syslog(LOG_DEBUG, "... %s(%d)", preauth_systems[i].name, -+ preauth_systems[i].type); -+ } -+ krb5_klog_syslog(LOG_DEBUG, "sorted preauth mechanism list:"); -+ for (i = 0; pa_order[i] != -1; i++) { -+ krb5_klog_syslog(LOG_DEBUG, "... %s(%d)", -+ preauth_systems[pa_order[i]].name, -+ preauth_systems[pa_order[i]].type); -+ } -+#endif -+} -+ - const char *missing_required_preauth(krb5_db_entry *client, - krb5_db_entry *server, - krb5_enc_tkt_part *enc_tkt_reply) -@@ -287,10 +831,10 @@ void get_preauth_hint_list(krb5_kdc_req - e_data->data = 0; - - hw_only = isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH); -- pa_data = malloc(sizeof(krb5_pa_data *) * (MAX_PREAUTH_SYSTEMS+1)); -+ pa_data = malloc(sizeof(krb5_pa_data *) * (n_preauth_systems+1)); - if (pa_data == 0) - return; -- memset(pa_data, 0, sizeof(krb5_pa_data *) * (MAX_PREAUTH_SYSTEMS+1)); -+ memset(pa_data, 0, sizeof(krb5_pa_data *) * (n_preauth_systems+1)); - pa = pa_data; - - for (ap = preauth_systems; ap->type != -1; ap++) { -@@ -305,7 +849,8 @@ void get_preauth_hint_list(krb5_kdc_req - (*pa)->magic = KV5M_PA_DATA; - (*pa)->pa_type = ap->type; - if (ap->get_edata) { -- retval = (ap->get_edata)(kdc_context, request, client, server, *pa); -+ retval = (ap->get_edata)(kdc_context, request, client, server, -+ get_entry_data, ap->plugin_context, *pa); - if (retval) { - /* just failed on this type, continue */ - free(*pa); -@@ -335,23 +880,33 @@ errout: - /* - * This routine is called to verify the preauthentication information - * for a V5 request. -- * -+ * - * Returns 0 if the pre-authentication is valid, non-zero to indicate - * an error code of some sort. - */ - - krb5_error_code --check_padata (krb5_context context, krb5_db_entry *client, -- krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply) -+check_padata (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt, -+ krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, -+ void **padata_context, krb5_data *e_data) - { - krb5_error_code retval = 0; - krb5_pa_data **padata; - krb5_preauth_systems *pa_sys; -- int pa_ok = 0, pa_found = 0; -+ void **pa_context; -+ krb5_data *pa_e_data = NULL, *tmp_e_data = NULL; -+ int pa_ok = 0, pa_found = 0; -+ krb5_error_code saved_retval = 0; -+ int use_saved_retval = 0; -+ const char *emsg; - - if (request->padata == 0) - return 0; - -+ if (make_padata_context(context, padata_context) != 0) { -+ return KRB5KRB_ERR_GENERIC; -+ } -+ - #ifdef DEBUG - krb5_klog_syslog (LOG_DEBUG, "checking padata"); - #endif -@@ -361,52 +916,128 @@ check_padata (krb5_context context, krb5 - #endif - if (find_pa_system((*padata)->pa_type, &pa_sys)) - continue; -+ if (find_pa_context(pa_sys, *padata_context, &pa_context)) -+ continue; - #ifdef DEBUG - krb5_klog_syslog (LOG_DEBUG, ".. pa_type %s", pa_sys->name); - #endif - if (pa_sys->verify_padata == 0) - continue; - pa_found++; -- retval = pa_sys->verify_padata(context, client, request, -- enc_tkt_reply, *padata); -+ retval = pa_sys->verify_padata(context, client, req_pkt, request, -+ enc_tkt_reply, *padata, -+ get_entry_data, pa_sys->plugin_context, -+ pa_context, &tmp_e_data); - if (retval) { -- char * emsg = krb5_get_error_message (context, retval); -+ emsg = krb5_get_error_message (context, retval); - krb5_klog_syslog (LOG_INFO, "preauth (%s) verify failure: %s", - pa_sys->name, emsg); - krb5_free_error_message (context, emsg); - if (pa_sys->flags & PA_REQUIRED) { -+ /* free up any previous edata we might have been saving */ -+ if (pa_e_data != NULL) -+ krb5_free_data(context, pa_e_data); -+ pa_e_data = tmp_e_data; -+ tmp_e_data = NULL; -+ use_saved_retval = 0; /* Make sure we use the current retval */ - pa_ok = 0; - break; - } -+ /* -+ * We'll return edata from either the first PA_REQUIRED module -+ * that fails, or the first non-PA_REQUIRED module that fails. -+ * Hang on to edata from the first non-PA_REQUIRED module. -+ * If we've already got one saved, simply discard this one. -+ */ -+ if (tmp_e_data != NULL) { -+ if (pa_e_data == NULL) { -+ /* save the first error code and e-data */ -+ pa_e_data = tmp_e_data; -+ tmp_e_data = NULL; -+ saved_retval = retval; -+ use_saved_retval = 1; -+ } else { -+ /* discard this extra e-data from non-PA_REQUIRED module */ -+ krb5_free_data(context, tmp_e_data); -+ tmp_e_data = NULL; -+ } -+ } - } else { - #ifdef DEBUG - krb5_klog_syslog (LOG_DEBUG, ".. .. ok"); - #endif -+ /* Ignore any edata returned on success */ -+ if (tmp_e_data != NULL) { -+ krb5_free_data(context, tmp_e_data); -+ tmp_e_data = NULL; -+ } - pa_ok = 1; -- if (pa_sys->flags & PA_SUFFICIENT) -+ if (pa_sys->flags & PA_SUFFICIENT) - break; - } - } -+ -+ /* Don't bother copying and returning e-data on success */ -+ if (pa_ok && pa_e_data != NULL) { -+ krb5_free_data(context, pa_e_data); -+ pa_e_data = NULL; -+ } -+ /* Return any e-data from the preauth that caused us to exit the loop */ -+ if (pa_e_data != NULL) { -+ e_data->data = malloc(pa_e_data->length); -+ if (e_data->data == NULL) { -+ krb5_free_data(context, pa_e_data); -+ return KRB5KRB_ERR_GENERIC; -+ } -+ memcpy(e_data->data, pa_e_data->data, pa_e_data->length); -+ e_data->length = pa_e_data->length; -+ krb5_free_data(context, pa_e_data); -+ pa_e_data = NULL; -+ if (use_saved_retval != 0) -+ retval = saved_retval; -+ } -+ - if (pa_ok) - return 0; - - /* pa system was not found, but principal doesn't require preauth */ - if (!pa_found && -- !isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) && -- !isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH)) -+ !isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) && -+ !isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH)) - return 0; - - if (!pa_found) { -- char *emsg = krb5_get_error_message(context, retval); -+ emsg = krb5_get_error_message(context, retval); - krb5_klog_syslog (LOG_INFO, "no valid preauth type found: %s", emsg); - krb5_free_error_message(context, emsg); - } --/* The following switch statement allows us -- * to return some preauth system errors back to the client. -- */ -- switch(retval) { -- case KRB5KRB_AP_ERR_BAD_INTEGRITY: -+ /* The following switch statement allows us -+ * to return some preauth system errors back to the client. -+ */ -+ switch(retval) { -+ case KRB5KRB_AP_ERR_BAD_INTEGRITY: - case KRB5KRB_AP_ERR_SKEW: -+ case KRB5KDC_ERR_ETYPE_NOSUPP: -+ /* rfc 4556 */ -+ case KRB5KDC_ERR_CLIENT_NOT_TRUSTED: -+ case KRB5KDC_ERR_INVALID_SIG: -+ case KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED: -+ case KRB5KDC_ERR_CANT_VERIFY_CERTIFICATE: -+ case KRB5KDC_ERR_INVALID_CERTIFICATE: -+ case KRB5KDC_ERR_REVOKED_CERTIFICATE: -+ case KRB5KDC_ERR_REVOCATION_STATUS_UNKNOWN: -+ case KRB5KDC_ERR_CLIENT_NAME_MISMATCH: -+ case KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE: -+ case KRB5KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED: -+ case KRB5KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED: -+ case KRB5KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED: -+ case KRB5KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED: -+ /* earlier drafts of what became rfc 4556 */ -+ case KRB5KDC_ERR_CERTIFICATE_MISMATCH: -+ case KRB5KDC_ERR_KDC_NOT_TRUSTED: -+ case KRB5KDC_ERR_REVOCATION_STATUS_UNAVAILABLE: -+ /* This value is shared with KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED. */ -+ /* case KRB5KDC_ERR_KEY_TOO_WEAK: */ - return retval; - default: - return KRB5KDC_ERR_PREAUTH_FAILED; -@@ -418,9 +1049,10 @@ check_padata (krb5_context context, krb5 - * structures which should be returned by the KDC to the client - */ - krb5_error_code --return_padata(krb5_context context, krb5_db_entry *client, -+return_padata(krb5_context context, krb5_db_entry *client, krb5_data *req_pkt, - krb5_kdc_req *request, krb5_kdc_rep *reply, -- krb5_key_data *client_key, krb5_keyblock *encrypting_key) -+ krb5_key_data *client_key, krb5_keyblock *encrypting_key, -+ void **padata_context) - { - krb5_error_code retval; - krb5_pa_data ** padata; -@@ -428,7 +1060,15 @@ return_padata(krb5_context context, krb5 - krb5_pa_data ** send_pa; - krb5_pa_data * pa = 0; - krb5_preauth_systems * ap; -+ int * pa_order; -+ int * pa_type; - int size = 0; -+ void ** pa_context; -+ krb5_boolean key_modified; -+ krb5_keyblock original_key; -+ if ((!*padata_context)&& (make_padata_context(context, padata_context) != 0)) { -+ return KRB5KRB_ERR_GENERIC; -+ } - - for (ap = preauth_systems; ap->type != -1; ap++) { - if (ap->return_padata) -@@ -437,13 +1077,42 @@ return_padata(krb5_context context, krb5 - - if ((send_pa_list = malloc((size+1) * sizeof(krb5_pa_data *))) == NULL) - return ENOMEM; -+ if ((pa_order = malloc((size+1) * sizeof(int))) == NULL) { -+ free(send_pa_list); -+ return ENOMEM; -+ } -+ sort_pa_order(context, request, pa_order); -+ -+ retval = krb5_copy_keyblock_contents(context, encrypting_key, -+ &original_key); -+ if (retval) { -+ free(send_pa_list); -+ free(pa_order); -+ return retval; -+ } -+ key_modified = FALSE; - - send_pa = send_pa_list; - *send_pa = 0; -- -- for (ap = preauth_systems; ap->type != -1; ap++) { -+ -+ for (pa_type = pa_order; *pa_type != -1; pa_type++) { -+ ap = &preauth_systems[*pa_type]; -+ if (!key_modified) -+ if (original_key.enctype != encrypting_key->enctype) -+ key_modified = TRUE; -+ if (!key_modified) -+ if (original_key.length != encrypting_key->length) -+ key_modified = TRUE; -+ if (!key_modified) -+ if (memcmp(original_key.contents, encrypting_key->contents, -+ original_key.length) != 0) -+ key_modified = TRUE; -+ if (key_modified && (ap->flags & PA_REPLACES_KEY)) -+ continue; - if (ap->return_padata == 0) - continue; -+ if (find_pa_context(ap, *padata_context, &pa_context)) -+ continue; - pa = 0; - if (request->padata) { - for (padata = request->padata; *padata; padata++) { -@@ -453,9 +1122,12 @@ return_padata(krb5_context context, krb5 - } - } - } -- if ((retval = ap->return_padata(context, pa, client, request, reply, -- client_key, encrypting_key, send_pa))) -+ if ((retval = ap->return_padata(context, pa, client, req_pkt, request, reply, -+ client_key, encrypting_key, send_pa, -+ get_entry_data, ap->plugin_context, -+ pa_context))) { - goto cleanup; -+ } - - if (*send_pa) - send_pa++; -@@ -470,6 +1142,8 @@ return_padata(krb5_context context, krb5 - } - - cleanup: -+ krb5_free_keyblock_contents(context, &original_key); -+ free(pa_order); - if (send_pa_list) - krb5_free_pa_data(context, send_pa_list); - return (retval); -@@ -508,8 +1182,13 @@ request_contains_enctype (krb5_context c - - static krb5_error_code - verify_enc_timestamp(krb5_context context, krb5_db_entry *client, -+ krb5_data *req_pkt, - krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, -- krb5_pa_data *pa) -+ krb5_pa_data *pa, -+ preauth_get_entry_data_proc ets_get_entry_data, -+ void *pa_system_context, -+ void **pa_request_context, -+ krb5_data **e_data) - { - krb5_pa_enc_ts * pa_enc = 0; - krb5_error_code retval; -@@ -749,6 +1428,8 @@ cleanup: - static krb5_error_code - get_etype_info(krb5_context context, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, -+ preauth_get_entry_data_proc etype_get_entry_data, -+ void *pa_system_context, - krb5_pa_data *pa_data) - { - int i; -@@ -764,6 +1445,8 @@ get_etype_info(krb5_context context, krb - static krb5_error_code - get_etype_info2(krb5_context context, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, -+ preauth_get_entry_data_proc etype_get_entry_data, -+ void *pa_system_context, - krb5_pa_data *pa_data) - { - return etype_info_helper( context, request, client, server, pa_data, 1); -@@ -849,10 +1532,14 @@ etype_info_as_rep_helper(krb5_context co - static krb5_error_code - return_etype_info2(krb5_context context, krb5_pa_data * padata, - krb5_db_entry *client, -+ krb5_data *req_pkt, - krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_key_data *client_key, - krb5_keyblock *encrypting_key, -- krb5_pa_data **send_pa) -+ krb5_pa_data **send_pa, -+ preauth_get_entry_data_proc etype_get_entry_data, -+ void *pa_system_context, -+ void **pa_request_context) - { - return etype_info_as_rep_helper(context, padata, client, request, reply, - client_key, encrypting_key, send_pa, 1); -@@ -862,10 +1549,14 @@ return_etype_info2(krb5_context context, - static krb5_error_code - return_etype_info(krb5_context context, krb5_pa_data * padata, - krb5_db_entry *client, -+ krb5_data *req_pkt, - krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_key_data *client_key, - krb5_keyblock *encrypting_key, -- krb5_pa_data **send_pa) -+ krb5_pa_data **send_pa, -+ preauth_get_entry_data_proc etypeget_entry_data, -+ void *pa_system_context, -+ void **pa_request_context) - { - return etype_info_as_rep_helper(context, padata, client, request, reply, - client_key, encrypting_key, send_pa, 0); -@@ -873,9 +1564,12 @@ return_etype_info(krb5_context context, - - static krb5_error_code - return_pw_salt(krb5_context context, krb5_pa_data *in_padata, -- krb5_db_entry *client, krb5_kdc_req *request, -+ krb5_db_entry *client, krb5_data *req_pkt, krb5_kdc_req *request, - krb5_kdc_rep *reply, krb5_key_data *client_key, -- krb5_keyblock *encrypting_key, krb5_pa_data **send_pa) -+ krb5_keyblock *encrypting_key, krb5_pa_data **send_pa, -+ preauth_get_entry_data_proc etype_get_entry_data, -+ void *pa_system_context, -+ void **pa_request_context) - { - krb5_error_code retval; - krb5_pa_data * padata; -@@ -960,9 +1654,12 @@ cleanup: - - static krb5_error_code - return_sam_data(krb5_context context, krb5_pa_data *in_padata, -- krb5_db_entry *client, krb5_kdc_req *request, -+ krb5_db_entry *client, krb5_data *req_pkt, krb5_kdc_req *request, - krb5_kdc_rep *reply, krb5_key_data *client_key, -- krb5_keyblock *encrypting_key, krb5_pa_data **send_pa) -+ krb5_keyblock *encrypting_key, krb5_pa_data **send_pa, -+ preauth_get_entry_data_proc sam_get_entry_data, -+ void *pa_system_context, -+ void **pa_request_context) - { - krb5_error_code retval; - krb5_data scratch; -@@ -1101,7 +1798,8 @@ static struct { - static krb5_error_code - get_sam_edata(krb5_context context, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, -- krb5_pa_data *pa_data) -+ preauth_get_entry_data_proc sam_get_entry_data, -+ void *pa_system_context, krb5_pa_data *pa_data) - { - krb5_error_code retval; - krb5_sam_challenge sc; -@@ -1472,8 +2170,13 @@ cleanup: - - static krb5_error_code - verify_sam_response(krb5_context context, krb5_db_entry *client, -+ krb5_data *req_pkt, - krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, -- krb5_pa_data *pa) -+ krb5_pa_data *pa, -+ preauth_get_entry_data_proc sam_get_entry_data, -+ void *pa_system_context, -+ void **pa_request_context, -+ krb5_data **e_data) - { - krb5_error_code retval; - krb5_data scratch; ---- krb5/src/kdc/main.c -+++ krb5/src/kdc/main.c -@@ -382,10 +382,13 @@ setup_signal_handlers(void) - (void) sigaction(SIGTERM, &s_action, (struct sigaction *) NULL); - s_action.sa_handler = request_hup; - (void) sigaction(SIGHUP, &s_action, (struct sigaction *) NULL); -+ s_action.sa_handler = SIG_IGN; -+ (void) sigaction(SIGPIPE, &s_action, (struct sigaction *) NULL); - #else /* POSIX_SIGNALS */ - signal(SIGINT, request_exit); - signal(SIGTERM, request_exit); - signal(SIGHUP, request_hup); -+ signal(SIGPIPE, SIG_IGN); - #endif /* POSIX_SIGNALS */ - - return; -@@ -711,6 +714,8 @@ int main(int argc, char **argv) - - setup_signal_handlers(); - -+ load_preauth_plugins(kcontext); -+ - retval = setup_sam(); - if (retval) { - com_err(argv[0], retval, "while initializing SAM"); -@@ -738,6 +743,7 @@ int main(int argc, char **argv) - errout++; - } - krb5_klog_syslog(LOG_INFO, "shutting down"); -+ unload_preauth_plugins(kcontext); - krb5_klog_close(kdc_context); - finish_realms(argv[0]); - if (kdc_realmlist) ---- krb5/src/kdc/kdc_util.h -+++ krb5/src/kdc/kdc_util.h -@@ -107,7 +107,7 @@ void - rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep); - - /* do_as_req.c */ --krb5_error_code process_as_req (krb5_kdc_req *, -+krb5_error_code process_as_req (krb5_kdc_req *, krb5_data *, - const krb5_fulladdr *, - krb5_data ** ); - -@@ -146,15 +146,23 @@ void get_preauth_hint_list (krb5_kdc_req - krb5_db_entry *client, - krb5_db_entry *server, - krb5_data *e_data); -+krb5_error_code load_preauth_plugins(krb5_context context); -+krb5_error_code unload_preauth_plugins(krb5_context context); -+ - krb5_error_code check_padata -- (krb5_context context, krb5_db_entry *client, -- krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply); -+ (krb5_context context, krb5_db_entry *client, krb5_data *req_pkt, -+ krb5_kdc_req *request, krb5_enc_tkt_part *enc_tkt_reply, -+ void **padata_context, krb5_data *e_data); - - krb5_error_code return_padata - (krb5_context context, krb5_db_entry *client, -- krb5_kdc_req *request, krb5_kdc_rep *reply, -- krb5_key_data *client_key, krb5_keyblock *encrypting_key); -+ krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply, -+ krb5_key_data *client_key, krb5_keyblock *encrypting_key, -+ void **padata_context); - -+krb5_error_code free_padata_context -+ (krb5_context context, void **padata_context); -+ - /* replay.c */ - krb5_boolean kdc_check_lookaside (krb5_data *, krb5_data **); - void kdc_insert_lookaside (krb5_data *, krb5_data *); -@@ -191,4 +199,8 @@ void enable_v4_crossrealm(char *); - ((X) == ADDRTYPE_INET ? AF_INET : -1) - #endif - -+/* RFC 4120: KRB5KDC_ERR_KEY_TOO_WEAK -+ * RFC 4556: KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED */ -+#define KRB5KDC_ERR_KEY_TOO_WEAK KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED -+ - #endif /* __KRB5_KDC_UTIL__ */ ---- krb5/src/lib/krb5/os/init_os_ctx.c -+++ krb5/src/lib/krb5/os/init_os_ctx.c -@@ -391,6 +391,8 @@ krb5_os_init_context(krb5_context ctx, k - - ctx->vtbl = 0; - PLUGIN_DIR_INIT(&ctx->libkrb5_plugins); -+ PLUGIN_DIR_INIT(&ctx->preauth_plugins); -+ ctx->preauth_context = NULL; - - retval = os_init_paths(ctx, kdc); - /* -@@ -492,6 +494,11 @@ krb5_os_free_context(krb5_context ctx) - ctx->profile = 0; - } - -+ if (ctx->preauth_context) { -+ krb5_free_preauth_context(ctx); -+ ctx->preauth_context = NULL; -+ } -+ krb5int_close_plugin_dirs (&ctx->preauth_plugins); - krb5int_close_plugin_dirs (&ctx->libkrb5_plugins); - - #ifdef _WIN32 ---- krb5/src/lib/krb5/krb/init_ctx.c -+++ krb5/src/lib/krb5/krb/init_ctx.c -@@ -97,7 +97,7 @@ krb5_init_secure_context(krb5_context *c - return init_common (context, TRUE, FALSE); - } - --krb5_error_code KRB5_CALLCONV -+krb5_error_code - krb5int_init_context_kdc(krb5_context *context) - { - return init_common (context, FALSE, TRUE); -@@ -272,6 +272,8 @@ krb5_free_context(krb5_context ctx) - ctx->ser_ctx = 0; - } - -+ krb5_clear_error_message(ctx); -+ - ctx->magic = 0; - free(ctx); - } -@@ -534,6 +536,9 @@ krb5_copy_context(krb5_context ctx, krb5 - nctx->prompt_types = NULL; - nctx->os_context->default_ccname = NULL; - -+ memset(&nctx->preauth_plugins, 0, sizeof(nctx->preauth_plugins)); -+ nctx->preauth_context = NULL; -+ - memset(&nctx->libkrb5_plugins, 0, sizeof(nctx->libkrb5_plugins)); - nctx->vtbl = NULL; - nctx->locate_fptrs = NULL; ---- krb5/src/lib/krb5/krb/preauth2.c 2005-01-17 12:32:26.000000000 -0500 -+++ krb5/src/lib/krb5/krb/preauth2.c -@@ -30,6 +30,18 @@ - */ - - #include "k5-int.h" -+#include "osconf.h" -+#include -+ -+#if !defined(_WIN32) -+#include -+#endif -+ -+#if TARGET_OS_MAC -+static const char *objdirs[] = { KRB5_PLUGIN_BUNDLE_DIR, LIBDIR "/krb5/plugins/preauth", NULL }; /* should be a list */ -+#else -+static const char *objdirs[] = { LIBDIR "/krb5/plugins/preauth", NULL }; -+#endif - - typedef krb5_error_code (*pa_function)(krb5_context, - krb5_kdc_req *request, -@@ -49,8 +61,458 @@ typedef struct _pa_types_t { - int flags; - } pa_types_t; - --#define PA_REAL 0x0001 --#define PA_INFO 0x0002 -+/* Create the per-krb5_context context. This means loading the modules -+ * if we haven't done that yet (applications which never obtain initial -+ * credentials should never hit this routine), breaking up the module's -+ * list of support pa_types so that we can iterate over the modules more -+ * easily, and copying over the relevant parts of the module's table. */ -+void KRB5_CALLCONV -+krb5_init_preauth_context(krb5_context kcontext) -+{ -+ int n_modules, n_tables, i, j, k; -+ void **tables; -+ struct krb5plugin_preauth_client_ftable_v0 *table; -+ krb5_preauth_context *context = NULL; -+ void *plugin_context; -+ krb5_preauthtype pa_type; -+ void **rcpp; -+ -+ /* Only do this once for each krb5_context */ -+ if (kcontext->preauth_context != NULL) -+ return; -+ -+ /* load the plugins for the current context */ -+ if (PLUGIN_DIR_OPEN(&kcontext->preauth_plugins) == 0) { -+ if (krb5int_open_plugin_dirs(objdirs, NULL, -+ &kcontext->preauth_plugins, -+ &kcontext->err) != 0) { -+ return; -+ } -+ } -+ -+ /* pull out the module function tables for all of the modules */ -+ tables = NULL; -+ if (krb5int_get_plugin_dir_data(&kcontext->preauth_plugins, -+ "preauthentication_client_0_backport_1_6", -+ &tables, -+ &kcontext->err) != 0) { -+ return; -+ } -+ if (tables == NULL) { -+ return; -+ } -+ -+ /* count how many modules we ended up loading, and how many preauth -+ * types we may claim to support as a result */ -+ n_modules = 0; -+ for (n_tables = 0; -+ (tables != NULL) && (tables[n_tables] != NULL); -+ n_tables++) { -+ table = tables[n_tables]; -+ if ((table->pa_type_list != NULL) && (table->process != NULL)) { -+ for (j = 0; table->pa_type_list[j] > 0; j++) { -+ n_modules++; -+ } -+ } -+ } -+ -+ /* allocate the space we need */ -+ context = malloc(sizeof(*context)); -+ if (context == NULL) { -+ krb5int_free_plugin_dir_data(tables); -+ return; -+ } -+ context->modules = malloc(sizeof(context->modules[0]) * n_modules); -+ if (context->modules == NULL) { -+ krb5int_free_plugin_dir_data(tables); -+ free(context); -+ return; -+ } -+ memset(context->modules, 0, sizeof(context->modules[0]) * n_modules); -+ context->n_modules = n_modules; -+ -+ /* fill in the structure */ -+ k = 0; -+ for (i = 0; i < n_tables; i++) { -+ table = tables[i]; -+ if ((table->pa_type_list != NULL) && (table->process != NULL)) { -+ plugin_context = NULL; -+ if ((table->init != NULL) && -+ ((*table->init)(kcontext, &plugin_context) != 0)) { -+#ifdef DEBUG -+ fprintf (stderr, "init err, skipping module \"%s\"\n", -+ table->name); -+#endif -+ continue; -+ } -+ -+ rcpp = NULL; -+ for (j = 0; table->pa_type_list[j] > 0; j++) { -+ pa_type = table->pa_type_list[j]; -+ context->modules[k].pa_type = pa_type; -+ context->modules[k].enctypes = table->enctype_list; -+ context->modules[k].plugin_context = plugin_context; -+ /* Only call client_fini once per plugin */ -+ if (j == 0) -+ context->modules[k].client_fini = table->fini; -+ else -+ context->modules[k].client_fini = NULL; -+ context->modules[k].ftable = table; -+ context->modules[k].name = table->name; -+ context->modules[k].flags = (*table->flags)(kcontext, pa_type); -+ context->modules[k].use_count = 0; -+ context->modules[k].client_process = table->process; -+ context->modules[k].client_tryagain = table->tryagain; -+ context->modules[k].request_context = NULL; -+ /* -+ * Only call request_init and request_fini once per plugin. -+ * Only the first module within each plugin will ever -+ * have request_context filled in. Every module within -+ * the plugin will have its request_context_pp pointing -+ * to that entry's request_context. That way all the -+ * modules within the plugin share the same request_context -+ */ -+ if (j == 0) { -+ context->modules[k].client_req_init = table->request_init; -+ context->modules[k].client_req_fini = table->request_fini; -+ rcpp = &context->modules[k].request_context; -+ } else { -+ context->modules[k].client_req_init = NULL; -+ context->modules[k].client_req_fini = NULL; -+ } -+ context->modules[k].request_context_pp = rcpp; -+#ifdef DEBUG -+ fprintf (stderr, "init module \"%s\", pa_type %d, flag %d\n", -+ context->modules[k].name, -+ context->modules[k].pa_type, -+ context->modules[k].flags); -+#endif -+ k++; -+ } -+ } -+ } -+ krb5int_free_plugin_dir_data(tables); -+ -+ /* return the result */ -+ kcontext->preauth_context = context; -+} -+ -+/* Zero the use counts for the modules herein. Usually used before we -+ * start processing any data from the server, at which point every module -+ * will again be able to take a crack at whatever the server sent. */ -+void KRB5_CALLCONV -+krb5_clear_preauth_context_use_counts(krb5_context context) -+{ -+ int i; -+ if (context->preauth_context != NULL) { -+ for (i = 0; i < context->preauth_context->n_modules; i++) { -+ context->preauth_context->modules[i].use_count = 0; -+ } -+ } -+} -+ -+/* Free the per-krb5_context preauth_context. This means clearing any -+ * plugin-specific context which may have been created, and then -+ * freeing the context itself. */ -+void KRB5_CALLCONV -+krb5_free_preauth_context(krb5_context context) -+{ -+ int i; -+ void *pctx; -+ if (context->preauth_context != NULL) { -+ for (i = 0; i < context->preauth_context->n_modules; i++) { -+ pctx = context->preauth_context->modules[i].plugin_context; -+ if (context->preauth_context->modules[i].client_fini != NULL) { -+ (*context->preauth_context->modules[i].client_fini)(context, pctx); -+ } -+ memset(&context->preauth_context->modules[i], 0, -+ sizeof(context->preauth_context->modules[i])); -+ } -+ if (context->preauth_context->modules != NULL) { -+ free(context->preauth_context->modules); -+ context->preauth_context->modules = NULL; -+ } -+ free(context->preauth_context); -+ context->preauth_context = NULL; -+ } -+} -+ -+/* Initialize the per-AS-REQ context. This means calling the client_req_init -+ * function to give the plugin a chance to allocate a per-request context. */ -+void KRB5_CALLCONV -+krb5_preauth_request_context_init(krb5_context context) -+{ -+ int i; -+ void *rctx, *pctx; -+ -+ /* Limit this to only one attempt per context? */ -+ if (context->preauth_context == NULL) -+ krb5_init_preauth_context(context); -+ if (context->preauth_context != NULL) { -+ for (i = 0; i < context->preauth_context->n_modules; i++) { -+ pctx = context->preauth_context->modules[i].plugin_context; -+ if (context->preauth_context->modules[i].client_req_init != NULL) { -+ rctx = context->preauth_context->modules[i].request_context_pp; -+ (*context->preauth_context->modules[i].client_req_init) (context, pctx, rctx); -+ } -+ } -+ } -+} -+ -+/* Free the per-AS-REQ context. This means clearing any request-specific -+ * context which the plugin may have created. */ -+void KRB5_CALLCONV -+krb5_preauth_request_context_fini(krb5_context context) -+{ -+ int i; -+ void *rctx, *pctx; -+ if (context->preauth_context != NULL) { -+ for (i = 0; i < context->preauth_context->n_modules; i++) { -+ pctx = context->preauth_context->modules[i].plugin_context; -+ rctx = context->preauth_context->modules[i].request_context; -+ if (rctx != NULL) { -+ if (context->preauth_context->modules[i].client_req_fini != NULL) { -+ (*context->preauth_context->modules[i].client_req_fini)(context, pctx, rctx); -+ } -+ context->preauth_context->modules[i].request_context = NULL; -+ } -+ } -+ } -+} -+ -+/* Add the named encryption type to the existing list of ktypes. */ -+static void -+grow_ktypes(krb5_enctype **out_ktypes, int *out_nktypes, krb5_enctype ktype) -+{ -+ int i; -+ krb5_enctype *ktypes; -+ for (i = 0; i < *out_nktypes; i++) { -+ if ((*out_ktypes)[i] == ktype) -+ return; -+ } -+ ktypes = malloc((*out_nktypes + 2) * sizeof(ktype)); -+ if (ktypes) { -+ for (i = 0; i < *out_nktypes; i++) -+ ktypes[i] = (*out_ktypes)[i]; -+ ktypes[i++] = ktype; -+ ktypes[i] = 0; -+ free(*out_ktypes); -+ *out_ktypes = ktypes; -+ *out_nktypes = i; -+ } -+} -+ -+/* Add the given pa_data item to the list of items. Factored out here to make -+ * reading the do_preauth logic easier to read. */ -+static int -+grow_pa_list(krb5_pa_data ***out_pa_list, int *out_pa_list_size, -+ krb5_pa_data *addition) -+{ -+ krb5_pa_data **pa_list; -+ int i; -+ -+ if (out_pa_list == NULL) { -+ return EINVAL; -+ } -+ -+ if (*out_pa_list == NULL) { -+ /* Allocate room for one entry and a NULL terminator. */ -+ pa_list = malloc(2 * sizeof(krb5_pa_data *)); -+ if (pa_list == NULL) -+ return ENOMEM; -+ pa_list[0] = addition; -+ pa_list[1] = NULL; -+ *out_pa_list = pa_list; -+ *out_pa_list_size = 1; -+ } else { -+ /* Allocate room for one more entry and a NULL terminator. */ -+ pa_list = malloc((*out_pa_list_size + 2) * sizeof(krb5_pa_data *)); -+ if (pa_list == NULL) -+ return ENOMEM; -+ for (i = 0; i < *out_pa_list_size; i++) -+ pa_list[i] = (*out_pa_list)[i]; -+ pa_list[i++] = addition; -+ pa_list[i++] = NULL; -+ free(*out_pa_list); -+ *out_pa_list = pa_list; -+ *out_pa_list_size = i; -+ } -+ return 0; -+} -+ -+/* -+ * Retrieve a specific piece of information required by the plugin and -+ * return it in a new krb5_data item. There are separate request_types -+ * to obtain the data and free it. -+ * -+ * This may require massaging data into a contrived format, but it will -+ * hopefully keep us from having to reveal library-internal functions -+ * or data to the plugin modules. -+ */ -+ -+static krb5_error_code -+client_data_proc(krb5_context kcontext, -+ krb5_preauth_client_rock *rock, -+ krb5_int32 request_type, -+ krb5_data **retdata) -+{ -+ krb5_data *ret; -+ char *data; -+ -+ if (rock->magic != CLIENT_ROCK_MAGIC) -+ return EINVAL; -+ if (retdata == NULL) -+ return EINVAL; -+ -+ switch (request_type) { -+ case krb5plugin_preauth_client_get_etype: -+ { -+ krb5_enctype *eptr; -+ if (rock->as_reply == NULL) -+ return ENOENT; -+ ret = malloc(sizeof(krb5_data)); -+ if (ret == NULL) -+ return ENOMEM; -+ data = malloc(sizeof(krb5_enctype)); -+ if (data == NULL) { -+ free(ret); -+ return ENOMEM; -+ } -+ ret->data = data; -+ ret->length = sizeof(krb5_enctype); -+ eptr = (krb5_enctype *)data; -+ *eptr = rock->as_reply->enc_part.enctype; -+ *retdata = ret; -+ return 0; -+ } -+ break; -+ case krb5plugin_preauth_client_free_etype: -+ ret = *retdata; -+ if (ret == NULL) -+ return 0; -+ if (ret->data) -+ free(ret->data); -+ free(ret); -+ return 0; -+ break; -+ default: -+ return EINVAL; -+ } -+} -+ -+/* Tweak the request body, for now adding any enctypes which the module claims -+ * to add support for to the list, but in the future perhaps doing more -+ * involved things. */ -+void KRB5_CALLCONV -+krb5_preauth_prepare_request(krb5_context kcontext, -+ krb5_get_init_creds_opt *options, -+ krb5_kdc_req *request) -+{ -+ int i, j; -+ -+ if (kcontext->preauth_context == NULL) { -+ return; -+ } -+ /* Add the module-specific enctype list to the request, but only if -+ * it's something we can safely modify. */ -+ if (!(options && (options->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST))) { -+ for (i = 0; i < kcontext->preauth_context->n_modules; i++) { -+ if (kcontext->preauth_context->modules[i].enctypes == NULL) -+ continue; -+ for (j = 0; kcontext->preauth_context->modules[i].enctypes[j] != 0; j++) { -+ grow_ktypes(&request->ktype, &request->nktypes, -+ kcontext->preauth_context->modules[i].enctypes[j]); -+ } -+ } -+ } -+} -+ -+/* Find the first module which provides for the named preauth type which also -+ * hasn't had a chance to run yet (INFO modules don't count, because as a rule -+ * they don't generate preauth data), and run it. */ -+static krb5_error_code -+krb5_run_preauth_plugins(krb5_context kcontext, -+ int module_required_flags, -+ krb5_kdc_req *request, -+ krb5_data *encoded_request_body, -+ krb5_data *encoded_previous_request, -+ krb5_pa_data *in_padata, -+ krb5_prompter_fct prompter, -+ void *prompter_data, -+ preauth_get_as_key_proc gak_fct, -+ krb5_data *salt, -+ krb5_data *s2kparams, -+ void *gak_data, -+ krb5_preauth_client_rock *get_data_rock, -+ krb5_keyblock *as_key, -+ krb5_pa_data ***out_pa_list, -+ int *out_pa_list_size, -+ int *module_ret, -+ int *module_flags) -+{ -+ int i; -+ krb5_pa_data *out_pa_data; -+ krb5_error_code ret; -+ struct _krb5_preauth_context_module *module; -+ -+ if (kcontext->preauth_context == NULL) { -+ return ENOENT; -+ } -+ /* iterate over all loaded modules */ -+ for (i = 0; i < kcontext->preauth_context->n_modules; i++) { -+ module = &kcontext->preauth_context->modules[i]; -+ /* skip over those which don't match the preauth type */ -+ if (module->pa_type != in_padata->pa_type) -+ continue; -+ /* skip over those which don't match the flags (INFO vs REAL, mainly) */ -+ if ((module->flags & module_required_flags) == 0) -+ continue; -+ /* if it's a REAL module, try to call it only once per library call */ -+ if (module_required_flags & PA_REAL) { -+ if (module->use_count > 0) { -+#ifdef DEBUG -+ fprintf(stderr, "skipping already-used module \"%s\"(%d)\n", -+ module->name, module->pa_type); -+#endif -+ continue; -+ } -+ module->use_count++; -+ } -+ /* run the module's callback function */ -+ out_pa_data = NULL; -+#ifdef DEBUG -+ fprintf(stderr, "using module \"%s\" (%d), flags = %d\n", -+ module->name, module->pa_type, module->flags); -+#endif -+ ret = module->client_process(kcontext, -+ module->plugin_context, -+ *module->request_context_pp, -+ client_data_proc, -+ get_data_rock, -+ request, -+ encoded_request_body, -+ encoded_previous_request, -+ in_padata, -+ prompter, prompter_data, -+ gak_fct, gak_data, salt, s2kparams, -+ as_key, -+ &out_pa_data); -+ /* Make note of the module's flags and status. */ -+ *module_flags = module->flags; -+ *module_ret = ret; -+ /* Save the new preauth data item. */ -+ if (out_pa_data != NULL) { -+ ret = grow_pa_list(out_pa_list, out_pa_list_size, out_pa_data); -+ if (ret != 0) -+ return ret; -+ } -+ break; -+ } -+ if (i >= kcontext->preauth_context->n_modules) { -+ return ENOENT; -+ } -+ return 0; -+} - - static - krb5_error_code pa_salt(krb5_context context, -@@ -101,8 +563,8 @@ krb5_error_code pa_enc_timestamp(krb5_co - #ifdef DEBUG - fprintf (stderr, "%s:%d: salt len=%d", __FILE__, __LINE__, - salt->length); -- if (salt->length > 0) -- fprintf (stderr, " '%*s'", salt->length, salt->data); -+ if ((int) salt->length > 0) -+ fprintf (stderr, " '%.*s'", salt->length, salt->data); - fprintf (stderr, "; *etype=%d request->ktype[0]=%d\n", - *etype, request->ktype[0]); - #endif -@@ -819,15 +1281,88 @@ static const pa_types_t pa_types[] = { - }, - }; - --krb5_error_code -+/* -+ * If one of the modules can adjust its AS_REQ data using the contents of the -+ * err_reply, return 0. If it's the sort of correction which requires that we -+ * ask the user another question, we let the calling application deal with it. -+ */ -+krb5_error_code KRB5_CALLCONV -+krb5_do_preauth_tryagain(krb5_context kcontext, -+ krb5_kdc_req *request, -+ krb5_data *encoded_request_body, -+ krb5_data *encoded_previous_request, -+ krb5_pa_data **padata, -+ krb5_pa_data ***return_padata, -+ krb5_error *err_reply, -+ krb5_data *salt, krb5_data *s2kparams, -+ krb5_enctype *etype, -+ krb5_keyblock *as_key, -+ krb5_prompter_fct prompter, void *prompter_data, -+ krb5_gic_get_as_key_fct gak_fct, void *gak_data, -+ krb5_preauth_client_rock *get_data_rock) -+{ -+ krb5_error_code ret; -+ krb5_pa_data *out_padata; -+ krb5_preauth_context *context; -+ struct _krb5_preauth_context_module *module; -+ int i, j; -+ int out_pa_list_size = 0; -+ -+ ret = KRB5KRB_ERR_GENERIC; -+ if (kcontext->preauth_context == NULL) { -+ return KRB5KRB_ERR_GENERIC; -+ } -+ context = kcontext->preauth_context; -+ if (context == NULL) { -+ return KRB5KRB_ERR_GENERIC; -+ } -+ -+ for (i = 0; padata[i] != NULL && padata[i]->pa_type != 0; i++) { -+ out_padata = NULL; -+ for (j = 0; j < context->n_modules; j++) { -+ module = &context->modules[j]; -+ if (module->pa_type != padata[i]->pa_type) { -+ continue; -+ } -+ if (module->client_tryagain == NULL) { -+ continue; -+ } -+ if ((*module->client_tryagain)(kcontext, -+ module->plugin_context, -+ *module->request_context_pp, -+ client_data_proc, -+ get_data_rock, -+ request, -+ encoded_request_body, -+ encoded_previous_request, -+ padata[i], -+ err_reply, -+ prompter, prompter_data, -+ gak_fct, gak_data, salt, s2kparams, -+ as_key, -+ &out_padata) == 0) { -+ if (out_padata != NULL) { -+ grow_pa_list(return_padata, &out_pa_list_size, out_padata); -+ return 0; -+ } -+ } -+ } -+ } -+ return ret; -+} -+ -+krb5_error_code KRB5_CALLCONV - krb5_do_preauth(krb5_context context, - krb5_kdc_req *request, -+ krb5_data *encoded_request_body, -+ krb5_data *encoded_previous_request, - krb5_pa_data **in_padata, krb5_pa_data ***out_padata, - krb5_data *salt, krb5_data *s2kparams, - krb5_enctype *etype, - krb5_keyblock *as_key, - krb5_prompter_fct prompter, void *prompter_data, -- krb5_gic_get_as_key_fct gak_fct, void *gak_data) -+ krb5_gic_get_as_key_fct gak_fct, void *gak_data, -+ krb5_preauth_client_rock *get_data_rock) - { - int h, i, j, out_pa_list_size; - int seen_etype_info2 = 0; -@@ -844,9 +1379,9 @@ krb5_do_preauth(krb5_context context, - } - - #ifdef DEBUG -- fprintf (stderr, "salt len=%d", salt->length); -- if (salt->length > 0) -- fprintf (stderr, " '%*s'", salt->length, salt->data); -+ fprintf (stderr, "salt len=%d", (int) salt->length); -+ if ((int) salt->length > 0) -+ fprintf (stderr, " '%.*s'", salt->length, salt->data); - fprintf (stderr, "; preauth data types:"); - for (i = 0; in_padata[i]; i++) { - fprintf (stderr, " %d", in_padata[i]->pa_type); -@@ -953,7 +1488,7 @@ krb5_do_preauth(krb5_context context, - fprintf (stderr, "etype info %d: etype %d salt len=%d", - j, e->etype, e->length); - if (e->length > 0 && e->length != KRB5_ETYPE_NO_SALT) -- fprintf (stderr, " '%*s'", e->length, e->salt); -+ fprintf (stderr, " '%.*s'", e->length, e->salt); - fprintf (stderr, "\n"); - } - #endif -@@ -967,9 +1502,14 @@ krb5_do_preauth(krb5_context context, - default: - ; - } -- for (j=0; pa_types[j].type >= 0; j++) { -+ /* Try the internally-provided preauth type list. */ -+ if (!realdone) for (j=0; pa_types[j].type >= 0; j++) { - if ((in_padata[i]->pa_type == pa_types[j].type) && - (pa_types[j].flags & paorder[h])) { -+#ifdef DEBUG -+ fprintf (stderr, "calling internal function for pa_type " -+ "%d, flag %d\n", pa_types[j].type, paorder[h]); -+#endif - out_pa = NULL; - - if ((ret = ((*pa_types[j].fct)(context, request, -@@ -980,41 +1520,54 @@ krb5_do_preauth(krb5_context context, - goto cleanup; - } - -- if (out_pa) { -- if (out_pa_list == NULL) { -- if ((out_pa_list = -- (krb5_pa_data **) -- malloc(2*sizeof(krb5_pa_data *))) -- == NULL) { -- ret = ENOMEM; -- goto cleanup; -- } -- } else { -- if ((out_pa_list = -- (krb5_pa_data **) -- realloc(out_pa_list, -- (out_pa_list_size+2)* -- sizeof(krb5_pa_data *))) -- == NULL) { -- /* XXX this will leak the pointers which -- have already been allocated. oh well. */ -- ret = ENOMEM; -- goto cleanup; -- } -- } -- -- out_pa_list[out_pa_list_size++] = out_pa; -+ ret = grow_pa_list(&out_pa_list, &out_pa_list_size, -+ out_pa); -+ if (ret != 0) { -+ goto cleanup; - } - if (paorder[h] == PA_REAL) - realdone = 1; - } - } -+ -+ /* Try to use plugins now. */ -+ if (!realdone) { -+ krb5_init_preauth_context(context); -+ if (context->preauth_context != NULL) { -+ int module_ret, module_flags; -+#ifdef DEBUG -+ fprintf (stderr, "trying modules for pa_type %d, flag %d\n", -+ in_padata[i]->pa_type, paorder[h]); -+#endif -+ ret = krb5_run_preauth_plugins(context, -+ paorder[h], -+ request, -+ encoded_request_body, -+ encoded_previous_request, -+ in_padata[i], -+ prompter, -+ prompter_data, -+ gak_fct, -+ salt, s2kparams, -+ gak_data, -+ get_data_rock, -+ as_key, -+ &out_pa_list, -+ &out_pa_list_size, -+ &module_ret, -+ &module_flags); -+ if (ret == 0) { -+ if (module_ret == 0) { -+ if (paorder[h] == PA_REAL) { -+ realdone = 1; -+ } -+ } -+ } -+ } -+ } - } - } - -- if (out_pa_list) -- out_pa_list[out_pa_list_size++] = NULL; -- - *out_padata = out_pa_list; - if (etype_info) - krb5_free_etype_info(context, etype_info); ---- krb5/src/lib/krb5/krb/Makefile.in -+++ krb5/src/lib/krb5/krb/Makefile.in -@@ -6,7 +6,7 @@ RUN_SETUP = @KRB5_RUN_ENV@ - PROG_LIBPATH=-L$(TOPLIBD) - PROG_RPATH=$(KRB5_LIBDIR) - LOCALINCLUDES = -I$(srcdir)/../os -I$(SRCTOP) --DEFS= -+DEFS=-DLIBDIR=\"$(KRB5_LIBDIR)\" - - ##DOS##BUILDTOP = ..\..\.. - ##DOS##PREFIXDIR=krb ---- krb5/src/lib/krb5/krb/get_in_tkt.c 2005-08-15 20:38:17.000000000 -0400 -+++ krb5/src/lib/krb5/krb/get_in_tkt.c -@@ -78,6 +78,9 @@ typedef krb5_error_code (*git_decrypt_pr - static krb5_error_code make_preauth_list (krb5_context, - krb5_preauthtype *, - int, krb5_pa_data ***); -+static krb5_error_code sort_krb5_padata_sequence(krb5_context context, -+ krb5_data *realm, -+ krb5_pa_data **padata); - - /* - * This function performs 32 bit bounded addition so we can generate -@@ -105,7 +108,6 @@ static krb5_int32 krb5int_addint32 (krb5 - static krb5_error_code - send_as_request(krb5_context context, - krb5_kdc_req *request, -- krb5_timestamp *time_now, - krb5_error ** ret_err_reply, - krb5_kdc_rep ** ret_as_reply, - int *use_master) -@@ -116,17 +118,16 @@ send_as_request(krb5_context context, - krb5_data reply; - char k4_version; /* same type as *(krb5_data::data) */ - int tcp_only = 0; -+ krb5_timestamp time_now; - - reply.data = 0; -- -- if ((retval = krb5_timeofday(context, time_now))) -- goto cleanup; - -- /* -- * XXX we know they are the same size... and we should do -- * something better than just the current time -- */ -- request->nonce = (krb5_int32) *time_now; -+ /* set the nonce if the caller expects us to do it */ -+ if (request->nonce == 0) { -+ if ((retval = krb5_timeofday(context, &time_now))) -+ goto cleanup; -+ request->nonce = (krb5_int32) time_now; -+ } - - /* encode & send to KDC */ - if ((retval = encode_krb5_as_req(request, &packet)) != 0) -@@ -437,7 +438,6 @@ static const krb5_enctype get_in_tkt_enc - 0 - }; - -- - krb5_error_code KRB5_CALLCONV - krb5_get_in_tkt(krb5_context context, - const krb5_flags options, -@@ -486,6 +486,7 @@ krb5_get_in_tkt(krb5_context context, - request.kdc_options = options; - request.client = creds->client; - request.server = creds->server; -+ request.nonce = 0; - request.from = creds->times.starttime; - request.till = creds->times.endtime; - request.rtime = creds->times.renew_till; -@@ -553,7 +554,17 @@ krb5_get_in_tkt(krb5_context context, - - err_reply = 0; - as_reply = 0; -- if ((retval = send_as_request(context, &request, &time_now, &err_reply, -+ -+ if ((retval = krb5_timeofday(context, &time_now))) -+ goto cleanup; -+ -+ /* -+ * XXX we know they are the same size... and we should do -+ * something better than just the current time -+ */ -+ request.nonce = (krb5_int32) time_now; -+ -+ if ((retval = send_as_request(context, &request, &err_reply, - &as_reply, &use_master))) - goto cleanup; - -@@ -565,6 +576,11 @@ krb5_get_in_tkt(krb5_context context, - krb5_free_error(context, err_reply); - if (retval) - goto cleanup; -+ retval = sort_krb5_padata_sequence(context, -+ &request.server->realm, -+ padata); -+ if (retval) -+ goto cleanup; - continue; - } else { - retval = (krb5_error_code) err_reply->error -@@ -746,6 +762,79 @@ krb5_libdefault_boolean(krb5_context con - return(0); - } - -+/* Sort a pa_data sequence so that types named in the "preferred_preauth_types" -+ * libdefaults entry are listed before any others. */ -+static krb5_error_code -+sort_krb5_padata_sequence(krb5_context context, krb5_data *realm, -+ krb5_pa_data **padata) -+{ -+ int i, j, base; -+ krb5_error_code ret; -+ const char *p; -+ long l; -+ char *q, *preauth_types = NULL; -+ krb5_pa_data *tmp; -+ int need_free_string = 1; -+ -+ if ((padata == NULL) || (padata[0] == NULL)) { -+ return 0; -+ } -+ -+ ret = krb5_libdefault_string(context, realm, "preferred_preauth_types", -+ &preauth_types); -+ if ((ret != 0) || (preauth_types == NULL)) { -+ /* Try to use PKINIT first. */ -+ preauth_types = "17, 16, 15, 14"; -+ need_free_string = 0; -+ } -+ -+#ifdef DEBUG -+ fprintf (stderr, "preauth data types before sorting:"); -+ for (i = 0; padata[i]; i++) { -+ fprintf (stderr, " %d", padata[i]->pa_type); -+ } -+ fprintf (stderr, "\n"); -+#endif -+ -+ base = 0; -+ for (p = preauth_types; *p != '\0';) { -+ /* skip whitespace to find an entry */ -+ p += strspn(p, ", "); -+ if (*p != '\0') { -+ /* see if we can extract a number */ -+ l = strtol(p, &q, 10); -+ if ((q != NULL) && (q > p)) { -+ /* got a valid number; search for a matchin entry */ -+ for (i = base; padata[i] != NULL; i++) { -+ /* bubble the matching entry to the front of the list */ -+ if (padata[i]->pa_type == l) { -+ tmp = padata[i]; -+ for (j = i; j > base; j--) -+ padata[j] = padata[j - 1]; -+ padata[base] = tmp; -+ base++; -+ break; -+ } -+ } -+ p = q; -+ } else { -+ break; -+ } -+ } -+ } -+ if (need_free_string) -+ free(preauth_types); -+ -+#ifdef DEBUG -+ fprintf (stderr, "preauth data types after sorting:"); -+ for (i = 0; padata[i]; i++) -+ fprintf (stderr, " %d", padata[i]->pa_type); -+ fprintf (stderr, "\n"); -+#endif -+ -+ return 0; -+} -+ - krb5_error_code KRB5_CALLCONV - krb5_get_init_creds(krb5_context context, - krb5_creds *creds, -@@ -762,7 +851,8 @@ krb5_get_init_creds(krb5_context context - { - krb5_error_code ret; - krb5_kdc_req request; -- krb5_pa_data **padata; -+ krb5_data *encoded_request_body, *encoded_previous_request; -+ krb5_pa_data **preauth_to_use, **kdc_padata; - int tempint; - char *tempstr; - krb5_deltat tkt_life; -@@ -775,6 +865,7 @@ krb5_get_init_creds(krb5_context context - krb5_kdc_rep *local_as_reply; - krb5_timestamp time_now; - krb5_enctype etype = 0; -+ krb5_preauth_client_rock get_data_rock; - - /* initialize everything which will be freed at cleanup */ - -@@ -784,19 +875,27 @@ krb5_get_init_creds(krb5_context context - request.ktype = NULL; - request.addresses = NULL; - request.padata = NULL; -- padata = NULL; -+ encoded_request_body = NULL; -+ encoded_previous_request = NULL; -+ preauth_to_use = NULL; -+ kdc_padata = NULL; - as_key.length = 0; - salt.length = 0; - salt.data = NULL; - - local_as_reply = 0; - -+ err_reply = NULL; -+ - /* - * Set up the basic request structure - */ - request.magic = KV5M_KDC_REQ; - request.msg_type = KRB5_AS_REQ; - -+ /* request.nonce is filled in when we send a request to the kdc */ -+ request.nonce = 0; -+ - /* request.padata is filled in later */ - - request.kdc_options = context->kdc_default_options; -@@ -921,7 +1020,9 @@ krb5_get_init_creds(krb5_context context - goto cleanup; - } - -- /* nonce is filled in by send_as_request */ -+ krb5_preauth_request_context_init(context); -+ -+ /* nonce is filled in by send_as_request if we don't take care of it */ - - if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST)) { - request.ktype = options->etype_list; -@@ -960,8 +1061,8 @@ krb5_get_init_creds(krb5_context context - - if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST)) { - if ((ret = make_preauth_list(context, options->preauth_list, -- options->preauth_list_length, -- &padata))) -+ options->preauth_list_length, -+ &preauth_to_use))) - goto cleanup; - } - -@@ -975,44 +1076,118 @@ krb5_get_init_creds(krb5_context context - salt.data = NULL; - } - -- /* now, loop processing preauth data and talking to the kdc */ - -+ /* set the request nonce */ -+ if ((ret = krb5_timeofday(context, &time_now))) -+ goto cleanup; -+ /* -+ * XXX we know they are the same size... and we should do -+ * something better than just the current time -+ */ -+ request.nonce = (krb5_int32) time_now; -+ -+ /* give the preauth plugins a chance to prep the request body */ -+ krb5_preauth_prepare_request(context, options, &request); -+ ret = encode_krb5_kdc_req_body(&request, &encoded_request_body); -+ if (ret) -+ goto cleanup; -+ -+ get_data_rock.magic = CLIENT_ROCK_MAGIC; -+ get_data_rock.as_reply = NULL; -+ -+ /* now, loop processing preauth data and talking to the kdc */ - for (loopcount = 0; loopcount < MAX_IN_TKT_LOOPS; loopcount++) { - if (request.padata) { - krb5_free_pa_data(context, request.padata); - request.padata = NULL; - } -+ if (!err_reply) { -+ /* either our first attempt, or retrying after PREAUTH_NEEDED */ -+ if ((ret = krb5_do_preauth(context, -+ &request, -+ encoded_request_body, -+ encoded_previous_request, -+ preauth_to_use, &request.padata, -+ &salt, &s2kparams, &etype, &as_key, -+ prompter, prompter_data, -+ gak_fct, gak_data, -+ &get_data_rock))) -+ goto cleanup; -+ } else { -+ if (preauth_to_use != NULL) { -+ /* -+ * Retry after an error other than PREAUTH_NEEDED, -+ * using e-data to figure out what to change. -+ */ -+ ret = krb5_do_preauth_tryagain(context, -+ &request, -+ encoded_request_body, -+ encoded_previous_request, -+ preauth_to_use, &request.padata, -+ err_reply, -+ &salt, &s2kparams, &etype, -+ &as_key, -+ prompter, prompter_data, -+ gak_fct, gak_data, -+ &get_data_rock); -+ } else { -+ /* No preauth supplied, so can't query the plug-ins. */ -+ ret = KRB5KRB_ERR_GENERIC; -+ } -+ if (ret) { -+ /* couldn't come up with anything better */ -+ ret = err_reply->error + ERROR_TABLE_BASE_krb5; -+ } -+ krb5_free_error(context, err_reply); -+ err_reply = NULL; -+ if (ret) -+ goto cleanup; -+ } - -- if ((ret = krb5_do_preauth(context, &request, -- padata, &request.padata, -- &salt, &s2kparams, &etype, &as_key, prompter, -- prompter_data, gak_fct, gak_data))) -+ if (encoded_previous_request != NULL) { -+ krb5_free_data(context, encoded_previous_request); -+ encoded_previous_request = NULL; -+ } -+ ret = encode_krb5_as_req(&request, &encoded_previous_request); -+ if (ret) - goto cleanup; - -- if (padata) { -- krb5_free_pa_data(context, padata); -- padata = 0; -- } -- - err_reply = 0; - local_as_reply = 0; -- if ((ret = send_as_request(context, &request, &time_now, &err_reply, -+ if ((ret = send_as_request(context, &request, &err_reply, - &local_as_reply, use_master))) - goto cleanup; - - if (err_reply) { - if (err_reply->error == KDC_ERR_PREAUTH_REQUIRED && - err_reply->e_data.length > 0) { -+ /* reset the list of preauth types to try */ -+ if (preauth_to_use) { -+ krb5_free_pa_data(context, preauth_to_use); -+ preauth_to_use = NULL; -+ } - ret = decode_krb5_padata_sequence(&err_reply->e_data, -- &padata); -+ &preauth_to_use); - krb5_free_error(context, err_reply); -+ err_reply = NULL; -+ if (ret) -+ goto cleanup; -+ ret = sort_krb5_padata_sequence(context, -+ &request.server->realm, -+ preauth_to_use); - if (ret) - goto cleanup; -+ /* continue to next iteration */ - } else { -- ret = (krb5_error_code) err_reply->error -- + ERROR_TABLE_BASE_krb5; -- krb5_free_error(context, err_reply); -- goto cleanup; -+ if (err_reply->e_data.length > 0) { -+ /* continue to next iteration */ -+ } else { -+ /* error + no hints = give up */ -+ ret = (krb5_error_code) err_reply->error -+ + ERROR_TABLE_BASE_krb5; -+ krb5_free_error(context, err_reply); -+ goto cleanup; -+ } - } - } else if (local_as_reply) { - break; -@@ -1028,16 +1203,20 @@ krb5_get_init_creds(krb5_context context - } - - /* process any preauth data in the as_reply */ -- -- if ((ret = krb5_do_preauth(context, &request, -- local_as_reply->padata, &padata, -+ krb5_clear_preauth_context_use_counts(context); -+ if ((ret = sort_krb5_padata_sequence(context, &request.server->realm, -+ local_as_reply->padata))) -+ goto cleanup; -+ get_data_rock.as_reply = local_as_reply; -+ if ((ret = krb5_do_preauth(context, -+ &request, -+ encoded_request_body, encoded_previous_request, -+ local_as_reply->padata, &kdc_padata, - &salt, &s2kparams, &etype, &as_key, prompter, -- prompter_data, gak_fct, gak_data))) -+ prompter_data, gak_fct, gak_data, -+ &get_data_rock))) - goto cleanup; - -- /* XXX if there's padata on output, something is wrong, but it's -- not obviously an error */ -- - /* XXX For 1.1.1 and prior KDC's, when SAM is used w/ USE_SAD_AS_KEY, - the AS_REP comes back encrypted in the user's longterm key - instead of in the SAD. If there was a SAM preauth, there -@@ -1090,6 +1269,15 @@ krb5_get_init_creds(krb5_context context - ret = 0; - - cleanup: -+ krb5_preauth_request_context_fini(context); -+ if (encoded_previous_request != NULL) { -+ krb5_free_data(context, encoded_previous_request); -+ encoded_previous_request = NULL; -+ } -+ if (encoded_request_body != NULL) { -+ krb5_free_data(context, encoded_request_body); -+ encoded_request_body = NULL; -+ } - if (request.server) - krb5_free_principal(context, request.server); - if (request.ktype && -@@ -1099,8 +1287,10 @@ cleanup: - (!(options && - (options->flags & KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST)))) - krb5_free_addresses(context, request.addresses); -- if (padata) -- krb5_free_pa_data(context, padata); -+ if (preauth_to_use) -+ krb5_free_pa_data(context, preauth_to_use); -+ if (kdc_padata) -+ krb5_free_pa_data(context, kdc_padata); - if (request.padata) - krb5_free_pa_data(context, request.padata); - if (as_key.length) ---- krb5/src/lib/krb5/error_tables/krb5_err.et -+++ krb5/src/lib/krb5/error_tables/krb5_err.et -@@ -103,26 +103,26 @@ error_code KRB5PLACEHOLD_58, "KRB5 error - error_code KRB5PLACEHOLD_59, "KRB5 error code 59" - error_code KRB5KRB_ERR_GENERIC, "Generic error (see e-text)" - error_code KRB5KRB_ERR_FIELD_TOOLONG, "Field is too long for this implementation" --error_code KRB5PLACEHOLD_62, "KRB5 error code 62" --error_code KRB5PLACEHOLD_63, "KRB5 error code 63" --error_code KRB5PLACEHOLD_64, "KRB5 error code 64" --error_code KRB5PLACEHOLD_65, "KRB5 error code 65" --error_code KRB5PLACEHOLD_66, "KRB5 error code 66" -+error_code KRB5KDC_ERR_CLIENT_NOT_TRUSTED, "Client not trusted" -+error_code KRB5KDC_ERR_KDC_NOT_TRUSTED, "KDC not trusted" -+error_code KRB5KDC_ERR_INVALID_SIG, "Invalid signature" -+error_code KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED, "Key parameters not accepted" -+error_code KRB5KDC_ERR_CERTIFICATE_MISMATCH, "Certificate mismatch" - error_code KRB5PLACEHOLD_67, "KRB5 error code 67" - error_code KRB5PLACEHOLD_68, "KRB5 error code 68" - error_code KRB5PLACEHOLD_69, "KRB5 error code 69" --error_code KRB5PLACEHOLD_70, "KRB5 error code 70" --error_code KRB5PLACEHOLD_71, "KRB5 error code 71" --error_code KRB5PLACEHOLD_72, "KRB5 error code 72" --error_code KRB5PLACEHOLD_73, "KRB5 error code 73" --error_code KRB5PLACEHOLD_74, "KRB5 error code 74" --error_code KRB5PLACEHOLD_75, "KRB5 error code 75" --error_code KRB5PLACEHOLD_76, "KRB5 error code 76" --error_code KRB5PLACEHOLD_77, "KRB5 error code 77" --error_code KRB5PLACEHOLD_78, "KRB5 error code 78" --error_code KRB5PLACEHOLD_79, "KRB5 error code 79" --error_code KRB5PLACEHOLD_80, "KRB5 error code 80" --error_code KRB5PLACEHOLD_81, "KRB5 error code 81" -+error_code KRB5KDC_ERR_CANT_VERIFY_CERTIFICATE, "Can't verify certificate" -+error_code KRB5KDC_ERR_INVALID_CERTIFICATE, "Invalid certificate" -+error_code KRB5KDC_ERR_REVOKED_CERTIFICATE, "Revoked certificate" -+error_code KRB5KDC_ERR_REVOCATION_STATUS_UNKNOWN, "Revocation status unknown" -+error_code KRB5KDC_ERR_REVOCATION_STATUS_UNAVAILABLE, "Revocation status unavailable" -+error_code KRB5KDC_ERR_CLIENT_NAME_MISMATCH, "Client name mismatch" -+error_code KRB5KDC_ERR_KDC_NAME_MISMATCH, "KDC name mismatch" -+error_code KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE, "Inconsistent key purpose" -+error_code KRB5KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED, "Digest in certificate not accepted" -+error_code KRB5KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED, "Checksum must be included" -+error_code KRB5KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED, "Digest in signed-data not accepted" -+error_code KRB5KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED, "Public key encryption not supported" - error_code KRB5PLACEHOLD_82, "KRB5 error code 82" - error_code KRB5PLACEHOLD_83, "KRB5 error code 83" - error_code KRB5PLACEHOLD_84, "KRB5 error code 84" ---- krb5/src/include/k5-int.h -+++ krb5/src/include/k5-int.h -@@ -835,6 +835,90 @@ error(MIT_DES_KEYSIZE does not equal KRB - #ifndef KRB5_PREAUTH__ - #define KRB5_PREAUTH__ - -+#include -+ -+#define CLIENT_ROCK_MAGIC 0x4352434b -+/* This structure is passed into the client preauth functions and passed -+ * back to the "get_data_proc" function so that it can locate the -+ * requested information. It is opaque to the plugin code and can be -+ * expanded in the future as new types of requests are defined which -+ * may require other things to be passed through. */ -+typedef struct _krb5_preauth_client_rock { -+ krb5_magic magic; -+ krb5_kdc_rep *as_reply; -+} krb5_preauth_client_rock; -+ -+/* This structure lets us keep track of all of the modules which are loaded, -+ * turning the list of modules and their lists of implemented preauth types -+ * into a single list which we can walk easily. */ -+typedef struct _krb5_preauth_context { -+ int n_modules; -+ struct _krb5_preauth_context_module { -+ /* Which of the possibly more than one preauth types which the -+ * module supports we're using at this point in the list. */ -+ krb5_preauthtype pa_type; -+ /* Encryption types which the client claims to support -- we -+ * copy them directly into the krb5_kdc_req structure during -+ * krb5_preauth_prepare_request(). */ -+ krb5_enctype *enctypes; -+ /* The plugin's per-plugin context and a function to clear it. */ -+ void *plugin_context; -+ void (*client_fini)(krb5_context context, void *plugin_context); -+ /* The module's table, and some of its members, copied here for -+ * convenience when we populated the list. */ -+ struct krb5plugin_preauth_client_ftable_v0 *ftable; -+ const char *name; -+ int flags, use_count; -+ krb5_error_code (*client_process)(krb5_context context, -+ void *plugin_context, -+ void *request_context, -+ preauth_get_client_data_proc get_data_proc, -+ krb5_preauth_client_rock *rock, -+ krb5_kdc_req *request, -+ krb5_data *encoded_request_body, -+ krb5_data *encoded_previous_request, -+ krb5_pa_data *pa_data, -+ krb5_prompter_fct prompter, -+ void *prompter_data, -+ preauth_get_as_key_proc gak_fct, -+ void *gak_data, -+ krb5_data *salt, -+ krb5_data *s2kparams, -+ krb5_keyblock *as_key, -+ krb5_pa_data **out_pa_data); -+ krb5_error_code (*client_tryagain)(krb5_context context, -+ void *plugin_context, -+ void *request_context, -+ preauth_get_client_data_proc get_data_proc, -+ krb5_preauth_client_rock *rock, -+ krb5_kdc_req *request, -+ krb5_data *encoded_request_body, -+ krb5_data *encoded_previous_request, -+ krb5_pa_data *old_pa_data, -+ krb5_error *err_reply, -+ krb5_prompter_fct prompter, -+ void *prompter_data, -+ preauth_get_as_key_proc gak_fct, -+ void *gak_data, -+ krb5_data *salt, -+ krb5_data *s2kparams, -+ krb5_keyblock *as_key, -+ krb5_pa_data **new_pa_data); -+ void (*client_req_init)(krb5_context context, void *plugin_context, -+ void **request_context); -+ void (*client_req_fini)(krb5_context context, void *plugin_context, -+ void *request_context); -+ /* The per-request context which the client_req_init() function -+ * might allocate, which we'll need to clean up later by -+ * calling the client_req_fini() function. */ -+ void *request_context; -+ /* A pointer to the request_context pointer. All modules within -+ * a plugin will point at the request_context of the first -+ * module within the plugin. */ -+ void **request_context_pp; -+ } *modules; -+} krb5_preauth_context; -+ - typedef struct _krb5_pa_enc_ts { - krb5_timestamp patimestamp; - krb5_int32 pausec; -@@ -961,14 +1045,41 @@ void krb5int_populate_gic_opt ( - krb5_preauthtype *pre_auth_types, krb5_creds *creds); - - --krb5_error_code krb5_do_preauth --(krb5_context, krb5_kdc_req *, -- krb5_pa_data **, krb5_pa_data ***, -- krb5_data *salt, krb5_data *s2kparams, -- krb5_enctype *, -- krb5_keyblock *, -- krb5_prompter_fct, void *, -- krb5_gic_get_as_key_fct, void *); -+krb5_error_code KRB5_CALLCONV krb5_do_preauth -+ (krb5_context context, -+ krb5_kdc_req *request, -+ krb5_data *encoded_request_body, -+ krb5_data *encoded_previous_request, -+ krb5_pa_data **in_padata, krb5_pa_data ***out_padata, -+ krb5_data *salt, krb5_data *s2kparams, -+ krb5_enctype *etype, krb5_keyblock *as_key, -+ krb5_prompter_fct prompter, void *prompter_data, -+ krb5_gic_get_as_key_fct gak_fct, void *gak_data, -+ krb5_preauth_client_rock *get_data_rock); -+krb5_error_code KRB5_CALLCONV krb5_do_preauth_tryagain -+ (krb5_context context, -+ krb5_kdc_req *request, -+ krb5_data *encoded_request_body, -+ krb5_data *encoded_previous_request, -+ krb5_pa_data **in_padata, krb5_pa_data ***out_padata, -+ krb5_error *err_reply, -+ krb5_data *salt, krb5_data *s2kparams, -+ krb5_enctype *etype, krb5_keyblock *as_key, -+ krb5_prompter_fct prompter, void *prompter_data, -+ krb5_gic_get_as_key_fct gak_fct, void *gak_data, -+ krb5_preauth_client_rock *get_data_rock); -+void KRB5_CALLCONV krb5_init_preauth_context -+ (krb5_context); -+void KRB5_CALLCONV krb5_free_preauth_context -+ (krb5_context); -+void KRB5_CALLCONV krb5_clear_preauth_context_use_counts -+ (krb5_context); -+void KRB5_CALLCONV krb5_preauth_prepare_request -+ (krb5_context, krb5_get_init_creds_opt *, krb5_kdc_req *); -+void KRB5_CALLCONV krb5_preauth_request_context_init -+ (krb5_context); -+void KRB5_CALLCONV krb5_preauth_request_context_fini -+ (krb5_context); - - void KRB5_CALLCONV krb5_free_sam_challenge - (krb5_context, krb5_sam_challenge * ); -@@ -1059,6 +1174,10 @@ struct _krb5_context { - struct krb5plugin_service_locate_ftable *vtbl; - void (**locate_fptrs)(void); - -+ /* preauth module stuff */ -+ struct plugin_dir_handle preauth_plugins; -+ krb5_preauth_context *preauth_context; -+ - /* error detail info */ - struct errinfo err; - }; ---- krb5/src/include/kdb.h -+++ krb5/src/include/kdb.h -@@ -171,6 +171,7 @@ typedef struct __krb5_key_salt_tuple { - #define KRB5_TL_SECURID_STATE 0x0006 - #define KRB5_TL_DB_ARGS 0x7fff - #endif /* SECURID */ -+#define KRB5_TL_USER_CERTIFICATE 0x0007 - - /* - * Determines the number of failed KDC requests before DISALLOW_ALL_TIX is set ---- /dev/null 2007-01-10 09:59:42.964619257 -0500 -+++ krb5/src/include/krb5/preauth_plugin.h -@@ -0,0 +1,326 @@ -+/* -+ * -+ * -+ * Copyright (c) 2006 Red Hat, Inc. -+ * Portions copyright (c) 2006 Massachusetts Institute of Technology -+ * All Rights Reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions are met: -+ * -+ * * Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * * Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * * Neither the name of Red Hat, Inc., nor the names of its -+ * contributors may be used to endorse or promote products derived -+ * from this software without specific prior written permission. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS -+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED -+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A -+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER -+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, -+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, -+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR -+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF -+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING -+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ * Preauthentication plugin definitions for Kerberos 5. -+ */ -+ -+#ifndef KRB5_PREAUTH_PLUGIN_H_INCLUDED -+#define KRB5_PREAUTH_PLUGIN_H_INCLUDED -+#include -+ -+/* -+ * While arguments of these types are passed-in, for the most part a preauth -+ * module can treat them as opaque. If we need keying data, we can ask for -+ * it directly. -+ */ -+struct _krb5_db_entry_new; -+struct _krb5_key_data; -+struct _krb5_preauth_client_rock; -+ -+/* -+ * Preauth mechanism property flags, unified from previous definitions in the -+ * KDC and libkrb5 sources. -+ */ -+ -+/* Provides a real answer which we can send back to the KDC (client-only). The -+ * client assumes that one real answer will be enough. */ -+#define PA_REAL 0x00000001 -+ -+/* Doesn't provide a real answer, but must be given a chance to run before any -+ * REAL mechanism callbacks (client-only). */ -+#define PA_INFO 0x00000002 -+ -+/* Causes the KDC to include this mechanism in a list of supported preauth -+ * types if the user's DB entry flags the user as requiring hardware-based -+ * preauthentication (server-only). */ -+#define PA_HARDWARE 0x00000004 -+ -+/* Causes the KDC to include this mechanism in a list of supported preauth -+ * types if the user's DB entry flags the user as requiring preauthentication, -+ * and to fail preauthentication if we can't verify the client data. The -+ * flipside of PA_SUFFICIENT (server-only). */ -+#define PA_REQUIRED 0x00000008 -+ -+/* Causes the KDC to include this mechanism in a list of supported preauth -+ * types if the user's DB entry flags the user as requiring preauthentication, -+ * and to mark preauthentication as successful if we can verify the client -+ * data. The flipside of PA_REQUIRED (server-only). */ -+#define PA_SUFFICIENT 0x00000010 -+ -+/* Marks this preauthentication mechanism as one which changes the key which is -+ * used for encrypting the response to the client. Modules which have this -+ * flag have their server_return_proc called before modules which do not, and -+ * are passed over if a previously-called module has modified the encrypting -+ * key (server-only). */ -+#define PA_REPLACES_KEY 0x00000020 -+ -+/* Causes the KDC to check with this preauthentication module even if the -+ * client has no entry in the realm database. If the module returns a success -+ * code, continue processing and assume that its return_padata callback will -+ * supply us with a key for encrypting the AS reply (server-only). */ -+/* #define PA_VIRTUAL (0x00000040 | PA_REPLACES_KEY) */ -+ -+/* Not really a padata type, so don't include it in any list of preauth types -+ * which gets sent over the wire. */ -+#define PA_PSEUDO 0x00000080 -+ -+/* -+ * A server module's callback functions are allowed to request specific types -+ * of information about the given client or server record or request, even -+ * though the database records themselves are opaque to the module. -+ */ -+enum krb5plugin_preauth_entry_request_type { -+ /* The returned krb5_data item holds a DER-encoded X.509 certificate. */ -+ krb5plugin_preauth_entry_request_certificate = 1, -+ /* The returned krb5_data_item holds a krb5_deltat. */ -+ krb5plugin_preauth_entry_max_time_skew = 2, -+ /* The returned krb5_data_item holds an array of krb5_keyblock structures, -+ * terminated by an entry with key type = 0. -+ * Each keyblock should have its contents freed in turn, and then the data -+ * item itself should be freed. */ -+ krb5plugin_preauth_keys = 3, -+ /* The returned krb5_data_item holds the request structure, re-encoded -+ * using DER. Unless the client implementation is the same as the server -+ * implementation, there's a good chance that the result will not match -+ * what the client sent, so don't go creating any fatal errors if it -+ * doesn't match up. */ -+ krb5plugin_preauth_request_body = 4 -+}; -+typedef krb5_error_code -+(*preauth_get_entry_data_proc)(krb5_context, -+ krb5_kdc_req *, -+ struct _krb5_db_entry_new *, -+ krb5_int32 request_type, -+ krb5_data **); -+ -+/* -+ * A client module's callback functions are allowed to request various -+ * information to enable it to process a request. -+ */ -+enum krb5plugin_preauth_client_request_type { -+ /* The returned krb5_data item holds the enctype used to encrypt the -+ * encrypted portion of the AS_REP packet. */ -+ krb5plugin_preauth_client_get_etype = 1, -+ /* Free the data returned from krb5plugin_preauth_client_req_get_etype */ -+ krb5plugin_preauth_client_free_etype = 2 -+}; -+typedef krb5_error_code -+(*preauth_get_client_data_proc)(krb5_context, -+ struct _krb5_preauth_client_rock *, -+ krb5_int32 request_type, -+ krb5_data **); -+ -+/* -+ * A callback which will obtain the user's long-term AS key by prompting the -+ * user for the password, then salting it properly, and so on. For the moment, -+ * it's identical to the get_as_key callback used inside of libkrb5, but we -+ * define a new typedef here instead of making the existing one public to -+ * isolate ourselves from potential future changes. -+ */ -+typedef krb5_error_code -+(*preauth_get_as_key_proc)(krb5_context, -+ krb5_principal, -+ krb5_enctype, -+ krb5_prompter_fct, -+ void *prompter_data, -+ krb5_data *salt, -+ krb5_data *s2kparams, -+ krb5_keyblock *as_key, -+ void *gak_data); -+ -+/* -+ * The function table / structure which a preauth client module must export as -+ * "preauthentication_client_0_backport_1_6". If the interfaces work correctly, future -+ * versions of the table will add either more callbacks or more arguments to -+ * callbacks, and in both cases we'll be able to wrap the v0 functions. -+ */ -+typedef struct krb5plugin_preauth_client_ftable_v0 { -+ /* Not-usually-visible name. */ -+ char *name; -+ -+ /* Pointer to zero-terminated list of pa_types which this module can -+ * provide services for. */ -+ krb5_preauthtype *pa_type_list; -+ -+ /* Pointer to zero-terminated list of enc_types which this module claims -+ * to add support for. */ -+ krb5_enctype *enctype_list; -+ -+ /* Per-plugin initialization/cleanup. The init function is called -+ * by libkrb5 when the plugin is loaded, and the fini function is -+ * called before the plugin is unloaded. Both are optional and -+ * may be called multiple times in case the plugin is used in -+ * multiple contexts. The returned context lives the lifetime of -+ * the krb5_context */ -+ krb5_error_code (*init)(krb5_context context, void **plugin_context); -+ void (*fini)(krb5_context context, void *plugin_context); -+ /* A callback which returns flags indicating if the module is a "real" or -+ * an "info" mechanism, and so on. This function is called for each entry -+ * in the client_pa_type_list. */ -+ int (*flags)(krb5_context context, krb5_preauthtype pa_type); -+ /* Per-request initialization/cleanup. The request_init function is -+ * called when beginning to process a get_init_creds request and the -+ * request_fini function is called when processing of the request is -+ * complete. This is optional. It may be called multiple times in -+ * the lifetime of a krb5_context. */ -+ void (*request_init)(krb5_context context, void *plugin_context, -+ void **request_context); -+ void (*request_fini)(krb5_context context, void *plugin_context, -+ void *request_context); -+ /* Client function which processes server-supplied data in pa_data, -+ * returns created data in out_pa_data, storing any of its own state in -+ * client_context if data for the associated preauthentication type is -+ * needed. It is also called after the AS-REP is received if the AS-REP -+ * includes preauthentication data of the associated type. -+ * NOTE! the encoded_previous_request will be NULL the first time this -+ * function is called, because it is expected to only ever contain the data -+ * obtained from a previous call to this function. */ -+ krb5_error_code (*process)(krb5_context context, -+ void *plugin_context, -+ void *request_context, -+ preauth_get_client_data_proc get_data_proc, -+ struct _krb5_preauth_client_rock *rock, -+ krb5_kdc_req *request, -+ krb5_data *encoded_request_body, -+ krb5_data *encoded_previous_request, -+ krb5_pa_data *pa_data, -+ krb5_prompter_fct prompter, -+ void *prompter_data, -+ preauth_get_as_key_proc gak_fct, -+ void *gak_data, -+ krb5_data *salt, krb5_data *s2kparams, -+ krb5_keyblock *as_key, -+ krb5_pa_data **out_pa_data); -+ /* Client function which can attempt to use e-data in the error response to -+ * try to recover from the given error. If this function is not NULL, and -+ * it stores data in out_pa_data which is different data from the contents -+ * of in_pa_data, then the client library will retransmit the request. */ -+ krb5_error_code (*tryagain)(krb5_context context, -+ void *plugin_context, -+ void *request_context, -+ preauth_get_client_data_proc get_data_proc, -+ struct _krb5_preauth_client_rock *rock, -+ krb5_kdc_req *request, -+ krb5_data *encoded_request_body, -+ krb5_data *encoded_previous_request, -+ krb5_pa_data *in_pa_data, -+ krb5_error *error, -+ krb5_prompter_fct prompter, -+ void *prompter_data, -+ preauth_get_as_key_proc gak_fct, -+ void *gak_data, -+ krb5_data *salt, krb5_data *s2kparams, -+ krb5_keyblock *as_key, -+ krb5_pa_data **out_pa_data); -+} krb5plugin_preauth_client_ftable_v0; -+ -+/* -+ * The function table / structure which a preauth server module must export as -+ * "preauthentication_server_0_backport_1_6". NOTE: replace "0" with "1" for the type and -+ * variable names if this gets picked up by upstream. If the interfaces work -+ * correctly, future versions of the table will add either more callbacks or -+ * more arguments to callbacks, and in both cases we'll be able to wrap the v0 -+ * functions. -+ */ -+typedef struct krb5plugin_preauth_server_ftable_v0 { -+ /* Not-usually-visible name. */ -+ char *name; -+ -+ /* Pointer to zero-terminated list of pa_types which this module can -+ * provide services for. */ -+ krb5_preauthtype *pa_type_list; -+ -+ /* Per-plugin initialization/cleanup. The init function is called by the -+ * KDC when the plugin is loaded, and the fini function is called before -+ * the plugin is unloaded. Both are optional. */ -+ krb5_error_code (*init_proc)(krb5_context, void **); -+ void (*fini_proc)(krb5_context, void *); -+ /* Return the flags which the KDC should use for this module. This is a -+ * callback instead of a static value because the module may or may not -+ * wish to count itself as a hardware preauthentication module (in other -+ * words, the flags may be affected by the configuration, for example if a -+ * site administrator can force a particular preauthentication type to be -+ * supported using only hardware). This function is called for each entry -+ * entry in the server_pa_type_list. */ -+ int (*flags_proc)(krb5_context, krb5_preauthtype); -+ /* Get preauthentication data to send to the client as part of the "you -+ * need to use preauthentication" error. The module doesn't need to -+ * actually provide data if the protocol doesn't require it, but it should -+ * return either zero or non-zero to control whether its padata type is -+ * included in the list which is sent back to the client. Is not allowed -+ * to create a context because we have no guarantee that the client will -+ * ever call again (or that it will hit this server if it does), in which -+ * case a context might otherwise hang around forever. */ -+ krb5_error_code (*edata_proc)(krb5_context, krb5_kdc_req *request, -+ struct _krb5_db_entry_new *client, -+ struct _krb5_db_entry_new *server, -+ preauth_get_entry_data_proc, -+ void *pa_module_context, -+ krb5_pa_data *data); -+ /* Verify preauthentication data sent by the client, setting the -+ * TKT_FLG_PRE_AUTH or TKT_FLG_HW_AUTH flag in the enc_tkt_reply's "flags" -+ * field as appropriate, and returning nonzero on failure. Can create -+ * context data for consumption by the return_proc or freepa_proc below. */ -+ krb5_error_code (*verify_proc)(krb5_context, -+ struct _krb5_db_entry_new *client, -+ krb5_data *req_pkt, -+ krb5_kdc_req *request, -+ krb5_enc_tkt_part *enc_tkt_reply, -+ krb5_pa_data *data, -+ preauth_get_entry_data_proc, -+ void *pa_module_context, -+ void **pa_request_context, -+ krb5_data **e_data); -+ /* Generate preauthentication response data to send to the client as part -+ * of the AS-REP. If it needs to override the key which is used to encrypt -+ * the response, it can do so. The module is expected (but not required, -+ * if a freepa_proc is also provided) to free any context data it saved in -+ * "request_pa_context". */ -+ krb5_error_code (*return_proc)(krb5_context, krb5_pa_data * padata, -+ struct _krb5_db_entry_new *client, -+ krb5_data *req_pkt, -+ krb5_kdc_req *request, -+ krb5_kdc_rep *reply, -+ struct _krb5_key_data *client_keys, -+ krb5_keyblock *encrypting_key, -+ krb5_pa_data **send_pa, -+ preauth_get_entry_data_proc, -+ void *pa_module_context, -+ void **pa_request_context); -+ /* Free up the server-side per-request context, in cases where -+ * server_return_proc() didn't or for whatever reason was not called. Can -+ * be NULL. */ -+ krb5_error_code (*freepa_reqcontext_proc)(krb5_context, -+ void *pa_module_context, -+ void **request_pa_context); -+} krb5plugin_preauth_server_ftable_v0; -+#endif /* KRB5_PREAUTH_PLUGIN_H_INCLUDED */ ---- krb5/src/config/pre.in -+++ krb5/src/config/pre.in -@@ -194,6 +194,7 @@ prefix=@prefix@ - INSTALL_PREFIX=$(prefix) - INSTALL_EXEC_PREFIX=@exec_prefix@ - exec_prefix=@exec_prefix@ -+datarootdir=@datarootdir@ - SHLIB_TAIL_COMP=@SHLIB_TAIL_COMP@ - - datadir = @datadir@ -@@ -212,6 +213,7 @@ KRB5_SHLIBDIR = @libdir@$(SHLIB_TAIL_COM - KRB5_INCDIR = @includedir@ - MODULE_DIR = @libdir@/krb5/plugins - KRB5_DB_MODULE_DIR = $(MODULE_DIR)/kdb -+KRB5_PA_MODULE_DIR = $(MODULE_DIR)/preauth - KRB5_LIBKRB5_MODULE_DIR = $(MODULE_DIR)/libkrb5 - KRB5_INCSUBDIRS = \ - $(KRB5_INCDIR)/krb5 \ ---- /dev/null 2007-01-10 09:59:42.964619257 -0500 -+++ krb5/src/plugins/preauth/wpse/configure.in -@@ -0,0 +1,14 @@ -+K5_AC_INIT(configure.in) -+enable_shared=yes -+build_dynobj=yes -+CONFIG_RULES -+ -+AC_CHECK_HEADERS(errno.h string.h) -+ -+KRB5_RUN_FLAGS -+dnl The following is for check... -+KRB5_BUILD_PROGRAM -+KRB5_BUILD_LIBOBJS -+KRB5_BUILD_LIBRARY_WITH_DEPS -+AC_CONFIG_HEADERS(config.h) -+V5_AC_OUTPUT_MAKEFILE ---- /dev/null 2007-01-10 09:59:42.964619257 -0500 -+++ krb5/src/plugins/preauth/wpse/Makefile.in -@@ -0,0 +1,42 @@ -+thisconfigdir=. -+myfulldir=plugins/preauth/wpse -+mydir=. -+BUILDTOP=$(REL)..$(S)..$(S).. -+KRB5_RUN_ENV = @KRB5_RUN_ENV@ -+KRB5_CONFIG_SETUP = KRB5_CONFIG=$(SRCTOP)/config-files/krb5.conf ; export KRB5_CONFIG ; -+PROG_LIBPATH=-L$(TOPLIBD) -+PROG_RPATH=$(KRB5_LIBDIR) -+MODULE_INSTALL_DIR = $(KRB5_PA_MODULE_DIR) -+DEFS=@DEFS@ -+ -+LOCALINCLUDES = -I../../../include/krb5 -I. -+ -+LIBBASE=wpse -+LIBMAJOR=0 -+LIBMINOR=0 -+SO_EXT=.so -+RELDIR=../plugins/preauth/wpse -+# Depends on libk5crypto and libkrb5 -+SHLIB_EXPDEPS = \ -+ $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ -+ $(TOPLIBD)/libkrb5$(SHLIBEXT) -+SHLIB_EXPLIBS= -lkrb5 -lcom_err -lk5crypto $(SUPPORT_LIB) $(LIBS) -+ -+SHLIB_DIRS=-L$(TOPLIBD) -+SHLIB_RDIRS=$(KRB5_LIBDIR) -+STOBJLISTS=OBJS.ST -+STLIBOBJS=wpse_main.o -+ -+SRCS=wpse_main.c -+ -+all-unix:: $(LIBBASE)$(SO_EXT) -+install-unix:: install-libs -+clean-unix:: clean-libs clean-libobjs -+ -+clean:: -+ $(RM) lib$(LIBBASE)$(SO_EXT) -+ -+@libnover_frag@ -+@libobj_frag@ -+ -+# +++ Dependency line eater +++ ---- /dev/null 2007-01-10 09:59:42.964619257 -0500 -+++ krb5/src/plugins/preauth/wpse/wpse_main.c -@@ -0,0 +1,393 @@ -+/* -+ * Copyright (C) 2006 Red Hat, Inc. -+ * All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions are met: -+ * -+ * * Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * * Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * * Neither the name of Red Hat, Inc., nor the names of its -+ * contributors may be used to endorse or promote products derived -+ * from this software without specific prior written permission. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS -+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED -+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A -+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER -+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, -+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, -+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR -+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF -+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING -+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+/* Worst. Preauthentication. Scheme. Ever. */ -+ -+#ident "$Id$" -+ -+#ifdef HAVE_CONFIG_H -+#include "config.h" -+#endif -+ -+#ifdef HAVE_ERRNO_H -+#include -+#endif -+#ifdef HAVE_STRING_H -+#include -+#endif -+ -+#include -+#include -+ -+#include -+#include -+ -+/* This is not a standardized value. It's defined here only to make it easier -+ * to change in this module. */ -+#define KRB5_PADATA_WPSE_REQ 131 -+ -+static int -+client_get_flags(krb5_context kcontext, krb5_preauthtype pa_type) -+{ -+ return PA_REAL; -+} -+ -+static krb5_error_code -+client_init(krb5_context kcontext, void **ctx) -+{ -+ int *pctx; -+ -+ pctx = malloc(sizeof(int)); -+ if (pctx == NULL) -+ return ENOMEM; -+ *pctx = 0; -+ *ctx = pctx; -+ return 0; -+} -+ -+static void -+client_fini(krb5_context kcontext, void *ctx) -+{ -+ int *pctx; -+ -+ pctx = ctx; -+ if (pctx) { -+#ifdef DEBUG -+ fprintf(stderr, "wpse module called total of %d times\n", *pctx); -+#endif -+ free(pctx); -+ } -+} -+ -+static krb5_error_code -+client_process(krb5_context kcontext, -+ void *plugin_context, -+ void *request_context, -+ preauth_get_client_data_proc client_get_data_proc, -+ struct _krb5_preauth_client_rock *rock, -+ krb5_kdc_req *request, -+ krb5_data *encoded_request_body, -+ krb5_data *encoded_previous_request, -+ krb5_pa_data *pa_data, -+ krb5_prompter_fct prompter, -+ void *prompter_data, -+ preauth_get_as_key_proc gak_fct, -+ void *gak_data, -+ krb5_data *salt, krb5_data *s2kparams, -+ krb5_keyblock *as_key, -+ krb5_pa_data **out_pa_data) -+{ -+ krb5_pa_data *send_pa; -+ krb5_int32 nnonce, enctype; -+ krb5_keyblock *kb; -+ krb5_error_code status; -+ int *pctx; -+ -+#ifdef DEBUG -+ fprintf(stderr, "%d bytes of preauthentication data (type %d)\n", -+ pa_data->length, pa_data->pa_type); -+#endif -+ -+ pctx = plugin_context; -+ if (pctx) { -+ (*pctx)++; -+ } -+ -+ if (pa_data->length == 0) { -+ /* Create preauth data. */ -+ send_pa = malloc(sizeof(krb5_pa_data)); -+ if (send_pa == NULL) -+ return ENOMEM; -+ send_pa->pa_type = KRB5_PADATA_WPSE_REQ; -+ send_pa->length = 4; -+ send_pa->contents = malloc(4); -+ if (send_pa->contents == NULL) { -+ free(send_pa); -+ return ENOMEM; -+ } -+ /* Store the preauth data. */ -+ nnonce = htonl(request->nonce); -+ memcpy(send_pa->contents, &nnonce, 4); -+ *out_pa_data = send_pa; -+ } else { -+ /* A reply from the KDC. Conventionally this would be -+ * indicated by a different preauthentication type, but this -+ * mechanism/implementation doesn't do that. */ -+ if (pa_data->length > 4) { -+ memcpy(&enctype, pa_data->contents, 4); -+ kb = NULL; -+ status = krb5_init_keyblock(kcontext, ntohl(enctype), -+ pa_data->length - 4, &kb); -+ if (status != 0) -+ return status; -+ memcpy(kb->contents, pa_data->contents + 4, pa_data->length - 4); -+#ifdef DEBUG -+ fprintf(stderr, "Recovered key type=%d, length=%d.\n", -+ kb->enctype, kb->length); -+#endif -+ status = krb5_copy_keyblock_contents(kcontext, kb, as_key); -+ krb5_free_keyblock(kcontext, kb); -+ return status; -+ } -+ return KRB5KRB_ERR_GENERIC; -+ } -+ return 0; -+} -+ -+#define WPSE_MAGIC 0x77707365 -+typedef struct _wpse_req_ctx -+{ -+ int magic; -+ int value; -+} wpse_req_ctx; -+ -+static void -+client_req_init(krb5_context kcontext, void *plugin_context, void **req_context_p) -+{ -+ wpse_req_ctx *ctx; -+ -+ *req_context_p = NULL; -+ -+ /* Allocate a request context. Useful for verifying that we do in fact -+ * do per-request cleanup. */ -+ ctx = (wpse_req_ctx *) malloc(sizeof(*ctx)); -+ if (ctx == NULL) -+ return; -+ ctx->magic = WPSE_MAGIC; -+ ctx->value = 0xc0dec0de; -+ -+ *req_context_p = ctx; -+} -+ -+static void -+client_req_cleanup(krb5_context kcontext, void *plugin_context, void *req_context) -+{ -+ wpse_req_ctx *ctx = (wpse_req_ctx *)req_context; -+ -+ if (ctx) { -+#ifdef DEBUG -+ fprintf(stderr, "client_req_cleanup: req_ctx at %p has magic %x and value %x\n", -+ ctx, ctx->magic, ctx->value); -+#endif -+ if (ctx->magic != WPSE_MAGIC) { -+#ifdef DEBUG -+ fprintf(stderr, "client_req_cleanup: req_context at %p has bad magic value %x\n", -+ ctx, ctx->magic); -+#endif -+ return; -+ } -+ free(ctx); -+ } -+ return; -+} -+ -+/* Free state. */ -+static krb5_error_code -+server_free_pa_request_context(krb5_context kcontext, void *plugin_context, -+ void **request_context) -+{ -+ if (*request_context != NULL) { -+ free(*request_context); -+ *request_context = NULL; -+ } -+ return 0; -+} -+ -+/* Obtain and return any preauthentication data (which is destined for the -+ * client) which matches type data->pa_type. */ -+static krb5_error_code -+server_get_edata(krb5_context kcontext, -+ krb5_kdc_req *request, -+ struct _krb5_db_entry_new *client, -+ struct _krb5_db_entry_new *server, -+ preauth_get_entry_data_proc server_get_entry_data, -+ void *pa_module_context, -+ krb5_pa_data *data) -+{ -+ /* Return zero bytes of data. */ -+ data->length = 0; -+ data->contents = NULL; -+ return 0; -+} -+ -+/* Verify a request from a client. */ -+static krb5_error_code -+server_verify(krb5_context kcontext, -+ struct _krb5_db_entry_new *client, -+ krb5_data *req_pkt, -+ krb5_kdc_req *request, -+ krb5_enc_tkt_part *enc_tkt_reply, -+ krb5_pa_data *data, -+ preauth_get_entry_data_proc server_get_entry_data, -+ void *pa_module_context, -+ void **pa_request_context, -+ krb5_data **e_data) -+{ -+ krb5_int32 nnonce; -+ krb5_data *test_edata; -+ -+ /* Verify the preauth data. */ -+ if (data->length != 4) -+ return KRB5KDC_ERR_PREAUTH_FAILED; -+ memcpy(&nnonce, data->contents, 4); -+ nnonce = ntohl(nnonce); -+ if (memcmp(&nnonce, &request->nonce, 4) != 0) -+ return KRB5KDC_ERR_PREAUTH_FAILED; -+ /* Note that preauthentication succeeded. */ -+ enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; -+ enc_tkt_reply->flags |= TKT_FLG_HW_AUTH; -+ /* Allocate a context. Useful for verifying that we do in fact do -+ * per-request cleanup. */ -+ if (*pa_request_context == NULL) -+ *pa_request_context = malloc(4); -+ -+ /* Return edata to exercise code that handles edata... */ -+ test_edata = malloc(sizeof(*test_edata)); -+ if (test_edata != NULL) { -+ test_edata->data = malloc(20); -+ if (test_edata->data == NULL) { -+ free(test_edata); -+ } else { -+ test_edata->length = 20; -+ memset(test_edata->data, '#', 20); /* fill it with junk */ -+ *e_data = test_edata; -+ } -+ } -+ return 0; -+} -+ -+/* Create the response for a client. */ -+static krb5_error_code -+server_return(krb5_context kcontext, -+ krb5_pa_data *padata, -+ struct _krb5_db_entry_new *client, -+ krb5_data *req_pkt, -+ krb5_kdc_req *request, -+ krb5_kdc_rep *reply, -+ struct _krb5_key_data *client_key, -+ krb5_keyblock *encrypting_key, -+ krb5_pa_data **send_pa, -+ preauth_get_entry_data_proc server_get_entry_data, -+ void *pa_module_context, -+ void **pa_request_context) -+{ -+ /* This module does a couple of dumb things. It tags its reply with -+ * the same type as the initial challenge (expecting the client to sort -+ * out whether there's anything useful in there). Oh, and it replaces -+ * the AS reply key with one which is sent in the clear. */ -+ krb5_keyblock *kb; -+ krb5_int32 enctype; -+ int i; -+ -+ *send_pa = NULL; -+ -+ /* We'll want a key with the first supported enctype. */ -+ for (i = 0; i < request->nktypes; i++) { -+ kb = NULL; -+ if (krb5_init_keyblock(kcontext, request->ktype[i], 0, &kb) == 0) { -+ break; -+ } -+ } -+ if (i >= request->nktypes) { -+ /* No matching cipher type found. */ -+ return 0; -+ } -+ -+ /* Randomize a key and save it for the client. */ -+ if (krb5_c_make_random_key(kcontext, request->ktype[i], kb) != 0) { -+ krb5_free_keyblock(kcontext, kb); -+ return 0; -+ } -+#ifdef DEBUG -+ fprintf(stderr, "Generated random key, type=%d, length=%d.\n", -+ kb->enctype, kb->length); -+#endif -+ -+ *send_pa = malloc(sizeof(krb5_pa_data)); -+ if (*send_pa == NULL) { -+ krb5_free_keyblock(kcontext, kb); -+ return ENOMEM; -+ } -+ (*send_pa)->pa_type = KRB5_PADATA_WPSE_REQ; -+ (*send_pa)->length = 4 + kb->length; -+ (*send_pa)->contents = malloc(4 + kb->length); -+ if ((*send_pa)->contents == NULL) { -+ free(*send_pa); -+ *send_pa = NULL; -+ krb5_free_keyblock(kcontext, kb); -+ return ENOMEM; -+ } -+ -+ /* Store the preauth data. */ -+ enctype = htonl(kb->enctype); -+ memcpy((*send_pa)->contents, &enctype, 4); -+ memcpy((*send_pa)->contents + 4, kb->contents, kb->length); -+ krb5_free_keyblock_contents(kcontext, encrypting_key); -+ krb5_copy_keyblock_contents(kcontext, kb, encrypting_key); -+ -+ /* Clean up. */ -+ krb5_free_keyblock(kcontext, kb); -+ -+ return 0; -+} -+ -+static int -+server_get_flags(krb5_context kcontext, krb5_preauthtype pa_type) -+{ -+ return PA_HARDWARE | PA_REPLACES_KEY; -+} -+ -+static krb5_preauthtype supported_client_pa_types[] = {KRB5_PADATA_WPSE_REQ, 0}; -+static krb5_preauthtype supported_server_pa_types[] = {KRB5_PADATA_WPSE_REQ, 0}; -+ -+struct krb5plugin_preauth_client_ftable_v0 preauthentication_client_0_backport_1_6 = { -+ "wpse", /* name */ -+ &supported_client_pa_types[0], /* pa_type_list */ -+ NULL, /* enctype_list */ -+ client_init, /* plugin init function */ -+ client_fini, /* plugin fini function */ -+ client_get_flags, /* get flags function */ -+ client_req_init, /* request init function */ -+ client_req_cleanup, /* request fini function */ -+ client_process, /* process function */ -+ NULL, /* try_again function */ -+}; -+ -+struct krb5plugin_preauth_server_ftable_v0 preauthentication_server_0_backport_1_6 = { -+ "wpse", -+ &supported_server_pa_types[0], -+ NULL, -+ NULL, -+ server_get_flags, -+ server_get_edata, -+ server_verify, -+ server_return, -+ server_free_pa_request_context, -+}; ---- /dev/null 2007-01-10 09:59:42.964619257 -0500 -+++ krb5/src/plugins/preauth/wpse/wpse.exports -@@ -0,0 +1,2 @@ -+preauthentication_client_0_backport_1_6 -+preauthentication_server_0_backport_1_6 ---- /dev/null 2007-01-10 09:59:42.964619257 -0500 -+++ krb5/src/plugins/preauth/cksum_body/cksum_body.exports -@@ -0,0 +1,2 @@ -+preauthentication_client_0_backport_1_6 -+preauthentication_server_0_backport_1_6 ---- /dev/null 2007-01-10 09:59:42.964619257 -0500 -+++ krb5/src/plugins/preauth/cksum_body/configure.in -@@ -0,0 +1,14 @@ -+K5_AC_INIT(configure.in) -+enable_shared=yes -+build_dynobj=yes -+CONFIG_RULES -+ -+AC_CHECK_HEADERS(errno.h string.h) -+ -+KRB5_RUN_FLAGS -+dnl The following is for check... -+KRB5_BUILD_PROGRAM -+KRB5_BUILD_LIBOBJS -+KRB5_BUILD_LIBRARY_WITH_DEPS -+AC_CONFIG_HEADERS(config.h) -+V5_AC_OUTPUT_MAKEFILE ---- /dev/null 2007-01-10 09:59:42.964619257 -0500 -+++ krb5/src/plugins/preauth/cksum_body/Makefile.in -@@ -0,0 +1,42 @@ -+thisconfigdir=. -+myfulldir=plugins/preauth/cksum_body -+mydir=. -+BUILDTOP=$(REL)..$(S)..$(S).. -+KRB5_RUN_ENV = @KRB5_RUN_ENV@ -+KRB5_CONFIG_SETUP = KRB5_CONFIG=$(SRCTOP)/config-files/krb5.conf ; export KRB5_CONFIG ; -+PROG_LIBPATH=-L$(TOPLIBD) -+PROG_RPATH=$(KRB5_LIBDIR) -+MODULE_INSTALL_DIR = $(KRB5_PA_MODULE_DIR) -+DEFS=@DEFS@ -+ -+LOCALINCLUDES = -I../../../include/krb5 -I. -+ -+LIBBASE=cksum_body -+LIBMAJOR=0 -+LIBMINOR=0 -+SO_EXT=.so -+RELDIR=../plugins/preauth/cksum_body -+# Depends on libk5crypto and libkrb5 -+SHLIB_EXPDEPS = \ -+ $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ -+ $(TOPLIBD)/libkrb5$(SHLIBEXT) -+SHLIB_EXPLIBS= -lkrb5 -lcom_err -lk5crypto $(SUPPORT_LIB) $(LIBS) -+ -+SHLIB_DIRS=-L$(TOPLIBD) -+SHLIB_RDIRS=$(KRB5_LIBDIR) -+STOBJLISTS=OBJS.ST -+STLIBOBJS=cksum_body_main.o -+ -+SRCS= $(srcdir)/cksum_body_main.c -+ -+all-unix:: $(LIBBASE)$(SO_EXT) -+install-unix:: install-libs -+clean-unix:: clean-libs clean-libobjs -+ -+clean:: -+ $(RM) lib$(LIBBASE)$(SO_EXT) -+ -+@libnover_frag@ -+@libobj_frag@ -+ -+# +++ Dependency line eater +++ ---- /dev/null 2007-01-10 09:59:42.964619257 -0500 -+++ krb5/src/plugins/preauth/cksum_body/cksum_body_main.c -@@ -0,0 +1,521 @@ -+/* -+ * Copyright (C) 2006 Red Hat, Inc. -+ * All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions are met: -+ * -+ * * Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * * Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * * Neither the name of Red Hat, Inc., nor the names of its -+ * contributors may be used to endorse or promote products derived -+ * from this software without specific prior written permission. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS -+ * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED -+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A -+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER -+ * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, -+ * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, -+ * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR -+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF -+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING -+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -+ */ -+ -+/* -+ * Checksum the request body with the user's long-term key. -+ * -+ * The e-data from the KDC is a list of network-byte-order 32-bit integers -+ * listing key types which the KDC has for the user. -+ * -+ * The client uses one of these key types to generate a checksum over the body -+ * of the request, and includes the checksum in the AS-REQ as preauthentication -+ * data. -+ * -+ * The AS-REP carries no preauthentication data for this scheme. -+ */ -+ -+#ident "$Id$" -+ -+#ifdef HAVE_CONFIG_H -+#include "config.h" -+#endif -+ -+#ifdef HAVE_ERRNO_H -+#include -+#endif -+#ifdef HAVE_STRING_H -+#include -+#endif -+ -+#include -+#include -+ -+#include -+#include -+ -+/* This is not a standardized value. It's defined here only to make it easier -+ * to change in this module. */ -+#define KRB5_PADATA_CKSUM_BODY_REQ 130 -+ -+struct server_stats{ -+ int successes, failures; -+}; -+ -+static int -+client_get_flags(krb5_context kcontext, krb5_preauthtype pa_type) -+{ -+ return PA_REAL; -+} -+ -+static krb5_error_code -+client_process(krb5_context kcontext, -+ void *client_plugin_context, -+ void *client_request_context, -+ preauth_get_client_data_proc client_get_data_proc, -+ struct _krb5_preauth_client_rock *rock, -+ krb5_kdc_req *request, -+ krb5_data *encoded_request_body, -+ krb5_data *encoded_previous_request, -+ krb5_pa_data *pa_data, -+ krb5_prompter_fct prompter, -+ void *prompter_data, -+ preauth_get_as_key_proc gak_fct, -+ void *gak_data, -+ krb5_data *salt, krb5_data *s2kparams, -+ krb5_keyblock *as_key, -+ krb5_pa_data **out_pa_data) -+{ -+ krb5_pa_data *send_pa; -+ krb5_checksum checksum; -+ krb5_enctype enctype; -+ krb5_cksumtype *cksumtypes; -+ krb5_error_code status = 0; -+ krb5_int32 cksumtype, *enctypes; -+ unsigned int i, n_enctypes, cksumtype_count; -+ -+ memset(&checksum, 0, sizeof(checksum)); -+ -+ /* Get the user's long-term key if we haven't asked for it yet. Try -+ * all of the encryption types which the server supports. */ -+ if (as_key->length == 0) { -+ if ((pa_data != NULL) && (pa_data->length >= 4)) { -+#ifdef DEBUG -+ fprintf(stderr, "%d bytes of preauth data.\n", pa_data->length); -+#endif -+ n_enctypes = pa_data->length / 4; -+ enctypes = (krb5_int32*) pa_data->contents; -+ } else { -+ n_enctypes = request->nktypes; -+ } -+ for (i = 0; i < n_enctypes; i++) { -+ if ((pa_data != NULL) && (pa_data->length >= 4)) { -+ memcpy(&enctype, pa_data->contents + 4 * i, 4); -+ enctype = ntohl(enctype); -+ } else { -+ enctype = request->ktype[i]; -+ } -+#ifdef DEBUG -+ fprintf(stderr, "Asking for AS key (type = %d).\n", enctype); -+#endif -+ status = (*gak_fct)(kcontext, request->client, enctype, -+ prompter, prompter_data, -+ salt, s2kparams, as_key, gak_data); -+ if (status == 0) -+ break; -+ } -+ if (status != 0) -+ return status; -+ } -+#ifdef DEBUG -+ fprintf(stderr, "Got AS key (type = %d).\n", as_key->enctype); -+#endif -+ -+ /* Determine an appropriate checksum type for this key. */ -+ cksumtype_count = 0; -+ cksumtypes = NULL; -+ status = krb5_c_keyed_checksum_types(kcontext, as_key->enctype, -+ &cksumtype_count, &cksumtypes); -+ if (status != 0) -+ return status; -+ -+ /* Generate the checksum. */ -+ for (i = 0; i < cksumtype_count; i++) { -+ status = krb5_c_make_checksum(kcontext, cksumtypes[i], as_key, -+ KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, -+ encoded_request_body, -+ &checksum); -+ if (status == 0) { -+#ifdef DEBUG -+ fprintf(stderr, "Made checksum (type = %d, %d bytes).\n", -+ checksum.checksum_type, encoded_request_body->length); -+#endif -+ break; -+ } -+ } -+ cksumtype = htonl(cksumtypes[i]); -+ krb5_free_cksumtypes(kcontext, cksumtypes); -+ if (status != 0) { -+ if (checksum.length > 0) -+ krb5_free_checksum_contents(kcontext, &checksum); -+ return status; -+ } -+ -+ /* Allocate the preauth data structure. */ -+ send_pa = malloc(sizeof(krb5_pa_data)); -+ if (send_pa == NULL) { -+ krb5_free_checksum_contents(kcontext, &checksum); -+ return ENOMEM; -+ } -+ send_pa->pa_type = KRB5_PADATA_CKSUM_BODY_REQ; -+ send_pa->length = 4 + checksum.length; -+ send_pa->contents = malloc(4 + checksum.length); -+ if (send_pa->contents == NULL) { -+ krb5_free_checksum_contents(kcontext, &checksum); -+ free(send_pa); -+ return ENOMEM; -+ } -+ -+ /* Store the checksum. */ -+ memcpy(send_pa->contents, &cksumtype, 4); -+ memcpy(send_pa->contents + 4, checksum.contents, checksum.length); -+ *out_pa_data = send_pa; -+ -+ /* Clean up. */ -+ krb5_free_checksum_contents(kcontext, &checksum); -+ -+ return 0; -+} -+ -+/* Initialize and tear down the server-side module, and do stat tracking. */ -+static krb5_error_code -+server_init(krb5_context kcontext, void **module_context) -+{ -+ struct server_stats *stats; -+ stats = malloc(sizeof(struct server_stats)); -+ if (stats == NULL) -+ return ENOMEM; -+ stats->successes = 0; -+ stats->failures = 0; -+ *module_context = stats; -+ return 0; -+} -+static void -+server_fini(krb5_context kcontext, void *module_context) -+{ -+ struct server_stats *stats; -+ stats = module_context; -+ if (stats != NULL) { -+#ifdef DEBUG -+ fprintf(stderr, "Total: %d clients failed, %d succeeded.\n", -+ stats->failures, stats->successes); -+#endif -+ free(stats); -+ } -+} -+ -+/* Obtain and return any preauthentication data (which is destined for the -+ * client) which matches type data->pa_type. */ -+static krb5_error_code -+server_get_edata(krb5_context kcontext, -+ krb5_kdc_req *request, -+ struct _krb5_db_entry_new *client, -+ struct _krb5_db_entry_new *server, -+ preauth_get_entry_data_proc server_get_entry_data, -+ void *pa_module_context, -+ krb5_pa_data *data) -+{ -+ krb5_data *key_data; -+ krb5_keyblock *keys, *key; -+ krb5_int32 *enctypes, enctype; -+ int i; -+ -+ /* Retrieve the client's keys. */ -+ key_data = NULL; -+ if ((*server_get_entry_data)(kcontext, request, client, -+ krb5plugin_preauth_keys, &key_data) != 0) { -+#ifdef DEBUG -+ fprintf(stderr, "Error retrieving client keys.\n"); -+#endif -+ return KRB5KDC_ERR_PADATA_TYPE_NOSUPP; -+ } -+ -+ /* Count which types of keys we've got, freeing the contents, which we -+ * don't need at this point. */ -+ keys = (krb5_keyblock *) key_data->data; -+ key = NULL; -+ for (i = 0; keys[i].enctype != 0; i++) -+ krb5_free_keyblock_contents(kcontext, &keys[i]); -+ -+ /* Return the list of encryption types. */ -+ enctypes = malloc((unsigned)i * 4); -+ if (enctypes == NULL) { -+ krb5_free_data(kcontext, key_data); -+ return ENOMEM; -+ } -+#ifdef DEBUG -+ fprintf(stderr, "Supported enctypes = {"); -+#endif -+ for (i = 0; keys[i].enctype != 0; i++) { -+#ifdef DEBUG -+ fprintf(stderr, "%s%d", (i > 0) ? ", " : "", keys[i].enctype); -+#endif -+ enctype = htonl(keys[i].enctype); -+ memcpy(&enctypes[i], &enctype, 4); -+ } -+#ifdef DEBUG -+ fprintf(stderr, "}.\n"); -+#endif -+ data->pa_type = KRB5_PADATA_CKSUM_BODY_REQ; -+ data->length = (i * 4); -+ data->contents = (unsigned char *) enctypes; -+ krb5_free_data(kcontext, key_data); -+ return 0; -+} -+ -+/* Verify a request from a client. */ -+static krb5_error_code -+server_verify(krb5_context kcontext, -+ struct _krb5_db_entry_new *client, -+ krb5_data *req_pkt, -+ krb5_kdc_req *request, -+ krb5_enc_tkt_part *enc_tkt_reply, -+ krb5_pa_data *data, -+ preauth_get_entry_data_proc server_get_entry_data, -+ void *pa_module_context, -+ void **pa_request_context, -+ krb5_data **e_data) -+{ -+ krb5_int32 cksumtype; -+ krb5_checksum checksum; -+ krb5_boolean valid; -+ krb5_data *key_data, *req_body; -+ krb5_keyblock *keys, *key; -+ size_t length; -+ int i; -+ unsigned int j, cksumtypes_count; -+ krb5_cksumtype *cksumtypes; -+ krb5_error_code status; -+ struct server_stats *stats; -+ krb5_data *test_edata; -+ -+ stats = pa_module_context; -+ -+ /* Verify the preauth data. Start with the checksum type. */ -+ if (data->length < 4) { -+ stats->failures++; -+ return KRB5KDC_ERR_PREAUTH_FAILED; -+ } -+ memcpy(&cksumtype, data->contents, 4); -+ memset(&checksum, 0, sizeof(checksum)); -+ checksum.checksum_type = ntohl(cksumtype); -+ -+ /* Verify that the amount of data we have left is what we expect. */ -+ if (krb5_c_checksum_length(kcontext, checksum.checksum_type, -+ &length) != 0) { -+#ifdef DEBUG -+ fprintf(stderr, "Error determining checksum size (type = %d). " -+ "Is it supported?\n", checksum.checksum_type); -+#endif -+ stats->failures++; -+ return KRB5KDC_ERR_SUMTYPE_NOSUPP; -+ } -+ if (data->length - 4 != length) { -+#ifdef DEBUG -+ fprintf(stderr, "Checksum size doesn't match client packet size.\n"); -+#endif -+ stats->failures++; -+ return KRB5KDC_ERR_PREAUTH_FAILED; -+ } -+ checksum.length = length; -+ -+ /* Pull up the client's keys. */ -+ key_data = NULL; -+ if ((*server_get_entry_data)(kcontext, request, client, -+ krb5plugin_preauth_keys, &key_data) != 0) { -+#ifdef DEBUG -+ fprintf(stderr, "Error retrieving client keys.\n"); -+#endif -+ stats->failures++; -+ return KRB5KDC_ERR_PREAUTH_FAILED; -+ } -+ -+ /* Find the key which would have been used to generate the checksum. */ -+ keys = (krb5_keyblock *) key_data->data; -+ key = NULL; -+ for (i = 0; keys[i].enctype != 0; i++) { -+ key = &keys[i]; -+ cksumtypes_count = 0; -+ cksumtypes = NULL; -+ if (krb5_c_keyed_checksum_types(kcontext, key->enctype, -+ &cksumtypes_count, &cksumtypes) != 0) -+ continue; -+ for (j = 0; j < cksumtypes_count; j++) { -+ if (cksumtypes[j] == checksum.checksum_type) -+ break; -+ } -+ if (cksumtypes != NULL) -+ krb5_free_cksumtypes(kcontext, cksumtypes); -+ if (j < cksumtypes_count) { -+#ifdef DEBUG -+ fprintf(stderr, "Found checksum key.\n"); -+#endif -+ break; -+ } -+ } -+ if ((key == NULL) || (key->enctype == 0)) { -+ for (i = 0; keys[i].enctype != 0; i++) -+ krb5_free_keyblock_contents(kcontext, &keys[i]); -+ krb5_free_data(kcontext, key_data); -+ stats->failures++; -+ return KRB5KDC_ERR_SUMTYPE_NOSUPP; -+ } -+ -+ /* Save a copy of the key. */ -+ if (krb5_copy_keyblock(kcontext, &keys[i], &key) != 0) { -+ for (i = 0; keys[i].enctype != 0; i++) -+ krb5_free_keyblock_contents(kcontext, &keys[i]); -+ krb5_free_data(kcontext, key_data); -+ stats->failures++; -+ return KRB5KDC_ERR_SUMTYPE_NOSUPP; -+ } -+ for (i = 0; keys[i].enctype != 0; i++) -+ krb5_free_keyblock_contents(kcontext, &keys[i]); -+ krb5_free_data(kcontext, key_data); -+ -+ /* Rebuild a copy of the client's request-body. If we were serious -+ * about doing this with any chance of working interoperability, we'd -+ * extract the structure directly from the req_pkt structure. This -+ * will probably work if it's us on both ends, though. */ -+ req_body = NULL; -+ if ((*server_get_entry_data)(kcontext, request, client, -+ krb5plugin_preauth_request_body, -+ &req_body) != 0) { -+ krb5_free_keyblock(kcontext, key); -+ stats->failures++; -+ return KRB5KDC_ERR_PREAUTH_FAILED; -+ } -+ -+#ifdef DEBUG -+ fprintf(stderr, "AS key type %d, checksum type %d, %d bytes.\n", -+ key->enctype, checksum.checksum_type, req_body->length); -+#endif -+ -+ /* Verify the checksum itself. */ -+ checksum.contents = data->contents + 4; -+ valid = FALSE; -+ status = krb5_c_verify_checksum(kcontext, key, -+ KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM, -+ req_body, &checksum, &valid); -+ -+ /* Clean up. */ -+ krb5_free_data(kcontext, req_body); -+ krb5_free_keyblock(kcontext, key); -+ -+ /* Evaluate our results. */ -+ if ((status != 0) || (!valid)) { -+#ifdef DEBUG -+ if (status != 0) { -+ fprintf(stderr, "Error in checksum verification.\n"); -+ } else { -+ fprintf(stderr, "Checksum mismatch.\n"); -+ } -+#endif -+ /* Return edata to exercise code that handles edata... */ -+ test_edata = malloc(sizeof(*test_edata)); -+ if (test_edata != NULL) { -+ test_edata->data = malloc(20); -+ if (test_edata->data == NULL) { -+ free(test_edata); -+ } else { -+ test_edata->length = 20; -+ memset(test_edata->data, 'F', 20); /* fill it with junk */ -+ *e_data = test_edata; -+ } -+ } -+ stats->failures++; -+ return KRB5KDC_ERR_PREAUTH_FAILED; -+ } -+ -+ /* Return edata to exercise code that handles edata... */ -+ test_edata = malloc(sizeof(*test_edata)); -+ if (test_edata != NULL) { -+ test_edata->data = malloc(20); -+ if (test_edata->data == NULL) { -+ free(test_edata); -+ } else { -+ test_edata->length = 20; -+ memset(test_edata->data, 'S', 20); /* fill it with junk */ -+ *e_data = test_edata; -+ } -+ } -+ -+ /* Note that preauthentication succeeded. */ -+ enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; -+ stats->successes++; -+ return 0; -+} -+ -+/* Create the response for a client. */ -+static krb5_error_code -+server_return(krb5_context kcontext, -+ krb5_pa_data *padata, -+ struct _krb5_db_entry_new *client, -+ krb5_data *req_pkt, -+ krb5_kdc_req *request, -+ krb5_kdc_rep *reply, -+ struct _krb5_key_data *client_key, -+ krb5_keyblock *encrypting_key, -+ krb5_pa_data **send_pa, -+ preauth_get_entry_data_proc server_get_entry_data, -+ void *pa_module_context, -+ void **pa_request_context) -+{ -+ /* We don't need to send data back on the return trip. */ -+ *send_pa = NULL; -+ return 0; -+} -+ -+static int -+server_get_flags(krb5_context kcontext, krb5_preauthtype pa_type) -+{ -+ return PA_SUFFICIENT; -+} -+ -+static krb5_preauthtype supported_client_pa_types[] = { -+ KRB5_PADATA_CKSUM_BODY_REQ, 0, -+}; -+static krb5_preauthtype supported_server_pa_types[] = { -+ KRB5_PADATA_CKSUM_BODY_REQ, 0, -+}; -+ -+struct krb5plugin_preauth_client_ftable_v0 preauthentication_client_0_backport_1_6 = { -+ "cksum_body", /* name */ -+ &supported_client_pa_types[0], /* pa_type_list */ -+ NULL, /* enctype_list */ -+ NULL, /* plugin init function */ -+ NULL, /* plugin fini function */ -+ client_get_flags, /* get flags function */ -+ NULL, /* request init function */ -+ NULL, /* request fini function */ -+ client_process, /* process function */ -+ NULL, /* try_again function */ -+}; -+ -+struct krb5plugin_preauth_server_ftable_v0 preauthentication_server_0_backport_1_6 = { -+ "cksum_body", -+ &supported_server_pa_types[0], -+ server_init, -+ server_fini, -+ server_get_flags, -+ server_get_edata, -+ server_verify, -+ server_return, -+ NULL -+}; ---- krb5/src/configure.in -+++ krb5/src/configure.in -@@ -900,7 +900,7 @@ fi - if test -n "$KRB4_LIB"; then - K5_GEN_MAKEFILE(lib/krb4) - fi --AC_CONFIG_SUBDIRS(lib/apputils plugins/kdb/db2 appl tests) -+AC_CONFIG_SUBDIRS(lib/apputils plugins/kdb/db2 plugins/preauth/wpse plugins/preauth/cksum_body appl tests) - dnl - if false; then - AC_CHECK_HEADERS(Python.h python2.3/Python.h) ---- krb5/src/Makefile.in -+++ krb5/src/Makefile.in -@@ -3,8 +3,8 @@ datadir=@datadir@ - thisconfigdir=. - myfulldir=. - mydir=. --# Don't build sample by default: plugins/locate/python --SUBDIRS=util include lib @krb524@ kdc kadmin slave clients \ -+# Don't build sample by default: plugins/locate/python plugins/preauth/wpse plugins/preauth/cksum_body -+SUBDIRS=util include lib @krb524@ kdc kadmin slave clients \ - plugins/kdb/db2 \ - appl tests \ - config-files gen-manpages ---- krb5/src/config-files/krb5.conf.M -+++ krb5/src/config-files/krb5.conf.M -@@ -156,6 +156,12 @@ libraries, use a value of 3 to use the C - instead. This field is ignored when its value is incompatible with - the session key type. - -+.IP preferred_preauth_types -+This allows you to set the preferred preauthentication types which the -+client will attempt before others which may be advertised by a KDC. The -+default value for this setting is "17, 16, 15, 14", which forces libkrb5 -+to attempt to use PKINIT if it is supported. -+ - .IP ccache_type - User this parameter on systems which are DCE clients, to specify the - type of cache to be created by kinit, or when forwarded tickets are -@@ -169,7 +175,7 @@ Specifies the location of the Kerberos V - "/etc/srvtab". - - .IP krb4_config --Specifies the location of hte Kerberos V4 configuration file. Default -+Specifies the location of the Kerberos V4 configuration file. Default - is "/etc/krb.conf". - - .IP krb4_realms diff --git a/krb5-1.6-buildconf.patch b/krb5-1.6-buildconf.patch deleted file mode 100644 index d95f6aa..0000000 --- a/krb5-1.6-buildconf.patch +++ /dev/null @@ -1,50 +0,0 @@ -Don't let an RPATH into any of the binaries we build here. While we're -tinkering with linker flags, prune out the -L/usr/lib* and PIE flags where -they might leak out and affect apps which use the libraries. - ---- krb5-1.5/src/aclocal.m4 2006-05-24 06:29:25.000000000 -0400 -+++ krb5-1.5/src/aclocal.m4 2006-07-05 14:31:04.000000000 -0400 -@@ -1184,6 +1184,7 @@ - [AC_REQUIRE([KRB5_LIB_AUX])dnl - AC_REQUIRE([KRB5_AC_NEED_LIBGEN])dnl - AC_SUBST(CC_LINK) -+RPATH_FLAG= - AC_SUBST(RPATH_FLAG) - AC_SUBST(DEPLIBEXT)]) - ---- krb5-1.5/src/krb5-config.in 2006-06-15 20:26:49.000000000 -0400 -+++ krb5-1.5/src/krb5-config.in 2006-07-05 14:31:04.000000000 -0400 -@@ -186,6 +186,11 @@ - -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \ - -e 's#\$(CFLAGS)#'"$CFLAGS"'#'` - -+ if test `dirname $libdir` = /usr ; then -+ lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"` -+ fi -+ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##" -e "s#-pie##"` -+ - if test $library = 'kdb'; then - lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB" - library=krb5 ---- krb5-1.5/src/config/shlib.conf 2006-06-16 01:53:34.000000000 -0400 -+++ krb5-1.5/src/config/shlib.conf 2006-07-05 14:31:04.000000000 -0400 -@@ -371,14 +371,15 @@ - # Use objdump -x to examine the fields of the library - LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(LDFLAGS)' - # -- LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(SRCTOP)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@' -+ LDCOMBINE_TAIL='-Wl,--version-script binutils.versions -Wl,-E && $(PERL) -w $(SRCTOP)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@' - SHLIB_EXPORT_FILE_DEP=binutils.versions - # For cases where we do have dependencies on other libraries - # built in this tree... -- SHLIB_EXPFLAGS='-Wl,-R$(SHLIB_RDIRS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)' -+ SHLIB_EXPFLAGS='$(SHLIB_DIRS) $(SHLIB_EXPLIBS)' - PROFFLAGS=-pg -- RPATH_FLAG='-Wl,-rpath -Wl,' -- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(RPATH_FLAG)$(PROG_RPATH) $(CFLAGS) $(LDFLAGS)' -+ RPATH_FLAG='-L' -+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(CFLAGS) -pie $(LDFLAGS)' -+ INSTALL_SHLIB='${INSTALL} -m755' - CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)' - RUN_ENV='LD_LIBRARY_PATH=`echo $(PROG_LIBPATH) | sed -e "s/-L//g" -e "s/ /:/g"`; export LD_LIBRARY_PATH; ' - diff --git a/krb5-1.6-ldap-init.patch b/krb5-1.6-ldap-init.patch deleted file mode 100644 index d627752..0000000 --- a/krb5-1.6-ldap-init.patch +++ /dev/null @@ -1,14 +0,0 @@ -Index: src/lib/krb5/asn.1/ldap_key_seq.c -=================================================================== ---- src/lib/krb5/asn.1/ldap_key_seq.c (revision 19509) -+++ src/lib/krb5/asn.1/ldap_key_seq.c (working copy) -@@ -341,7 +341,8 @@ - if (asn1buf_remains(&slt, 0) != 0) { /* Salt value is optional */ - ret = decode_tagged_octetstring (&slt, 1, &keylen, - &key->key_data_contents[1]); checkerr; -- } -+ } else -+ keylen = 0; - safe_syncbuf (&subbuf, &slt); - key->key_data_length[1] = keylen; /* XXX range check?? */ - diff --git a/krb5-1.6-ldap-man.patch b/krb5-1.6-ldap-man.patch deleted file mode 100644 index 4f10ae9..0000000 --- a/krb5-1.6-ldap-man.patch +++ /dev/null @@ -1,22 +0,0 @@ -Index: src/config-files/krb5.conf.M -=================================================================== ---- src/config-files/krb5.conf.M (revision 19507) -+++ src/config-files/krb5.conf.M (working copy) -@@ -600,7 +600,7 @@ - objects used for starting the Kerberos servers. This value is used if no - service password file is mentioned in the configuration section under dbmodules. - --.IP ldap_server -+.IP ldap_servers - This LDAP specific tag indicates the list of LDAP servers. The list of LDAP servers - is whitespace-separated. The LDAP server is specified by a LDAP URI. - This value is used if no LDAP servers are mentioned in the configuration -@@ -641,7 +641,7 @@ - This LDAP specific tag indicates the file containing the stashed passwords for the - objects used for starting the Kerberos servers. - --.IP ldap_server -+.IP ldap_servers - This LDAP specific tag indicates the list of LDAP servers. The list of LDAP servers - is whitespace-separated. The LDAP server is specified by a LDAP URI. - diff --git a/krb5-1.6-nodeplibs.patch b/krb5-1.6-nodeplibs.patch deleted file mode 100644 index eeb7642..0000000 --- a/krb5-1.6-nodeplibs.patch +++ /dev/null @@ -1,15 +0,0 @@ -Omit extra libraries because their interfaces aren't exposed to applications -by libkrb5. Discussion on krbdev suggests that this will be controlled one -way or another by the --deps flag in future upstream releases. - ---- krb5-1.6/src/krb5-config.in.extralibs 2007-05-15 15:00:15.000000000 -0500 -+++ krb5-1.6/src/krb5-config.in 2007-05-15 15:07:04.000000000 -0500 -@@ -222,7 +222,7 @@ - fi - - if test $library = 'krb5'; then -- lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" -+ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err" - fi - - echo $lib_flags diff --git a/krb5-1.6-sort-of-static.patch b/krb5-1.6-sort-of-static.patch deleted file mode 100644 index 70121e4..0000000 --- a/krb5-1.6-sort-of-static.patch +++ /dev/null @@ -1,92 +0,0 @@ -Allow static libraries to be built. Force plugins to only be built as -shared objects. This doesn't *really* fix static linking, but it should -parallel glibc and its nsswitch modules -- applications can pull in -static copies of this library, but they'll still try to use any -available plugins. The current set of plugin interfaces include KDC -location (used by clients), preauthentication plugins (used by clients -and KDCs), and KDB plugins (used by KDCs). - -N.B. This is only a stop-gap for systems which used to include krb5 1.5 -(which we packaged with static libraries enabled) and are now being -upgraded to 1.6, and I expect to stop bothering for future releases. - ---- krb5-1.6/src/plugins/kdb/db2/configure.in 2005-10-27 05:38:05.000000000 -0400 -+++ krb5-1.6/src/plugins/kdb/db2/configure.in 2007-02-28 14:51:14.000000000 -0500 -@@ -1,5 +1,6 @@ - K5_AC_INIT(configure.in) - enable_shared=yes -+enable_static=no - build_dynobj=yes - CONFIG_RULES - AC_CHECK_HEADERS(unistd.h) ---- krb5-1.6/src/plugins/kdb/db2/libdb2/configure.in 2006-04-24 20:29:56.000000000 -0400 -+++ krb5-1.6/src/plugins/kdb/db2/libdb2/configure.in 2007-02-28 14:51:14.000000000 -0500 -@@ -1,5 +1,7 @@ - K5_AC_INIT(db/db.c) - AC_CONFIG_HEADER(include/config.h include/db-config.h) -+enable_shared=yes -+enable_static=no - build_dynobj=yes - CONFIG_RULES - ---- krb5-1.6/src/plugins/kdb/ldap/libkdb_ldap/configure.in 2006-08-31 17:17:34.000000000 -0400 -+++ krb5-1.6/src/plugins/kdb/ldap/libkdb_ldap/configure.in 2007-02-28 14:51:14.000000000 -0500 -@@ -1,4 +1,7 @@ - K5_AC_INIT(configure.in) -+enable_shared=yes -+enable_static=no -+build_dynobj=yes - CONFIG_RULES - AC_CHECK_HEADERS(unistd.h) - AC_TYPE_MODE_T ---- krb5-1.6/src/plugins/locate/python/configure.in 2006-01-10 19:36:36.000000000 -0500 -+++ krb5-1.6/src/plugins/locate/python/configure.in 2007-02-28 14:51:14.000000000 -0500 -@@ -1,5 +1,6 @@ - K5_AC_INIT(configure.in) - enable_shared=yes -+enable_static=no - build_dynobj=yes - CONFIG_RULES - AC_CHECK_HEADERS(Python.h python2.3/Python.h) ---- krb5-1.6/src/plugins/preauth/wpse/configure.in 2006-10-03 15:07:17.000000000 -0400 -+++ krb5-1.6/src/plugins/preauth/wpse/configure.in 2007-02-28 14:51:14.000000000 -0500 -@@ -1,5 +1,6 @@ - K5_AC_INIT(configure.in) - enable_shared=yes -+enable_static=no - build_dynobj=yes - CONFIG_RULES - ---- krb5-1.6/src/plugins/preauth/cksum_body/configure.in 2006-10-03 15:07:17.000000000 -0400 -+++ krb5-1.6/src/plugins/preauth/cksum_body/configure.in 2007-02-28 14:51:14.000000000 -0500 -@@ -1,5 +1,6 @@ - K5_AC_INIT(configure.in) - enable_shared=yes -+enable_static=no - build_dynobj=yes - CONFIG_RULES - ---- krb5-1.6/src/aclocal.m4 2006-10-02 18:50:10.000000000 -0400 -+++ krb5-1.6/src/aclocal.m4 2007-02-28 14:51:14.000000000 -0500 -@@ -1226,10 +1226,6 @@ - AC_ARG_ENABLE([static],, , - [enable_static=$default_static]) - --if test "$enable_static" = yes; then -- AC_MSG_ERROR([Sorry, static libraries do not work in this release.]) --fi -- - if test "$enable_static" = no && test "$krb5_force_static" != yes; then - AC_MSG_NOTICE([disabling static libraries]) - LIBLINKS= -@@ -1254,10 +1250,6 @@ - , , - [enable_shared=$default_shared]) - --if test "$enable_shared" != yes; then -- AC_MSG_ERROR([Sorry, this release builds only shared libraries, cannot disable them.]) --fi -- - if test "$enable_shared" = yes; then - case "$SHLIBEXT" in - .so-nobuild) diff --git a/krb5-1.6.1-pam.patch b/krb5-1.6.1-pam.patch deleted file mode 100644 index 88bbb48..0000000 --- a/krb5-1.6.1-pam.patch +++ /dev/null @@ -1,1241 +0,0 @@ -Modify krshd so that it performs PAM account and session management. It -must now always fork so that it can always clean up the session. The -PAM session is opened and credentials initialized after any forwarded -credentials are stored to disk and before access to the user's home -directory is attempted. The default service name is "kshell" or -"ekshell", depending on whether or not encryption is in use, to avoid a -dependency or conflict on the plain rsh server's configuration file. At -run-time, krshd's behavior can be reset to the earlier, non-PAM behavior -by setting "use_pam" to false in the [rshd] section of /etc/krb5.conf. - -Modify ftpd so that authentication with a plaintext password goes -through PAM, and it performs PAM account and session management. The -PAM session is opened and credentials initialized after any forwarded -credentials are stored to disk. The default service name is "gssftp", -mainly to avoid conflicts with other FTP servers' configuration files. -At run-time, krshd's behavior can be reset to the earlier, non-PAM -behavior by setting "use_pam" to false in the [ftpd] section of -/etc/krb5.conf. - -Modify login so that instead of directly obtaining v5 or v4 credentials -or running aklog, it calls PAM for authentication if strong -authentication hasn't already been performed, so that it performs -account management using PAM (prompting for a password change if need -be), and that it performs session management. The PAM session is opened -and credentials initialized after any forwarded credentials are stored -to disk. The default service name is "login", because its configuration -is pretty much always going to be there. At run-time, login's behavior -can be reset to the earlier, non-PAM behavior by setting "use_pam" to -false in the [login] section of /etc/krb5.conf. - -Modify ksu so that it performs account and session management for the -target user account, mimicking the action of regular su. The default -service name is "ksu", because on Fedora at least the configuration used -is determined by whether or not a login shell is being opened, and so -this may need to vary, too. At run-time, ksu's behavior can be reset to -the earlier, non-PAM behavior by setting "use_pam" to false in the [ksu] -section of /etc/krb5.conf. - -When enabled, ftpd, krshd, login.krb5, and ksu gain dependence on libpam. - ---- krb5-1.6.1/src/appl/bsd/configure.in 2006-03-27 23:35:02.000000000 -0500 -+++ krb5-1.6.1/src/appl/bsd/configure.in 2007-06-21 17:39:57.000000000 -0400 -@@ -24,6 +24,7 @@ AC_CHECK_LIB(odm,main, - AC_CHECK_LIB(cfg,main, - LOGINLIBS="$LOGINLIBS -lodm -ls -lcfg" - ))) -+KRB5_WITH_PAM - dnl - dnl Make our operating system-specific security checks and definitions for - dnl login. ---- krb5-1.6.1/src/appl/bsd/krshd.c 2006-10-15 03:50:16.000000000 -0400 -+++ krb5-1.6.1/src/appl/bsd/krshd.c 2007-06-22 14:28:57.000000000 -0400 -@@ -185,6 +185,10 @@ Key_schedule v4_schedule; - #include - #endif - -+#ifdef USE_PAM -+#include "pam.h" -+#endif -+ - #ifndef MAXDNAME - #define MAXDNAME 256 /*per the rfc*/ - #endif -@@ -205,6 +209,7 @@ void fatal(int, const char *); - - int require_encrypt = 0; - int do_encrypt = 0; -+int force_fork = 0; - int anyport = 0; - char *kprogdir = KPROGDIR; - int netf; -@@ -1085,14 +1090,6 @@ void doit(f, fromp) - } - #endif /*CRAY*/ - -- if (chdir(pwd->pw_dir) < 0) { -- if(chdir("/") < 0) { -- error("No remote directory.\n"); -- goto signout_please; -- } -- pwd->pw_dir = "/"; -- } -- - #ifdef KERBEROS - - #if defined(KRB5_KRB4_COMPAT) && !defined(ALWAYS_V5_KUSEROK) -@@ -1151,11 +1148,51 @@ void doit(f, fromp) - goto signout_please; - } - -+#ifdef USE_PAM -+ if (appl_pam_enabled(bsd_context, "rshd")) { -+ if (appl_pam_acct_mgmt(do_encrypt ? -+ EKSHELL_PAM_SERVICE : -+ KSHELL_PAM_SERVICE, -+ 0, -+ locuser, -+ "", -+ hostname, -+ NULL, -+ do_encrypt ? -+ EKSHELL_PAM_SERVICE : -+ KSHELL_PAM_SERVICE) != 0) { -+ error("Login denied.\n"); -+ goto signout_please; -+ } -+ if (appl_pam_requires_chauthtok()) { -+ error("Password change required, but not possible over rsh.\n"); -+ goto signout_please; -+ } -+ force_fork = 1; -+ appl_pam_set_forwarded_ccname(getenv("KRB5CCNAME")); -+ if (appl_pam_session_open() != 0) { -+ error("Login failure.\n"); -+ goto signout_please; -+ } -+ if (appl_pam_cred_init()) { -+ error("Login failure.\n"); -+ goto signout_please; -+ } -+ } else -+#endif - if (pwd->pw_uid && !access(NOLOGIN, F_OK)) { - error("Logins currently disabled.\n"); - goto signout_please; - } - -+ if (chdir(pwd->pw_dir) < 0) { -+ if (chdir("/") < 0) { -+ error("No remote directory.\n"); -+ goto signout_please; -+ } -+ pwd->pw_dir = "/"; -+ } -+ - /* Log access to account */ - pwd = (struct passwd *) getpwnam(locuser); - if (pwd && (pwd->pw_uid == 0)) { -@@ -1195,7 +1231,7 @@ void doit(f, fromp) - - (void) write(2, "", 1); - -- if (port||do_encrypt) { -+ if (port||do_encrypt||force_fork) { - if (port&&(pipe(pv) < 0)) { - error("Can't make pipe.\n"); - goto signout_please; -@@ -1507,6 +1543,15 @@ void doit(f, fromp) - - environ = envinit; - -+#ifdef USE_PAM -+ if (appl_pam_enabled(bsd_context, "rshd")) { -+ if (appl_pam_setenv() != 0) { -+ error("Login failure.\n"); -+ goto signout_please; -+ } -+ } -+#endif -+ - #ifdef KERBEROS - /* To make Kerberos rcp work correctly, we must ensure that we - invoke Kerberos rcp on this end, not normal rcp, even if the ---- krb5-1.6.1/src/appl/bsd/Makefile.in 2006-10-06 17:17:56.000000000 -0400 -+++ krb5-1.6.1/src/appl/bsd/Makefile.in 2007-06-21 17:39:57.000000000 -0400 -@@ -14,13 +14,14 @@ LIBOBJS=@LIBOBJS@ - V4RCP=@V4RCP@ - V4RCPO=@V4RCPO@ - KRSHDLIBS=@KRSHDLIBS@ -+PAMOBJS=pam.o - - SRCS= $(srcdir)/krcp.c $(srcdir)/krlogin.c $(srcdir)/krsh.c $(srcdir)/kcmd.c \ - $(srcdir)/forward.c $(srcdir)/compat_recv.c \ - $(srcdir)/login.c $(srcdir)/krshd.c $(srcdir)/krlogind.c \ - $(srcdir)/v4rcp.c - OBJS= krcp.o krlogin.o krsh.o kcmd.o forward.o compat_recv.o $(SETENVOBJ) \ -- login.o krshd.o krlogind.o $(V4RCPO) $(LIBOBJS) -+ login.o krshd.o krlogind.o $(V4RCPO) $(LIBOBJS) $(PAMOBJS) - - UCB_RLOGIN = @UCB_RLOGIN@ - UCB_RSH = @UCB_RSH@ -@@ -66,8 +67,8 @@ install:: - ${DESTDIR}$(CLIENT_MANDIR)/`echo $$f|sed '$(transform)'`.1; \ - fi - --kshd: krshd.o kcmd.o forward.o compat_recv.o $(SETENVOBJ) $(LIBOBJS) $(PTY_DEPLIB) $(KRB4COMPAT_DEPLIBS) $(APPUTILS_DEPLIB) -- $(CC_LINK) -o kshd krshd.o kcmd.o forward.o compat_recv.o $(SETENVOBJ) $(LIBOBJS) $(KRSHDLIBS) $(PTY_LIB) $(UTIL_LIB) $(KRB4COMPAT_LIBS) $(APPUTILS_LIB) -+kshd: krshd.o kcmd.o forward.o compat_recv.o $(SETENVOBJ) $(PAMOBJS) $(LIBOBJS) $(PTY_DEPLIB) $(KRB4COMPAT_DEPLIBS) $(APPUTILS_DEPLIB) -+ $(CC_LINK) -o kshd krshd.o kcmd.o forward.o compat_recv.o $(PAMOBJS) $(SETENVOBJ) $(LIBOBJS) $(KRSHDLIBS) $(PTY_LIB) $(UTIL_LIB) $(KRB4COMPAT_LIBS) $(PAM_LIBS) $(APPUTILS_LIB) - - klogind: krlogind.o kcmd.o forward.o compat_recv.o $(SETENVOBJ) $(LIBOBJS) $(PTY_DEPLIB) $(KRB4COMPAT_DEPLIBS) $(APPUTILS_DEPLIB) - $(CC_LINK) -o klogind krlogind.o kcmd.o forward.o compat_recv.o $(SETENVOBJ) $(LIBOBJS) $(PTY_LIB) $(UTIL_LIB) $(KRB4COMPAT_LIBS) $(APPUTILS_LIB) -@@ -84,8 +85,8 @@ install:: - # No program name transformation is done with login.krb5 since it is directly - # referenced by klogind. - # --login.krb5: login.o $(SETENVOBJ) $(LIBOBJS) $(PTY_DEPLIB) $(KRB4COMPAT_DEPLIBS) -- $(CC_LINK) -o login.krb5 login.o $(SETENVOBJ) $(LIBOBJS) $(LOGINLIBS) $(PTY_LIB) $(KRB4COMPAT_LIBS) -+login.krb5: login.o $(SETENVOBJ) $(PAMOBJS) $(LIBOBJS) $(PTY_DEPLIB) $(KRB4COMPAT_DEPLIBS) -+ $(CC_LINK) -o login.krb5 login.o $(SETENVOBJ) $(PAMOBJS) $(LIBOBJS) $(LOGINLIBS) $(PTY_LIB) $(KRB4COMPAT_LIBS) $(PAM_LIBS) - - install:: - $(INSTALL_PROGRAM) login.krb5 $(DESTDIR)$(SERVER_BINDIR)/login.krb5 ---- krb5-1.6.1/src/appl/bsd/login.c 2006-08-08 15:26:40.000000000 -0400 -+++ krb5-1.6.1/src/appl/bsd/login.c 2007-06-22 14:09:41.000000000 -0400 -@@ -159,6 +159,11 @@ typedef sigtype (*handler)(); - #include "osconf.h" - #endif /* KRB5_GET_TICKETS */ - -+#ifdef USE_PAM -+#include "pam.h" -+int login_use_pam = 1; -+#endif -+ - #ifdef KRB4_KLOGIN - /* support for running under v4 klogind, -k -K flags */ - #define KRB4 -@@ -351,6 +356,9 @@ static struct login_confs { - char *flagname; - int *flag; - } login_conf_set[] = { -+#ifdef USE_PAM -+ {USE_PAM_CONFIGURATION_KEYWORD, &login_use_pam}, -+#endif - #ifdef KRB5_GET_TICKETS - {"krb5_get_tickets", &login_krb5_get_tickets}, - #endif -@@ -1292,6 +1300,20 @@ int main(argc, argv) - if (!unix_needs_passwd()) - break; - -+#ifdef USE_PAM -+ if (login_use_pam) { -+ if (appl_pam_authenticate(LOGIN_PAM_SERVICE, 1, username, "", -+ hostname, -+ NULL, -+ ttyname(STDIN_FILENO)) == PAM_SUCCESS) { -+ break; -+ } else { -+ /* the goto target label is in a different nesting scope, but -+ * it's roughly where we want to land */ -+ goto bad_login; -+ } -+ } -+#endif - /* we have several sets of code: - 1) get v5 tickets alone -DKRB5_GET_TICKETS - 2) get v4 tickets alone [** don't! only get them *with* v5 **] -@@ -1406,6 +1427,24 @@ int main(argc, argv) - /* committed to login -- turn off timeout */ - (void) alarm((u_int) 0); - -+#ifdef USE_PAM -+ if (login_use_pam) { -+ if (appl_pam_acct_mgmt(LOGIN_PAM_SERVICE, 1, username, "", -+ hostname, NULL, ttyname(STDIN_FILENO)) != 0) { -+ printf("Login incorrect\n"); -+ sleepexit(1); -+ } -+ if (appl_pam_requires_chauthtok()) { -+ if (appl_pam_chauthtok() != 0) { -+ printf("Failed to change password.\n"); -+ sleepexit(1); -+ } -+ } -+ } else { -+ /* the "else" here is the non-PAM behavior which continues until the -+ * next ifdef USE_PAM block, as of this writing more or less -+ * duplicating the work of pam_securetty and an OQUOTA check */ -+#endif - /* - * If valid so far and root is logging in, see if root logins on - * this terminal are permitted. -@@ -1446,6 +1487,21 @@ int main(argc, argv) - sleepexit(0); - } - #endif -+#ifdef USE_PAM -+ } -+#endif /* USE_PAM */ -+ -+#ifdef USE_PAM -+ if (login_use_pam) { -+ appl_pam_set_forwarded_ccname(getenv("KRB5CCNAME")); -+ if (appl_pam_session_open() != 0) { -+ sleepexit(1); -+ } -+ if (appl_pam_cred_init() != 0) { -+ sleepexit(1); -+ } -+ } -+#endif /* USE_PAM */ - - if (chdir(pwd->pw_dir) < 0) { - printf("No directory %s!\n", pwd->pw_dir); -@@ -1792,6 +1846,11 @@ int main(argc, argv) - } - #endif /* KRB5_GET_TICKETS */ - -+#ifdef USE_PAM -+ if (login_use_pam) -+ appl_pam_setenv(); -+#endif -+ - if (tty[sizeof("tty")-1] == 'd') - syslog(LOG_INFO, "DIALUP %s, %s", tty, pwd->pw_name); - if (pwd->pw_uid == 0) ---- /dev/null 2007-06-22 10:29:46.741860805 -0400 -+++ krb5-1.6.1/src/appl/bsd/pam.c 2007-06-22 14:22:10.000000000 -0400 -@@ -0,0 +1,433 @@ -+/* -+ * src/appl/bsd/pam.c -+ * -+ * Copyright 2007,2009 Red Hat, Inc. -+ * -+ * All Rights Reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions are met: -+ * -+ * Redistributions of source code must retain the above copyright notice, this -+ * list of conditions and the following disclaimer. -+ * -+ * Redistributions in binary form must reproduce the above copyright notice, -+ * this list of conditions and the following disclaimer in the documentation -+ * and/or other materials provided with the distribution. -+ * -+ * Neither the name of Red Hat, Inc. nor the names of its contributors may be -+ * used to endorse or promote products derived from this software without -+ * specific prior written permission. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE -+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -+ * POSSIBILITY OF SUCH DAMAGE. -+ * -+ * Convenience wrappers for using PAM. -+ */ -+ -+#include "autoconf.h" -+#ifdef USE_PAM -+#include -+#include -+#include -+#include -+#include -+#include "k5-int.h" -+#include "pam.h" -+ -+#ifndef MAXPWSIZE -+#define MAXPWSIZE 128 -+#endif -+ -+static int appl_pam_started; -+static pid_t appl_pam_starter = -1; -+static int appl_pam_session_opened; -+static int appl_pam_creds_initialized; -+static int appl_pam_pwchange_required; -+static pam_handle_t *appl_pamh; -+static struct pam_conv appl_pam_conv; -+static char *appl_pam_user; -+struct appl_pam_non_interactive_args { -+ const char *user; -+ const char *password; -+}; -+ -+int -+appl_pam_enabled(krb5_context context, const char *section) -+{ -+ int enabled = 1; -+ if ((context != NULL) && (context->profile != NULL)) { -+ if (profile_get_boolean(context->profile, -+ section, -+ USE_PAM_CONFIGURATION_KEYWORD, -+ NULL, -+ enabled, &enabled) != 0) { -+ enabled = 1; -+ } -+ } -+ return enabled; -+} -+ -+void -+appl_pam_cleanup(void) -+{ -+ if (getpid() != appl_pam_starter) { -+ return; -+ } -+#ifdef DEBUG -+ printf("Called to clean up PAM.\n"); -+#endif -+ if (appl_pam_creds_initialized) { -+#ifdef DEBUG -+ printf("Deleting PAM credentials.\n"); -+#endif -+ pam_setcred(appl_pamh, PAM_DELETE_CRED); -+ appl_pam_creds_initialized = 0; -+ } -+ if (appl_pam_session_opened) { -+#ifdef DEBUG -+ printf("Closing PAM session.\n"); -+#endif -+ pam_close_session(appl_pamh, 0); -+ appl_pam_session_opened = 0; -+ } -+ appl_pam_pwchange_required = 0; -+ if (appl_pam_started) { -+#ifdef DEBUG -+ printf("Shutting down PAM.\n"); -+#endif -+ pam_end(appl_pamh, 0); -+ appl_pam_started = 0; -+ appl_pam_starter = -1; -+ free(appl_pam_user); -+ appl_pam_user = NULL; -+ } -+} -+static int -+appl_pam_interactive_converse(int num_msg, const struct pam_message **msg, -+ struct pam_response **presp, void *appdata_ptr) -+{ -+ const struct pam_message *message; -+ struct pam_response *resp; -+ int i, code; -+ char *pwstring, pwbuf[MAXPWSIZE]; -+ unsigned int pwsize; -+ resp = malloc(sizeof(struct pam_response) * num_msg); -+ if (resp == NULL) { -+ return PAM_BUF_ERR; -+ } -+ memset(resp, 0, sizeof(struct pam_response) * num_msg); -+ code = PAM_SUCCESS; -+ for (i = 0; i < num_msg; i++) { -+ message = &(msg[0][i]); /* XXX */ -+ message = msg[i]; /* XXX */ -+ pwstring = NULL; -+ switch (message->msg_style) { -+ case PAM_TEXT_INFO: -+ case PAM_ERROR_MSG: -+ printf("[%s]\n", message->msg ? message->msg : ""); -+ fflush(stdout); -+ resp[i].resp = NULL; -+ resp[i].resp_retcode = PAM_SUCCESS; -+ break; -+ case PAM_PROMPT_ECHO_ON: -+ case PAM_PROMPT_ECHO_OFF: -+ if (message->msg_style == PAM_PROMPT_ECHO_ON) { -+ if (fgets(pwbuf, sizeof(pwbuf), -+ stdin) != NULL) { -+ pwbuf[strcspn(pwbuf, "\r\n")] = '\0'; -+ pwstring = pwbuf; -+ } -+ } else { -+ pwstring = getpass(message->msg ? -+ message->msg : -+ ""); -+ } -+ if ((pwstring != NULL) && (pwstring[0] != '\0')) { -+ pwsize = strlen(pwstring); -+ resp[i].resp = malloc(pwsize + 1); -+ if (resp[i].resp == NULL) { -+ resp[i].resp_retcode = PAM_BUF_ERR; -+ } else { -+ memcpy(resp[i].resp, pwstring, pwsize); -+ resp[i].resp[pwsize] = '\0'; -+ resp[i].resp_retcode = PAM_SUCCESS; -+ } -+ } else { -+ resp[i].resp_retcode = PAM_CONV_ERR; -+ code = PAM_CONV_ERR; -+ } -+ break; -+ default: -+ break; -+ } -+ } -+ *presp = resp; -+ return code; -+} -+static int -+appl_pam_non_interactive_converse(int num_msg, -+ const struct pam_message **msg, -+ struct pam_response **presp, -+ void *appdata_ptr) -+{ -+ const struct pam_message *message; -+ struct pam_response *resp; -+ int i, code; -+ unsigned int pwsize; -+ struct appl_pam_non_interactive_args *args; -+ const char *pwstring; -+ resp = malloc(sizeof(struct pam_response) * num_msg); -+ if (resp == NULL) { -+ return PAM_BUF_ERR; -+ } -+ args = appdata_ptr; -+ memset(resp, 0, sizeof(struct pam_response) * num_msg); -+ code = PAM_SUCCESS; -+ for (i = 0; i < num_msg; i++) { -+ message = &((*msg)[i]); -+ message = msg[i]; -+ pwstring = NULL; -+ switch (message->msg_style) { -+ case PAM_TEXT_INFO: -+ case PAM_ERROR_MSG: -+ break; -+ case PAM_PROMPT_ECHO_ON: -+ case PAM_PROMPT_ECHO_OFF: -+ if (message->msg_style == PAM_PROMPT_ECHO_ON) { -+ /* assume "user" */ -+ pwstring = args->user; -+ } else { -+ /* assume "password" */ -+ pwstring = args->password; -+ } -+ if ((pwstring != NULL) && (pwstring[0] != '\0')) { -+ pwsize = strlen(pwstring); -+ resp[i].resp = malloc(pwsize + 1); -+ if (resp[i].resp == NULL) { -+ resp[i].resp_retcode = PAM_BUF_ERR; -+ } else { -+ memcpy(resp[i].resp, pwstring, pwsize); -+ resp[i].resp[pwsize] = '\0'; -+ resp[i].resp_retcode = PAM_SUCCESS; -+ } -+ } else { -+ resp[i].resp_retcode = PAM_CONV_ERR; -+ code = PAM_CONV_ERR; -+ } -+ break; -+ default: -+ break; -+ } -+ } -+ *presp = resp; -+ return code; -+} -+void -+appl_pam_set_forwarded_ccname(const char *ccname) -+{ -+ char *ccname2; -+ if (appl_pam_started && (ccname != NULL) && (strlen(ccname) > 0)) { -+ ccname2 = malloc(strlen(KRB5_ENV_CCNAME) + strlen(ccname) + 2); -+ if (ccname2 != NULL) { -+#ifdef DEBUG -+ printf("Setting %s to \"%s\" in PAM environment.\n", -+ KRB5_ENV_CCNAME, ccname); -+#endif -+ sprintf(ccname2, "%s=%s", KRB5_ENV_CCNAME, ccname); -+ pam_putenv(appl_pamh, ccname2); -+ } -+ } -+} -+static int -+appl_pam_start(const char *service, int interactive, -+ const char *login_username, -+ const char *non_interactive_password, -+ const char *hostname, -+ const char *ruser, -+ const char *tty) -+{ -+ static int exit_handler_registered; -+ static struct appl_pam_non_interactive_args args; -+ int ret = 0; -+ if (appl_pam_started && -+ (strcmp(login_username, appl_pam_user) != 0)) { -+ appl_pam_cleanup(); -+ appl_pam_user = NULL; -+ } -+ if (!appl_pam_started) { -+#ifdef DEBUG -+ printf("Starting PAM up (service=\"%s\",user=\"%s\").\n", -+ service, login_username); -+#endif -+ memset(&appl_pam_conv, 0, sizeof(appl_pam_conv)); -+ appl_pam_conv.conv = interactive ? -+ &appl_pam_interactive_converse : -+ &appl_pam_non_interactive_converse; -+ memset(&args, 0, sizeof(args)); -+ args.user = strdup(login_username); -+ args.password = non_interactive_password ? -+ strdup(non_interactive_password) : -+ NULL; -+ appl_pam_conv.appdata_ptr = &args; -+ ret = pam_start(service, login_username, -+ &appl_pam_conv, &appl_pamh); -+ if (ret == 0) { -+ if (hostname != NULL) { -+#ifdef DEBUG -+ printf("Setting PAM_RHOST to \"%s\".\n", hostname); -+#endif -+ pam_set_item(appl_pamh, PAM_RHOST, hostname); -+ } -+ if (ruser != NULL) { -+#ifdef DEBUG -+ printf("Setting PAM_RUSER to \"%s\".\n", ruser); -+#endif -+ pam_set_item(appl_pamh, PAM_RUSER, ruser); -+ } -+ if (tty != NULL) { -+#ifdef DEBUG -+ printf("Setting PAM_TTY to \"%s\".\n", tty); -+#endif -+ pam_set_item(appl_pamh, PAM_TTY, tty); -+ } -+ if (!exit_handler_registered && -+ (atexit(appl_pam_cleanup) != 0)) { -+ pam_end(appl_pamh, 0); -+ appl_pamh = NULL; -+ ret = -1; -+ } else { -+ appl_pam_started = 1; -+ appl_pam_starter = getpid(); -+ appl_pam_user = strdup(login_username); -+ exit_handler_registered = 1; -+ } -+ } -+ } -+ return ret; -+} -+int -+appl_pam_authenticate(const char *service, int interactive, -+ const char *login_username, -+ const char *non_interactive_password, -+ const char *hostname, -+ const char *ruser, -+ const char *tty) -+{ -+ int ret; -+ ret = appl_pam_start(service, interactive, login_username, -+ non_interactive_password, hostname, ruser, tty); -+ if (ret == 0) { -+ ret = pam_authenticate(appl_pamh, 0); -+ } -+ return ret; -+} -+int -+appl_pam_acct_mgmt(const char *service, int interactive, -+ const char *login_username, -+ const char *non_interactive_password, -+ const char *hostname, -+ const char *ruser, -+ const char *tty) -+{ -+ int ret; -+ appl_pam_pwchange_required = 0; -+ ret = appl_pam_start(service, interactive, login_username, -+ non_interactive_password, hostname, ruser, tty); -+ if (ret == 0) { -+#ifdef DEBUG -+ printf("Calling pam_acct_mgmt().\n"); -+#endif -+ ret = pam_acct_mgmt(appl_pamh, 0); -+ switch (ret) { -+ case PAM_IGNORE: -+ ret = 0; -+ break; -+ case PAM_NEW_AUTHTOK_REQD: -+ appl_pam_pwchange_required = 1; -+ ret = 0; -+ break; -+ default: -+ break; -+ } -+ } -+ return ret; -+} -+int -+appl_pam_requires_chauthtok(void) -+{ -+ return appl_pam_pwchange_required; -+} -+int -+appl_pam_chauthtok(void) -+{ -+ int ret = 0; -+ if (appl_pam_started) { -+#ifdef DEBUG -+ printf("Changing PAM expired authentication token.\n"); -+#endif -+ ret = pam_chauthtok(appl_pamh, PAM_CHANGE_EXPIRED_AUTHTOK); -+ } -+ return ret; -+} -+int -+appl_pam_session_open(void) -+{ -+ int ret = 0; -+ if (appl_pam_started) { -+#ifdef DEBUG -+ printf("Opening PAM session.\n"); -+#endif -+ ret = pam_open_session(appl_pamh, 0); -+ if (ret == 0) { -+ appl_pam_session_opened = 1; -+ } -+ } -+ return ret; -+} -+int -+appl_pam_setenv(void) -+{ -+ int ret = 0; -+#ifdef HAVE_PAM_GETENVLIST -+#ifdef HAVE_PUTENV -+ int i; -+ char **list; -+ if (appl_pam_started) { -+ list = pam_getenvlist(appl_pamh); -+ for (i = 0; ((list != NULL) && (list[i] != NULL)); i++) { -+#ifdef DEBUG -+ printf("Setting \"%s\" in environment.\n", list[i]); -+#endif -+ putenv(list[i]); -+ } -+ } -+#endif -+#endif -+ return ret; -+} -+int -+appl_pam_cred_init(void) -+{ -+ int ret = 0; -+ if (appl_pam_started) { -+#ifdef DEBUG -+ printf("Initializing PAM credentials.\n"); -+#endif -+ ret = pam_setcred(appl_pamh, PAM_ESTABLISH_CRED); -+ if (ret == 0) { -+ appl_pam_creds_initialized = 1; -+ } -+ } -+ return ret; -+} -+#endif ---- /dev/null 2007-06-22 10:29:46.741860805 -0400 -+++ krb5-1.6.1/src/appl/bsd/pam.h 2007-06-22 14:27:05.000000000 -0400 -@@ -0,0 +1,65 @@ -+/* -+ * src/appl/bsd/pam.h -+ * -+ * Copyright 2007,2009 Red Hat, Inc. -+ * -+ * All Rights Reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions are met: -+ * -+ * Redistributions of source code must retain the above copyright notice, this -+ * list of conditions and the following disclaimer. -+ * -+ * Redistributions in binary form must reproduce the above copyright notice, -+ * this list of conditions and the following disclaimer in the documentation -+ * and/or other materials provided with the distribution. -+ * -+ * Neither the name of Red Hat, Inc. nor the names of its contributors may be -+ * used to endorse or promote products derived from this software without -+ * specific prior written permission. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE -+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -+ * POSSIBILITY OF SUCH DAMAGE. -+ * -+ * Convenience wrappers for using PAM. -+ */ -+ -+#include -+#ifdef HAVE_SECURITY_PAM_APPL_H -+#include -+#endif -+ -+#define USE_PAM_CONFIGURATION_KEYWORD "use_pam" -+ -+#ifdef USE_PAM -+int appl_pam_enabled(krb5_context context, const char *section); -+int appl_pam_authenticate(const char *service, int interactive, -+ const char *local_username, -+ const char *non_interactive_password, -+ const char *hostname, -+ const char *ruser, -+ const char *tty); -+int appl_pam_acct_mgmt(const char *service, int interactive, -+ const char *local_username, -+ const char *non_interactive_password, -+ const char *hostname, -+ const char *ruser, -+ const char *tty); -+int appl_pam_requires_chauthtok(void); -+int appl_pam_chauthtok(void); -+void appl_pam_set_forwarded_ccname(const char *ccname); -+int appl_pam_session_open(void); -+int appl_pam_setenv(void); -+int appl_pam_cred_init(void); -+void appl_pam_cleanup(void); -+#endif ---- krb5-1.6.1/src/appl/gssftp/ftpd/Makefile.in 2006-12-01 19:10:25.000000000 -0500 -+++ krb5-1.6.1/src/appl/gssftp/ftpd/Makefile.in 2007-06-21 17:39:57.000000000 -0400 -@@ -14,23 +14,25 @@ SETENVOBJ=@SETENVOBJ@ - LIBOBJS=@LIBOBJS@ - COMERRLIB=$(BUILDTOP)/util/et/libcom_err.a - FTPD_LIBS=@FTPD_LIBS@ -+PAM_LIBS=@PAM_LIBS@ - - SRCS = $(srcdir)/ftpd.c ftpcmd.c $(srcdir)/popen.c \ - $(srcdir)/vers.c \ - $(srcdir)/../ftp/glob.c \ - $(srcdir)/../ftp/radix.c \ - $(srcdir)/../ftp/secure.c \ -+ $(srcdir)/../../bsd/pam.c \ - $(srcdir)/../../bsd/getdtablesize.c $(SETENVSRC) - - OBJS = ftpd.o ftpcmd.o glob.o popen.o vers.o radix.o \ -- secure.o $(LIBOBJS) $(SETENVOBJ) -+ secure.o pam.o getdtablesize.o $(LIBOBJS) $(SETENVOBJ) - - LOCALINCLUDES = -I$(srcdir)/.. -I$(srcdir) @KRB4_INCLUDES@ - - all:: ftpd - - ftpd: $(OBJS) $(PTY_DEPLIB) $(GSS_DEPLIBS) $(KRB4COMPAT_DEPLIBS) -- $(CC_LINK) -o $@ $(OBJS) $(FTPD_LIBS) $(PTY_LIB) $(UTIL_LIB) $(GSS_LIBS) $(KRB4COMPAT_LIBS) -+ $(CC_LINK) -o $@ $(OBJS) $(FTPD_LIBS) $(PTY_LIB) $(UTIL_LIB) $(GSS_LIBS) $(PAM_LIBS) $(KRB4COMPAT_LIBS) - - generate-files-mac: ftpcmd.c - -@@ -62,6 +64,8 @@ secure.o: $(srcdir)/../ftp/secure.c - - getdtablesize.o: $(srcdir)/../../bsd/getdtablesize.c - $(CC) -c $(ALL_CFLAGS) $(srcdir)/../../bsd/getdtablesize.c -+pam.o: $(srcdir)/../../bsd/pam.c -+ $(CC) -c $(ALL_CFLAGS) $(srcdir)/../../bsd/pam.c - - setenv.o: $(srcdir)/../../bsd/setenv.c - $(CC) -c $(ALL_CFLAGS) $(srcdir)/../../bsd/setenv.c ---- krb5-1.6.1/src/appl/gssftp/ftpd/ftpd.c 2006-08-08 15:26:40.000000000 -0400 -+++ krb5-1.6.1/src/appl/gssftp/ftpd/ftpd.c 2007-06-22 14:28:09.000000000 -0400 -@@ -70,6 +70,9 @@ static char sccsid[] = "@(#)ftpd.c 5.40 - #ifdef HAVE_SHADOW - #include - #endif -+#ifdef USE_PAM -+#include "../../bsd/pam.h" -+#endif - #include - #include - #ifndef POSIX_SETJMP -@@ -803,6 +806,22 @@ - } - #endif /* KRB5_KRB4_COMPAT */ - -+#ifdef USE_PAM -+ if (appl_pam_enabled(kcontext, "ftpd")) { -+ if (appl_pam_acct_mgmt(FTP_PAM_SERVICE, 0, -+ pw->pw_name, "", -+ hostname, -+ NULL, -+ FTP_PAM_SERVICE) != 0) { -+ reply(530, "Login incorrect."); -+ return; -+ } -+ if (appl_pam_requires_chauthtok()) { -+ reply(530, "Password change required."); -+ return; -+ } -+ } -+#endif - if (!authorized && authlevel == AUTHLEVEL_AUTHORIZE) { - strncat(buf, "; Access denied.", - sizeof(buf) - strlen(buf) - 1); -@@ -903,6 +921,10 @@ end_login() - (void) krb5_seteuid((uid_t)0); - if (logged_in) - pty_logwtmp(ttyline, "", ""); -+#ifdef USE_PAM -+ if (appl_pam_enabled(kcontext, "ftpd")) -+ appl_pam_cleanup(); -+#endif - if (have_creds) { - #ifdef GSSAPI - krb5_cc_destroy(kcontext, ccache); -@@ -1073,9 +1095,19 @@ pass(passwd) - * kpass fails and the user has no local password - * kpass fails and the provided password doesn't match pw - */ -- if (pw == NULL || (!kpass(pw->pw_name, passwd) && -- (want_creds || !*pw->pw_passwd || -- strcmp(xpasswd, pw->pw_passwd)))) { -+ if ((pw == NULL) || -+#ifdef USE_PAM -+ appl_pam_enabled(kcontext, "ftpd") ? -+ (appl_pam_authenticate(FTP_PAM_SERVICE, 0, -+ pw->pw_name, passwd, -+ hostname, -+ NULL, -+ FTP_PAM_SERVICE) != 0) : -+#endif -+ (!kpass(pw->pw_name, passwd) && -+ (want_creds || -+ !*pw->pw_passwd || -+ strcmp(xpasswd, pw->pw_passwd)))) { - pw = NULL; - sleep(5); - if (++login_attempts >= 3) { -@@ -1092,6 +1123,23 @@ pass(passwd) - } - login_attempts = 0; /* this time successful */ - -+#ifdef USE_PAM -+ if (appl_pam_enabled(kcontext, "ftpd")) { -+ if (appl_pam_acct_mgmt(FTP_PAM_SERVICE, 0, -+ pw->pw_name, passwd, -+ hostname, -+ NULL, -+ FTP_PAM_SERVICE) != 0) { -+ reply(530, "Login incorrect."); -+ return; -+ } -+ if (appl_pam_requires_chauthtok()) { -+ reply(530, "Password change required."); -+ return; -+ } -+ } -+#endif -+ - login(passwd, 0); - return; - } -@@ -1110,6 +1157,18 @@ login(passwd, logincode) - chown(tkt_string(), pw->pw_uid, pw->pw_gid); - #endif - } -+#ifdef USE_PAM -+ if (appl_pam_enabled(kcontext, "ftpd")) { -+ if (appl_pam_session_open() != 0) { -+ reply(550, "Can't open PAM session."); -+ goto bad; -+ } -+ if (appl_pam_cred_init() != 0) { -+ reply(550, "Can't establish PAM credentials."); -+ goto bad; -+ } -+ } -+#endif - - (void) krb5_setegid((gid_t)pw->pw_gid); - (void) initgroups(pw->pw_name, pw->pw_gid); -@@ -2125,6 +2194,10 @@ dologout(status) - dest_tkt(); - #endif - } -+#ifdef USE_PAM -+ if (appl_pam_enabled(kcontext, "ftpd")) -+ appl_pam_cleanup(); -+#endif - /* beware of flushing buffers after a SIGPIPE */ - _exit(status); - } ---- krb5-1.6.1/src/appl/gssftp/configure.in 2006-03-31 16:00:40.000000000 -0500 -+++ krb5-1.6.1/src/appl/gssftp/configure.in 2007-06-21 17:39:57.000000000 -0400 -@@ -17,6 +17,7 @@ DECLARE_SYS_ERRLIST - AC_REPLACE_FUNCS(getdtablesize) - AC_CHECK_FUNCS(getcwd getdtablesize getusershell seteuid setreuid setresuid strerror getenv) - AC_CHECK_LIB(crypt,crypt) dnl -+KRB5_WITH_PAM - KRB5_AC_LIBUTIL - dnl - dnl copied from appl/bsd/configure.in ---- krb5-1.6.1/src/configure.in 2007-06-21 17:39:57.000000000 -0400 -+++ krb5-1.6.1/src/configure.in 2007-06-21 17:39:57.000000000 -0400 -@@ -929,6 +929,8 @@ if false; then - AC_CONFIG_SUBDIRS(plugins/locate/python) - fi - -+KRB5_WITH_PAM -+ - AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) - V5_AC_OUTPUT_MAKEFILE(. - ---- krb5-1.6.1/src/config/pre.in 2007-06-21 17:39:57.000000000 -0400 -+++ krb5-1.6.1/src/config/pre.in 2007-06-21 17:39:57.000000000 -0400 -@@ -180,6 +180,7 @@ SRVLIBS = @SRVLIBS@ - SRVDEPLIBS = @SRVDEPLIBS@ - CLNTLIBS = @CLNTLIBS@ - CLNTDEPLIBS = @CLNTDEPLIBS@ -+PAM_LIBS = @PAM_LIBS@ - - INSTALL=@INSTALL@ - INSTALL_STRIP= ---- krb5-1.6.1/src/aclocal.m4 2007-06-21 17:39:57.000000000 -0400 -+++ krb5-1.6.1/src/aclocal.m4 2007-06-21 17:39:57.000000000 -0400 -@@ -1823,3 +1823,86 @@ AC_DEFUN(KRB5_AC_KEYRING_CCACHE,[ - ])) - ])dnl - dnl -+dnl -+dnl Use PAM instead of local crypt() compare for checking local passwords, -+dnl and perform PAM account, session management, and password-changing where -+dnl appropriate. -+dnl -+AC_DEFUN(KRB5_WITH_PAM,[ -+AC_ARG_WITH(pam,[AC_HELP_STRING(--with-pam,[compile with PAM support])], -+ withpam="$withval",withpam=auto) -+AC_ARG_WITH(pam-login-service,[AC_HELP_STRING(--with-login-service,[PAM service name for login ["login"]])], -+ withloginpamservice="$withval",withloginpamservice=login) -+AC_ARG_WITH(pam-kshell-service,[AC_HELP_STRING(--with-kshell-service,[PAM service name for unencrypted rsh ["kshell"]])], -+ withkshellpamservice="$withval",withkshellpamservice=kshell) -+AC_ARG_WITH(pam-ekshell-service,[AC_HELP_STRING(--with-ekshell-service,[PAM service name for encrypted rsh ["ekshell"]])], -+ withekshellpamservice="$withval",withekshellpamservice=ekshell) -+AC_ARG_WITH(pam-ftp-service,[AC_HELP_STRING(--with-ftp-service,[PAM service name for ftpd ["gssftp"]])], -+ withftppamservice="$withval",withftppamservice=gssftp) -+AC_ARG_WITH(pam-ksu-service,[AC_HELP_STRING(--with-ksu-service,[PAM service name for ksu ["ksu"]])], -+ withksupamservice="$withval",withksupamservice=ksu) -+old_LIBS="$LIBS" -+if test "$withpam" != no ; then -+ AC_MSG_RESULT([checking for PAM...]) -+ PAM_LIBS= -+ -+ AC_CHECK_HEADERS(security/pam_appl.h) -+ if test "x$ac_cv_header_security_pam_appl_h" != xyes ; then -+ if test "$withpam" = auto ; then -+ AC_MSG_RESULT([Unable to locate security/pam_appl.h.]) -+ withpam=no -+ else -+ AC_MSG_ERROR([Unable to locate security/pam_appl.h.]) -+ fi -+ fi -+ -+ LIBS= -+ unset ac_cv_func_pam_start -+ AC_CHECK_FUNCS(putenv pam_start) -+ if test "x$ac_cv_func_pam_start" = xno ; then -+ unset ac_cv_func_pam_start -+ AC_CHECK_LIB(dl,dlopen) -+ AC_CHECK_FUNCS(pam_start) -+ if test "x$ac_cv_func_pam_start" = xno ; then -+ AC_CHECK_LIB(pam,pam_start) -+ unset ac_cv_func_pam_start -+ unset ac_cv_func_pam_getenvlist -+ AC_CHECK_FUNCS(pam_start pam_getenvlist) -+ if test "x$ac_cv_func_pam_start" = xyes ; then -+ PAM_LIBS="$LIBS" -+ else -+ if test "$withpam" = auto ; then -+ AC_MSG_RESULT([Unable to locate libpam.]) -+ withpam=no -+ else -+ AC_MSG_ERROR([Unable to locate libpam.]) -+ fi -+ fi -+ fi -+ fi -+ if test "$withpam" != no ; then -+ AC_MSG_RESULT([Using PAM.]) -+ AC_DEFINE(USE_PAM,1,[Define if Kerberos-aware tools should support PAM]) -+ AC_DEFINE_UNQUOTED(LOGIN_PAM_SERVICE,"$withloginpamservice", -+ [Define to the name of the PAM service name to be used by login.]) -+ AC_DEFINE_UNQUOTED(KSHELL_PAM_SERVICE,"$withkshellpamservice", -+ [Define to the name of the PAM service name to be used by rshd for unencrypted sessions.]) -+ AC_DEFINE_UNQUOTED(EKSHELL_PAM_SERVICE,"$withekshellpamservice", -+ [Define to the name of the PAM service name to be used by rshd for encrypted sessions.]) -+ AC_DEFINE_UNQUOTED(FTP_PAM_SERVICE,"$withftppamservice", -+ [Define to the name of the PAM service name to be used by ftpd.]) -+ AC_DEFINE_UNQUOTED(KSU_PAM_SERVICE,"$withksupamservice", -+ [Define to the name of the PAM service name to be used by ksu.]) -+ PAM_LIBS="$LIBS" -+ NON_PAM_MAN=".\\\" " -+ PAM_MAN= -+ else -+ PAM_MAN=".\\\" " -+ NON_PAM_MAN= -+ fi -+fi -+LIBS="$old_LIBS" -+AC_SUBST(PAM_LIBS) -+AC_SUBST(PAM_MAN) -+AC_SUBST(NON_PAM_MAN) -+])dnl -diff -up krb5-1.6.1/src/clients/ksu/Makefile.in krb5-1.6.1/src/clients/ksu/Makefile.in ---- krb5-1.6.1/src/clients/ksu/Makefile.in 2009-04-21 15:07:16.000000000 -0400 -+++ krb5-1.6.1/src/clients/ksu/Makefile.in 2009-04-23 13:47:36.000000000 -0400 -@@ -15,6 +15,7 @@ SRCS = \ - $(srcdir)/ccache.c \ - $(srcdir)/authorization.c \ - $(srcdir)/main.c \ -+ $(srcdir)/../../appl/bsd/pam.c \ - $(srcdir)/heuristic.c \ - $(srcdir)/xmalloc.c \ - $(srcdir)/setenv.c -@@ -23,13 +24,17 @@ OBJS = \ - ccache.o \ - authorization.o \ - main.o \ -+ pam.o \ - heuristic.o \ - xmalloc.o @SETENVOBJ@ - - all:: ksu - - ksu: $(OBJS) $(KRB5_BASE_DEPLIBS) -- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) -+ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(PAM_LIBS) -+ -+pam.o: $(srcdir)/../../appl/bsd/pam.c -+ $(CC) $(ALL_CFLAGS) -c $< - - clean:: - $(RM) ksu ---- krb5-1.6.3/src/clients/ksu/main.c 2006-08-15 15:27:08.000000000 -0400 -+++ krb5-1.6.3/src/clients/ksu/main.c 2009-04-23 18:39:03.000000000 -0400 -@@ -25,6 +25,7 @@ - * KSU was writen by: Ari Medvinsky, ari@isi.edu - */ - -+#include "autoconf.h" - #include "ksu.h" - #include "adm_proto.h" - #include -@@ -32,6 +33,11 @@ - #include - #include - -+#ifdef USE_PAM -+#include "../../appl/bsd/pam.h" -+int force_fork = 0; -+#endif -+ - /* globals */ - char * prog_name; - int auth_debug =0; -@@ -791,7 +797,24 @@ - fprintf(stderr, "program to be execed %s\n",params[0]); - } - -- if( keep_target_cache ) { -+#ifdef USE_PAM -+ if (appl_pam_enabled(ksu_context, "ksu")) { -+ if (appl_pam_acct_mgmt(KSU_PAM_SERVICE, 1, target_user, NULL, -+ NULL, source_user, ttyname(STDERR_FILENO)) != 0) { -+ fprintf(stderr, "Access denied for %s.\n", target_user); -+ sweep_up(ksu_context, cc_target); -+ exit(1); -+ } -+ if (appl_pam_requires_chauthtok()) { -+ fprintf(stderr, "Password change required for %s.\n", target_user); -+ sweep_up(ksu_context, cc_target); -+ exit(1); -+ } -+ force_fork++; -+ } -+#endif -+ -+ if( keep_target_cache && !force_fork ) { - execv(params[0], params); - com_err(prog_name, errno, "while trying to execv %s", - params[0]); -@@ -799,6 +822,33 @@ - exit(1); - }else{ - statusp = 1; -+ -+#ifdef USE_PAM -+ if (appl_pam_enabled(ksu_context, "ksu")) { -+ if (appl_pam_session_open() != 0) { -+ fprintf(stderr, "Error opening session for %s.\n", target_user); -+ sweep_up(ksu_context, cc_target); -+ exit(1); -+ } -+#ifdef DEBUG -+ if (auth_debug){ -+ printf(" Opened PAM session.\n"); -+ } -+#endif -+ if (appl_pam_cred_init()) { -+ fprintf(stderr, "Error initializing credentials for %s.\n", -+ target_user); -+ sweep_up(ksu_context, cc_target); -+ exit(1); -+ } -+#ifdef DEBUG -+ if (auth_debug){ -+ printf(" Initialized PAM credentials.\n"); -+ } -+#endif -+ } -+#endif -+ - switch ((child_pid = fork())) { - default: - if (auth_debug){ -@@ -822,15 +872,34 @@ - if (ret_pid == -1) { - com_err(prog_name, errno, "while calling waitpid"); - } -- sweep_up(ksu_context, cc_target); -+ if( !keep_target_cache ) { -+ sweep_up(ksu_context, cc_target); -+ } - exit (statusp); - case -1: - com_err(prog_name, errno, "while trying to fork."); - sweep_up(ksu_context, cc_target); - exit (1); - case 0: -+#ifdef USE_PAM -+ if (appl_pam_enabled(ksu_context, "ksu")) { -+ if (appl_pam_setenv() != 0) { -+ fprintf(stderr, "Error setting up environment for %s.\n", -+ target_user); -+ exit (1); -+ } -+#ifdef DEBUG -+ if (auth_debug){ -+ printf(" Set up PAM environment.\n"); -+ } -+#endif -+ } -+#endif - execv(params[0], params); - com_err(prog_name, errno, "while trying to execv %s", params[0]); -+ if( keep_target_cache ) { -+ sweep_up(ksu_context, cc_target); -+ } - exit (1); - } - } diff --git a/krb5-1.6.2-dirsrv-accountlock.patch b/krb5-1.6.2-dirsrv-accountlock.patch deleted file mode 100644 index 3c39c6d..0000000 --- a/krb5-1.6.2-dirsrv-accountlock.patch +++ /dev/null @@ -1,68 +0,0 @@ -Treat 'nsAccountLock: true' the same as 'loginDisabled: true'. RT#5891. - -diff -ur krb5-1.6.2.orig/src/aclocal.m4 krb5-1.6.2/src/aclocal.m4 ---- krb5-1.6.2.orig/src/aclocal.m4 2007-11-20 11:39:51.000000000 -0500 -+++ krb5-1.6.2/src/aclocal.m4 2007-11-20 12:09:56.000000000 -0500 -@@ -1798,6 +1798,12 @@ - yes | no) ;; - *) AC_MSG_ERROR(Invalid option value --with-edirectory="$withval") ;; - esac], with_edirectory=no)dnl -+AC_ARG_WITH([dirsrv], -+[ --with-dirsrv compile Red Hat/Fedora/Netscape Directory Server database backend module], -+[case "$withval" in -+ yes | no) ;; -+ *) AC_MSG_ERROR(Invalid option value --with-dirsrv="$withval") ;; -+esac], with_dirsrv=no)dnl - - if test $with_ldap = yes; then - if test $with_edirectory = yes; then -@@ -1809,6 +1815,10 @@ - AC_MSG_NOTICE(enabling eDirectory database backend module support) - OPENLDAP_PLUGIN=yes - AC_DEFINE(HAVE_EDIRECTORY,1,[Define if LDAP KDB interface should assume eDirectory.]) -+elif test $with_dirsrv = yes; then -+ AC_MSG_NOTICE(enabling Red Hat/Fedora/Netscape Directory Server database backend module support) -+ OPENLDAP_PLUGIN=yes -+ AC_DEFINE(HAVE_DIRSRV,1,[Define if LDAP KDB interface should assume RHDS/FDS/NDS.]) - else - : # neither enabled - dnl AC_MSG_NOTICE(disabling ldap backend module support) -diff -ur krb5-1.6.2.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c krb5-1.6.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c ---- krb5-1.6.2.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 2006-12-21 23:28:09.000000000 -0500 -+++ krb5-1.6.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c 2007-11-20 12:04:10.000000000 -0500 -@@ -2141,6 +2141,22 @@ - } - } - #endif -+#ifdef HAVE_DIRSRV -+ { -+ krb5_timestamp expiretime=0; -+ char *is_login_disabled=NULL; -+ -+ /* LOGIN DISABLED */ -+ if ((st=krb5_ldap_get_string(ld, ent, "nsaccountlock", &is_login_disabled, -+ &attr_present)) != 0) -+ goto cleanup; -+ if (attr_present == TRUE) { -+ if (strcasecmp(is_login_disabled, "TRUE")== 0) -+ entry->attributes |= KRB5_KDB_DISALLOW_ALL_TIX; -+ free (is_login_disabled); -+ } -+ } -+#endif - - if ((st=krb5_read_tkt_policy (context, ldap_context, entry, tktpolname)) !=0) - goto cleanup; -diff -ur krb5-1.6.2.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c krb5-1.6.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c ---- krb5-1.6.2.orig/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2007-01-03 19:27:26.000000000 -0500 -+++ krb5-1.6.2/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c 2007-11-20 12:00:27.000000000 -0500 -@@ -57,6 +57,9 @@ - "loginexpirationtime", - "logindisabled", - #endif -+#ifdef HAVE_DIRSRV -+ "nsaccountlock", -+#endif - "loginexpirationtime", - "logindisabled", - "modifytimestamp", diff --git a/krb5-1.6.3-lucid-acceptor.patch b/krb5-1.6.3-lucid-acceptor.patch deleted file mode 100644 index 2dec700..0000000 --- a/krb5-1.6.3-lucid-acceptor.patch +++ /dev/null @@ -1,13 +0,0 @@ -From Kevin Coffman, via the nfs4 mailing list. -diff -up src/lib/gssapi/krb5/lucid_context.c ./src/lib/gssapi/krb5/lucid_context.c ---- src/lib/gssapi/krb5/lucid_context.c 2008-04-01 16:28:11.000000000 -0400 -+++ src/lib/gssapi/krb5/lucid_context.c 2008-04-01 16:28:01.000000000 -0400 -@@ -231,7 +231,7 @@ make_external_lucid_ctx_v1( - &lctx->cfx_kd.ctx_key))) - goto error_out; - if (gctx->have_acceptor_subkey) { -- if ((retval = copy_keyblock_to_lucid_key(gctx->enc, -+ if ((retval = copy_keyblock_to_lucid_key(gctx->acceptor_subkey, - &lctx->cfx_kd.acceptor_subkey))) - goto error_out; - lctx->cfx_kd.have_acceptor_subkey = 1; diff --git a/krb5-1.6.3-selinux-label.patch b/krb5-1.6.3-selinux-label.patch deleted file mode 100644 index f15cc7a..0000000 --- a/krb5-1.6.3-selinux-label.patch +++ /dev/null @@ -1,860 +0,0 @@ -SELinux bases access to files mainly on the domain of the requesting -process and the context applied to the file. - -In many cases, applications needn't be SELinux aware to work properly, -because SELinux can apply a default label to a file based on the label -of the directory in which it's created. - -In the case of files such as /etc/krb5.keytab, however, this isn't -sufficient, as /etc/krb5.keytab will almost always need given a label -which differs from that of /etc/issue or /etc/resolv.conf. - -To give the file the correct label, we can either force a "restorecon" -call to fix a file's label after it's created, or create the file with -the right label, as we do here. We lean on THREEPARAMOPEN and define a -similar macro named WRITABLEFOPEN with which we replace several uses of -fopen(). - -diff -ur krb5-1.6.3/src/aclocal.m4 krb5-1.6.3/src/aclocal.m4 ---- krb5-1.6.3/src/aclocal.m4 2008-03-06 19:04:59.000000000 -0500 -+++ krb5-1.6.3/src/aclocal.m4 2008-03-06 17:31:21.000000000 -0500 -@@ -102,6 +102,7 @@ - dnl - KRB5_AC_PRAGMA_WEAK_REF - WITH_LDAP -+KRB5_WITH_SELINUX - KRB5_LIB_PARAMS - KRB5_AC_INITFINI - KRB5_AC_ENABLE_THREADS -@@ -1902,3 +1903,50 @@ - AC_SUBST(PAM_MAN) - AC_SUBST(NON_PAM_MAN) - ])dnl -+dnl -+dnl Use libselinux to set file contexts on newly-created files. -+dnl -+AC_DEFUN(KRB5_WITH_SELINUX,[ -+AC_ARG_WITH(selinux,[AC_HELP_STRING(--with-selinux,[compile with SELinux labeling support])], -+ withselinux="$withval",withselinux=auto) -+old_LIBS="$LIBS" -+if test "$withselinux" != no ; then -+ AC_MSG_RESULT([checking for libselinux...]) -+ SELINUX_LIBS= -+ AC_CHECK_HEADERS(selinux/selinux.h) -+ if test "x$ac_cv_header_selinux_selinux_h" != xyes ; then -+ if test "$withselinux" = auto ; then -+ AC_MSG_RESULT([Unable to locate selinux/selinux.h.]) -+ withselinux=no -+ else -+ AC_MSG_ERROR([Unable to locate selinux/selinux.h.]) -+ fi -+ fi -+ -+ LIBS= -+ unset ac_cv_func_setfscreatecon -+ AC_CHECK_FUNCS(setfscreatecon) -+ if test "x$ac_cv_func_setfscreatecon" = xno ; then -+ AC_CHECK_LIB(selinux,setfscreatecon) -+ unset ac_cv_func_setfscreatecon -+ AC_CHECK_FUNCS(setfscreatecon) -+ if test "x$ac_cv_func_setfscreatecon" = xyes ; then -+ SELINUX_LIBS="$LIBS" -+ else -+ if test "$withselinux" = auto ; then -+ AC_MSG_RESULT([Unable to locate libselinux.]) -+ withselinux=no -+ else -+ AC_MSG_ERROR([Unable to locate libselinux.]) -+ fi -+ fi -+ fi -+ if test "$withselinux" != no ; then -+ AC_MSG_RESULT([Using SELinux.]) -+ AC_DEFINE(USE_SELINUX,1,[Define if Kerberos-aware tools should set SELinux file contexts when creating files.]) -+ SELINUX_LIBS="$LIBS" -+ fi -+fi -+LIBS="$old_LIBS" -+AC_SUBST(SELINUX_LIBS) -+])dnl -diff -ur krb5-1.6.3/src/appl/bsd/configure.in krb5-1.6.3/src/appl/bsd/configure.in ---- krb5-1.6.3/src/appl/bsd/configure.in 2008-03-06 19:04:59.000000000 -0500 -+++ krb5-1.6.3/src/appl/bsd/configure.in 2008-03-06 18:05:45.000000000 -0500 -@@ -25,6 +25,7 @@ - LOGINLIBS="$LOGINLIBS -lodm -ls -lcfg" - ))) - KRB5_WITH_PAM -+KRB5_WITH_SELINUX - dnl - dnl Make our operating system-specific security checks and definitions for - dnl login. -diff -ur krb5-1.6.3/src/appl/gssftp/configure.in krb5-1.6.3/src/appl/gssftp/configure.in ---- krb5-1.6.3/src/appl/gssftp/configure.in 2008-03-06 19:04:59.000000000 -0500 -+++ krb5-1.6.3/src/appl/gssftp/configure.in 2008-03-06 18:08:03.000000000 -0500 -@@ -18,6 +18,7 @@ - AC_CHECK_FUNCS(getcwd getdtablesize getusershell seteuid setreuid setresuid strerror getenv) - AC_CHECK_LIB(crypt,crypt) dnl - KRB5_WITH_PAM -+KRB5_WITH_SELINUX - KRB5_AC_LIBUTIL - dnl - dnl copied from appl/bsd/configure.in -diff -ur krb5-1.6.3/src/appl/telnet/configure.in krb5-1.6.3/src/appl/telnet/configure.in ---- krb5-1.6.3/src/appl/telnet/configure.in 2006-03-27 23:35:02.000000000 -0500 -+++ krb5-1.6.3/src/appl/telnet/configure.in 2008-03-06 18:08:49.000000000 -0500 -@@ -163,6 +163,7 @@ - if test $krb5_cv_sys_setpgrp_two = yes; then - AC_DEFINE(SETPGRP_TWOARG,1,[Define if setpgrp takes two arguments]) - fi -+KRB5_USE_SELINUX - dnl - KRB5_NEED_PROTO([#include ],unsetenv,1) - dnl KRB5_NEED_PROTO([#include ],setenv,1) -diff -ur krb5-1.6.3/src/config/pre.in krb5-1.6.3/src/config/pre.in ---- krb5-1.6.3/src/config/pre.in 2008-03-06 19:04:59.000000000 -0500 -+++ krb5-1.6.3/src/config/pre.in 2008-03-06 17:53:07.000000000 -0500 -@@ -181,6 +181,7 @@ - CLNTLIBS = @CLNTLIBS@ - CLNTDEPLIBS = @CLNTDEPLIBS@ - PAM_LIBS = @PAM_LIBS@ -+SELINUX_LIBS=@SELINUX_LIBS@ - - INSTALL=@INSTALL@ - INSTALL_STRIP= -@@ -391,7 +392,7 @@ - # HESIOD_LIBS is -lhesiod... - HESIOD_LIBS = @HESIOD_LIBS@ - --KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(DL_LIB) -+KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(SELINUX_LIBS) $(DL_LIB) - KRB4COMPAT_LIBS = $(KRB4_LIB) $(DES425_LIB) $(KRB5_BASE_LIBS) - KDB5_LIBS = $(KDB5_LIB) - GSS_LIBS = $(GSS_KRB5_LIB) -diff -ur krb5-1.6.3/src/configure.in krb5-1.6.3/src/configure.in ---- krb5-1.6.3/src/configure.in 2008-03-06 19:04:59.000000000 -0500 -+++ krb5-1.6.3/src/configure.in 2008-03-06 17:39:53.000000000 -0500 -@@ -945,6 +945,8 @@ - - KRB5_WITH_PAM - -+KRB5_WITH_SELINUX -+ - AC_CONFIG_FILES(krb5-config, [chmod +x krb5-config]) - - mansysconfdir=$sysconfdir -diff -ur krb5-1.6.3/src/include/autoconf.h.in krb5-1.6.3/src/include/autoconf.h.in ---- krb5-1.6.3/src/include/autoconf.h.in 2007-10-21 23:35:17.000000000 -0400 -+++ krb5-1.6.3/src/include/autoconf.h.in 2008-03-06 17:39:13.000000000 -0500 -@@ -358,6 +358,9 @@ - /* Define to 1 if you have the `sched_yield' function. */ - #undef HAVE_SCHED_YIELD - -+/* Define to 1 if you have the header file. */ -+#undef HAVE_SELINUX_SELINUX_H -+ - /* Define to 1 if you have the header file. */ - #undef HAVE_SEMAPHORE_H - -@@ -370,6 +373,9 @@ - /* Define to 1 if you have the `setegid' function. */ - #undef HAVE_SETEGID - -+/* Define to 1 if you have the `setfscreatecon' function. */ -+#undef HAVE_SETFSCREATECON -+ - /* Define to 1 if you have the `setenv' function. */ - #undef HAVE_SETENV - -@@ -695,6 +701,10 @@ - /* Define if the KDC should use a replay cache */ - #undef USE_RCACHE - -+/* Define if Kerberos-aware tools should set SELinux file contexts when -+ creating files. */ -+#undef USE_SELINUX -+ - /* Define if sigprocmask should be used */ - #undef USE_SIGPROCMASK - -diff -ur krb5-1.6.3/src/include/k5-int.h krb5-1.6.3/src/include/k5-int.h ---- krb5-1.6.3/src/include/k5-int.h 2007-10-04 16:17:48.000000000 -0400 -+++ krb5-1.6.3/src/include/k5-int.h 2008-03-06 18:51:29.000000000 -0500 -@@ -128,6 +128,7 @@ - typedef UINT64_TYPE krb5_ui_8; - typedef INT64_TYPE krb5_int64; - -+#include "k5-label.h" - - #define DEFAULT_PWD_STRING1 "Enter password" - #define DEFAULT_PWD_STRING2 "Re-enter password for verification" -diff -ur krb5-1.6.3/src/include/krb5/krb5.hin krb5-1.6.3/src/include/krb5/krb5.hin ---- krb5-1.6.3/src/include/krb5/krb5.hin 2007-09-17 23:36:09.000000000 -0400 -+++ krb5-1.6.3/src/include/krb5/krb5.hin 2008-03-06 18:17:29.000000000 -0500 -@@ -91,6 +91,12 @@ - #define THREEPARAMOPEN(x,y,z) open(x,y,z) - #endif - -+#if KRB5_PRIVATE -+#ifndef WRITABLEFOPEN -+#define WRITABLEFOPEN(x,y) fopen(x,y) -+#endif -+#endif -+ - #define KRB5_OLD_CRYPTO - - #include -diff -ur krb5-1.6.3/src/kadmin/dbutil/dump.c krb5-1.6.3/src/kadmin/dbutil/dump.c ---- krb5-1.6.3/src/kadmin/dbutil/dump.c 2006-12-18 18:11:15.000000000 -0500 -+++ krb5-1.6.3/src/kadmin/dbutil/dump.c 2008-03-06 18:33:44.000000000 -0500 -@@ -1148,7 +1148,7 @@ - * want to get into. - */ - unlink(ofile); -- if (!(f = fopen(ofile, "w"))) { -+ if (!(f = WRITABLEFOPEN(ofile, "w"))) { - fprintf(stderr, ofopen_error, - programname, ofile, error_message(errno)); - exit_status++; -diff -ur krb5-1.6.3/src/kadmin/dbutil/dumpv4.c krb5-1.6.3/src/kadmin/dbutil/dumpv4.c ---- krb5-1.6.3/src/kadmin/dbutil/dumpv4.c 2002-11-05 19:42:57.000000000 -0500 -+++ krb5-1.6.3/src/kadmin/dbutil/dumpv4.c 2008-03-06 18:33:50.000000000 -0500 -@@ -324,7 +324,7 @@ - * want to get into. - */ - unlink(outname); -- if (!(f = fopen(outname, "w"))) { -+ if (!(f = WRITABLEFOPEN(outname, "w"))) { - com_err(argv[0], errno, - "While opening file %s for writing", outname); - exit_status++; -diff -ur krb5-1.6.3/src/kadmin/ktutil/ktutil_funcs.c krb5-1.6.3/src/kadmin/ktutil/ktutil_funcs.c ---- krb5-1.6.3/src/kadmin/ktutil/ktutil_funcs.c 2005-10-12 16:48:36.000000000 -0400 -+++ krb5-1.6.3/src/kadmin/ktutil/ktutil_funcs.c 2008-03-06 18:34:19.000000000 -0500 -@@ -520,7 +520,7 @@ - umask(0077); /*Changing umask for all of ktutil is OK - * We don't ever write out anything that should use - * default umask.*/ -- fp = fopen(name, "w"); -+ fp = WRITABLEFOPEN(name, "w"); - if (!fp) { - retval = EIO; - goto free_pruned; -diff -ur krb5-1.6.3/src/krb5-config.in krb5-1.6.3/src/krb5-config.in ---- krb5-1.6.3/src/krb5-config.in 2006-06-15 20:26:49.000000000 -0400 -+++ krb5-1.6.3/src/krb5-config.in 2008-03-06 17:29:57.000000000 -0500 -@@ -39,6 +39,7 @@ - RPATH_FLAG='@RPATH_FLAG@' - PTHREAD_CFLAGS='@PTHREAD_CFLAGS@' - DL_LIB='@DL_LIB@' -+SELINUX_LIBS='@SELINUX_LIBS@' - - LIBS='@LIBS@' - GEN_LIB=@GEN_LIB@ -@@ -217,7 +218,7 @@ - fi - - if test $library = 'krb5'; then -- lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $DL_LIB" -+ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB $LIBS $SELINUX_LIBS $DL_LIB" - fi - - echo $lib_flags -diff -ur krb5-1.6.3/src/lib/kadm5/logger.c krb5-1.6.3/src/lib/kadm5/logger.c ---- krb5-1.6.3/src/lib/kadm5/logger.c 2007-04-04 17:08:05.000000000 -0400 -+++ krb5-1.6.3/src/lib/kadm5/logger.c 2008-03-06 18:30:32.000000000 -0500 -@@ -425,7 +425,7 @@ - * Check for append/overwrite, then open the file. - */ - if (cp[4] == ':' || cp[4] == '=') { -- f = fopen(&cp[5], (cp[4] == ':') ? "a+" : "w"); -+ f = WRITABLEFOPEN(&cp[5], (cp[4] == ':') ? "a+" : "w"); - if (f) { - log_control.log_entries[i].lfu_filep = f; - log_control.log_entries[i].log_type = K_LOG_FILE; -@@ -959,7 +959,7 @@ - * In case the old logfile did not get moved out of the - * way, open for append to prevent squashing the old logs. - */ -- f = fopen(log_control.log_entries[lindex].lfu_fname, "a+"); -+ f = WRITABLEFOPEN(log_control.log_entries[lindex].lfu_fname, "a+"); - if (f) { - log_control.log_entries[lindex].lfu_filep = f; - } else { -diff -ur krb5-1.6.3/src/lib/kdb/kdb_default.c krb5-1.6.3/src/lib/kdb/kdb_default.c ---- krb5-1.6.3/src/lib/kdb/kdb_default.c 2006-10-11 22:39:14.000000000 -0400 -+++ krb5-1.6.3/src/lib/kdb/kdb_default.c 2008-03-06 18:31:18.000000000 -0500 -@@ -161,9 +161,9 @@ - oumask = umask(077); - #endif - #ifdef ANSI_STDIO -- if (!(kf = fopen(keyfile, "wb"))) -+ if (!(kf = WRITABLEFOPEN(keyfile, "wb"))) - #else -- if (!(kf = fopen(keyfile, "w"))) -+ if (!(kf = WRITABLEFOPEN(keyfile, "w"))) - #endif - { - int e = errno; -diff -ur krb5-1.6.3/src/lib/krb4/klog.c krb5-1.6.3/src/lib/krb4/klog.c ---- krb5-1.6.3/src/lib/krb4/klog.c 2006-03-11 17:23:28.000000000 -0500 -+++ krb5-1.6.3/src/lib/krb4/klog.c 2008-03-06 18:48:01.000000000 -0500 -@@ -24,6 +24,7 @@ - * or implied warranty. - */ - -+#include "k5-int.h" - #include "krb.h" - #include "autoconf.h" - #ifdef HAVE_TIME_H -@@ -96,7 +97,7 @@ - if (!logtype_array[type]) - return(logtxt); - -- if ((logfile = fopen(log_name,"a")) == NULL) -+ if ((logfile = WRITABLEFOPEN(log_name,"a")) == NULL) - return(logtxt); - - (void) time(&now); -diff -ur krb5-1.6.3/src/lib/krb4/kparse.c krb5-1.6.3/src/lib/krb4/kparse.c ---- krb5-1.6.3/src/lib/krb4/kparse.c 2006-06-16 02:58:42.000000000 -0400 -+++ krb5-1.6.3/src/lib/krb4/kparse.c 2008-03-06 18:35:18.000000000 -0500 -@@ -583,7 +583,7 @@ - FILE *fp; - - if (--argc) { -- fp = fopen(*++argv,"ra"); -+ fp = WRITABLEOPEN(*++argv,"ra"); - if (fp == (FILE *)NULL) { - fprintf(stderr,"can\'t open \"%s\"\n",*argv); - } -diff -ur krb5-1.6.3/src/lib/krb4/log.c krb5-1.6.3/src/lib/krb4/log.c ---- krb5-1.6.3/src/lib/krb4/log.c 2006-03-11 17:23:28.000000000 -0500 -+++ krb5-1.6.3/src/lib/krb4/log.c 2008-03-06 18:47:49.000000000 -0500 -@@ -30,6 +30,7 @@ - krb_set_logfile, or change all the invokers. */ - #endif - -+#include "k5-int.h" - #include "krb.h" - #include "autoconf.h" - #ifdef HAVE_TIME_H -@@ -79,7 +80,7 @@ - - va_start(args, format); - -- if ((logfile = fopen(log_name,"a")) != NULL) { -+ if ((logfile = WRITABLEFOPEN(log_name,"a")) != NULL) { - (void) time(&now); - tm = localtime(&now); - -diff -ur krb5-1.6.3/src/lib/krb5/keytab/kt_file.c krb5-1.6.3/src/lib/krb5/keytab/kt_file.c ---- krb5-1.6.3/src/lib/krb5/keytab/kt_file.c 2007-08-31 17:38:41.000000000 -0400 -+++ krb5-1.6.3/src/lib/krb5/keytab/kt_file.c 2008-03-06 18:19:56.000000000 -0500 -@@ -1062,7 +1062,7 @@ - - KTCHECKLOCK(id); - errno = 0; -- KTFILEP(id) = fopen(KTFILENAME(id), -+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), - (mode == KRB5_LOCKMODE_EXCLUSIVE) ? - fopen_mode_rbplus : fopen_mode_rb); - if (!KTFILEP(id)) { -@@ -1070,7 +1070,7 @@ - /* try making it first time around */ - krb5_create_secure_file(context, KTFILENAME(id)); - errno = 0; -- KTFILEP(id) = fopen(KTFILENAME(id), fopen_mode_rbplus); -+ KTFILEP(id) = WRITABLEFOPEN(KTFILENAME(id), fopen_mode_rbplus); - if (!KTFILEP(id)) - return errno ? errno : EMFILE; - writevno = 1; -diff -ur krb5-1.6.3/src/plugins/kdb/db2/libdb2/btree/bt_open.c krb5-1.6.3/src/plugins/kdb/db2/libdb2/btree/bt_open.c ---- krb5-1.6.3/src/plugins/kdb/db2/libdb2/btree/bt_open.c 2000-07-02 23:43:42.000000000 -0400 -+++ krb5-1.6.3/src/plugins/kdb/db2/libdb2/btree/bt_open.c 2008-03-06 18:27:37.000000000 -0500 -@@ -58,6 +58,7 @@ - #include - #include - -+#include "k5-int.h" - #include "db-int.h" - #include "btree.h" - -@@ -201,7 +202,7 @@ - goto einval; - } - -- if ((t->bt_fd = open(fname, flags | O_BINARY, mode)) < 0) -+ if ((t->bt_fd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) - goto err; - - } else { -diff -ur krb5-1.6.3/src/plugins/kdb/db2/libdb2/hash/hash.c krb5-1.6.3/src/plugins/kdb/db2/libdb2/hash/hash.c ---- krb5-1.6.3/src/plugins/kdb/db2/libdb2/hash/hash.c 2006-06-14 22:35:44.000000000 -0400 -+++ krb5-1.6.3/src/plugins/kdb/db2/libdb2/hash/hash.c 2008-03-06 18:29:17.000000000 -0500 -@@ -51,6 +51,7 @@ - #include - #endif - -+#include "k5-int.h" - #include "db-int.h" - #include "hash.h" - #include "page.h" -@@ -140,7 +141,7 @@ - new_table = 1; - } - if (file) { -- if ((hashp->fp = open(file, flags|O_BINARY, mode)) == -1) -+ if ((hashp->fp = THREEPARAMOPEN(file, flags|O_BINARY, mode)) == -1) - RETURN_ERROR(errno, error0); - (void)fcntl(hashp->fp, F_SETFD, 1); - } -diff -ur krb5-1.6.3/src/plugins/kdb/db2/libdb2/recno/rec_open.c krb5-1.6.3/src/plugins/kdb/db2/libdb2/recno/rec_open.c ---- krb5-1.6.3/src/plugins/kdb/db2/libdb2/recno/rec_open.c 1998-01-21 11:33:31.000000000 -0500 -+++ krb5-1.6.3/src/plugins/kdb/db2/libdb2/recno/rec_open.c 2008-03-06 18:27:01.000000000 -0500 -@@ -51,6 +51,7 @@ - #include - #include - -+#include "k5-int.h" - #include "db-int.h" - #include "recno.h" - -@@ -68,7 +69,7 @@ - int rfd, sverrno; - - /* Open the user's file -- if this fails, we're done. */ -- if (fname != NULL && (rfd = open(fname, flags | O_BINARY, mode)) < 0) -+ if (fname != NULL && (rfd = THREEPARAMOPEN(fname, flags | O_BINARY, mode)) < 0) - return (NULL); - - /* Create a btree in memory (backed by disk). */ ---- krb5-1.6.3/src/plugins/kdb/db2/kdb_db2.c 2008-07-11 11:10:41.000000000 -0400 -+++ krb5-1.6.3/src/plugins/kdb/db2/kdb_db2.c 2008-07-11 11:10:45.000000000 -0400 -@@ -326,8 +326,8 @@ - * should be opened read/write so that write locking can work with - * POSIX systems - */ -- if ((db_ctx->db_lf_file = open(filename, O_RDWR, 0666)) < 0) { -- if ((db_ctx->db_lf_file = open(filename, O_RDONLY, 0666)) < 0) { -+ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDWR, 0666)) < 0) { -+ if ((db_ctx->db_lf_file = THREEPARAMOPEN(filename, O_RDONLY, 0666)) < 0) { - retval = errno; - goto err_out; - } -diff -ur krb5-1.6.3/src/util/profile/prof_file.c krb5-1.6.3/src/util/profile/prof_file.c ---- krb5-1.6.3/src/util/profile/prof_file.c 2005-10-21 16:03:44.000000000 -0400 -+++ krb5-1.6.3/src/util/profile/prof_file.c 2008-03-06 19:02:44.000000000 -0500 -@@ -29,6 +29,7 @@ - #endif - - #include "k5-platform.h" -+#include "k5-label.h" - - struct global_shared_profile_data { - /* This is the head of the global list of shared trees */ -@@ -419,7 +420,7 @@ - - errno = 0; - -- f = fopen(new_file, "w"); -+ f = WRITABLEFOPEN(new_file, "w"); - if (!f) { - retval = errno; - if (retval == 0) -diff -ur krb5-1.6.3/src/util/support/libkrb5support.exports krb5-1.6.3/src/util/support/libkrb5support.exports ---- krb5-1.6.3/src/util/support/libkrb5support.exports 2006-05-04 14:35:01.000000000 -0400 -+++ krb5-1.6.3/src/util/support/libkrb5support.exports 2008-03-06 17:33:30.000000000 -0500 -@@ -32,3 +32,6 @@ - krb5int_clear_error - krb5int_set_error_info_callout_fn - krb5int_gmt_mktime -+krb5int_labeled_open -+krb5int_labeled_fopen -+krb5int_labeled_creat -diff -ur krb5-1.6.3/src/util/support/Makefile.in krb5-1.6.3/src/util/support/Makefile.in ---- krb5-1.6.3/src/util/support/Makefile.in 2006-10-17 23:15:24.000000000 -0400 -+++ krb5-1.6.3/src/util/support/Makefile.in 2008-03-06 17:33:30.000000000 -0500 -@@ -27,6 +27,7 @@ - - STLIBOBJS= \ - threads.o \ -+ selinux.o \ - init-addrinfo.o \ - plugins.o \ - errors.o \ -@@ -55,7 +56,7 @@ - $(srcdir)/fake-addrinfo.c - SHLIB_EXPDEPS = - # Add -lm if dumping thread stats, for sqrt. --SHLIB_EXPLIBS= $(LIBS) $(DL_LIB) -+SHLIB_EXPLIBS= $(LIBS) $(SELINUX_LIBS) $(DL_LIB) - SHLIB_DIRS= - SHLIB_RDIRS=$(KRB5_LIBDIR) - ---- krb5-1.6.3/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c 2008-03-06 19:20:37.000000000 -0500 -+++ krb5-1.6.3/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c 2008-03-06 19:20:28.000000000 -0500 -@@ -1083,7 +1083,7 @@ - - /* Create a temporary file which contains all the entries except the - entry for the given service dn */ -- pfile = fopen(file_name, "r+"); -+ pfile = WRITABLEFOPEN(file_name, "r+"); - if (pfile == NULL) { - com_err(me, errno, "while deleting entry from file %s", file_name); - goto cleanup; -@@ -1764,7 +1764,7 @@ - - /* TODO: file lock for the service password file */ - /* set password in the file */ -- pfile = fopen(file_name, "r+"); -+ pfile = WRITABLEFOPEN(file_name, "r+"); - if (pfile == NULL) { - com_err(me, errno, "Failed to open file %s", file_name); - goto cleanup; -@@ -1806,7 +1806,7 @@ - sprintf(tmp_file,"%s.%s",file_name,"tmp"); - - omask = umask(077); -- newfile = fopen(tmp_file, "w+"); -+ newfile = WRITABLEFOPEN(tmp_file, "w+"); - umask(omask); - if (newfile == NULL) { - com_err(me, errno, "Error creating file %s", tmp_file); -@@ -2031,7 +2031,7 @@ - - /* set password in the file */ - old_mode = umask(0177); -- pfile = fopen(file_name, "a+"); -+ pfile = WRITABLEFOPEN(file_name, "a+"); - if (pfile == NULL) { - com_err(me, errno, "Failed to open file %s: %s", file_name, - strerror (errno)); -@@ -2082,7 +2082,7 @@ - sprintf(tmp_file,"%s.%s",file_name,"tmp"); - - omask = umask(077); -- newfile = fopen(tmp_file, "w"); -+ newfile = WRITABLEFOPEN(tmp_file, "w"); - umask (omask); - if (newfile == NULL) { - com_err(me, errno, "Error creating file %s", tmp_file); ---- krb5-1.6.3/src/util/support/selinux.c 2007-08-25 03:19:00.000000000 -0400 -+++ krb5-1.6.3/src/util/support/selinux.c 2007-08-24 23:38:39.000000000 -0400 -@@ -0,0 +1,275 @@ -+/* -+ * Copyright 2007,2008 Red Hat, Inc. All Rights Reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions are met: -+ * -+ * Redistributions of source code must retain the above copyright notice, this -+ * list of conditions and the following disclaimer. -+ * -+ * Redistributions in binary form must reproduce the above copyright notice, -+ * this list of conditions and the following disclaimer in the documentation -+ * and/or other materials provided with the distribution. -+ * -+ * Neither the name of Red Hat, Inc. nor the names of its contributors may be -+ * used to endorse or promote products derived from this software without -+ * specific prior written permission. -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE -+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -+ * POSSIBILITY OF SUCH DAMAGE. -+ * -+ * File-opening wrappers for creating correctly-labeled files. So far, we can -+ * assume that this is Linux-specific, so we make many simplifying assumptions. -+ */ -+ -+#include "../../include/autoconf.h" -+ -+#ifdef USE_SELINUX -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+/* #define DEBUG 1 */ -+ -+/* Mutex used to serialize use of the process-global file creation context. */ -+k5_mutex_t labeled_mutex = K5_MUTEX_PARTIAL_INITIALIZER; -+ -+/* Make sure we finish initializing that mutex before attempting to use it. */ -+k5_once_t labeled_once = K5_ONCE_INIT; -+static void -+label_mutex_init(void) -+{ -+ k5_mutex_finish_init(&labeled_mutex); -+} -+ -+static security_context_t -+push_fscreatecon(const char *pathname, mode_t mode) -+{ -+ security_context_t previous, next; -+ const char *fullpath; -+ -+ previous = NULL; -+ if (is_selinux_enabled()) { -+ if (getfscreatecon(&previous) == 0) { -+ char *genpath; -+ genpath = NULL; -+ if (pathname[0] != '/') { -+ char *wd; -+ size_t len; -+ len = 0; -+ wd = getcwd(NULL, len); -+ if (wd == NULL) { -+ if (previous != NULL) { -+ freecon(previous); -+ } -+ return NULL; -+ } -+ len = strlen(wd) + 1 + strlen(pathname) + 1; -+ genpath = malloc(len); -+ if (genpath == NULL) { -+ free(wd); -+ if (previous != NULL) { -+ freecon(previous); -+ } -+ return NULL; -+ } -+ sprintf(genpath, "%s/%s", wd, pathname); -+ free(wd); -+ fullpath = genpath; -+ } else { -+ fullpath = pathname; -+ } -+ next = NULL; -+#ifdef DEBUG -+ if (isatty(fileno(stderr))) { -+ fprintf(stderr, "Looking up context for " -+ "\"%s\"(%05o).\n", fullpath, mode); -+ } -+#endif -+ if (matchpathcon(fullpath, mode, &next) != 0) { -+ free(genpath); -+ if (previous != NULL) { -+ freecon(previous); -+ } -+ return NULL; -+ } -+ free(genpath); -+#ifdef DEBUG -+ if (isatty(fileno(stderr))) { -+ fprintf(stderr, "Setting file creation context " -+ "to \"%s\".\n", next); -+ } -+#endif -+ if (setfscreatecon(next) != 0) { -+ freecon(next); -+ if (previous != NULL) { -+ freecon(previous); -+ } -+ return NULL; -+ } -+ freecon(next); -+#ifdef DEBUG -+ } else { -+ if (isatty(fileno(stderr))) { -+ fprintf(stderr, "Unable to determine " -+ "current context.\n"); -+ } -+#endif -+ } -+ } -+ return previous; -+} -+ -+static void -+pop_fscreatecon(security_context_t previous) -+{ -+ if (is_selinux_enabled()) { -+#ifdef DEBUG -+ if (isatty(fileno(stderr))) { -+ if (previous != NULL) { -+ fprintf(stderr, "Resetting file creation " -+ "context to \"%s\".\n", previous); -+ } else { -+ fprintf(stderr, "Resetting file creation " -+ "context to default.\n"); -+ } -+ } -+#endif -+ setfscreatecon(previous); -+ if (previous != NULL) { -+ freecon(previous); -+ } -+ } -+} -+ -+FILE * -+krb5int_labeled_fopen(const char *path, const char *mode) -+{ -+ FILE *fp; -+ int errno_save; -+ security_context_t ctx; -+ -+ if (strcmp(mode, "r") == 0) { -+ return fopen(path, mode); -+ } -+ -+ k5_once(&labeled_once, label_mutex_init); -+ k5_mutex_lock(&labeled_mutex); -+ ctx = push_fscreatecon(path, 0); -+ fp = fopen(path, mode); -+ errno_save = errno; -+ pop_fscreatecon(ctx); -+ k5_mutex_unlock(&labeled_mutex); -+ -+ errno = errno_save; -+ return fp; -+} -+ -+int -+krb5int_labeled_creat(const char *path, mode_t mode) -+{ -+ int fd; -+ int errno_save; -+ security_context_t ctx; -+ -+ k5_once(&labeled_once, label_mutex_init); -+ k5_mutex_lock(&labeled_mutex); -+ ctx = push_fscreatecon(path, 0); -+ fd = creat(path, mode); -+ errno_save = errno; -+ pop_fscreatecon(ctx); -+ k5_mutex_unlock(&labeled_mutex); -+ -+ errno = errno_save; -+ return fd; -+} -+ -+int -+krb5int_labeled_mknod(const char *path, mode_t mode, dev_t dev) -+{ -+ int ret; -+ int errno_save; -+ security_context_t ctx; -+ -+ k5_once(&labeled_once, label_mutex_init); -+ k5_mutex_lock(&labeled_mutex); -+ ctx = push_fscreatecon(path, mode); -+ ret = mknod(path, mode, dev); -+ errno_save = errno; -+ pop_fscreatecon(ctx); -+ k5_mutex_unlock(&labeled_mutex); -+ -+ errno = errno_save; -+ return ret; -+} -+ -+int -+krb5int_labeled_mkdir(const char *path, mode_t mode) -+{ -+ int ret; -+ int errno_save; -+ security_context_t ctx; -+ -+ k5_once(&labeled_once, label_mutex_init); -+ k5_mutex_lock(&labeled_mutex); -+ ctx = push_fscreatecon(path, S_IFDIR); -+ ret = mkdir(path, mode); -+ errno_save = errno; -+ pop_fscreatecon(ctx); -+ k5_mutex_unlock(&labeled_mutex); -+ -+ errno = errno_save; -+ return ret; -+} -+ -+int -+krb5int_labeled_open(const char *path, int flags, ...) -+{ -+ int fd; -+ int errno_save; -+ security_context_t ctx; -+ mode_t mode; -+ va_list ap; -+ -+ if ((flags & O_CREAT) == 0) { -+ return open(path, flags); -+ } -+ -+ k5_once(&labeled_once, label_mutex_init); -+ k5_mutex_lock(&labeled_mutex); -+ ctx = push_fscreatecon(path, 0); -+ -+ va_start(ap, flags); -+ mode = va_arg(ap, mode_t); -+ fd = open(path, flags, mode); -+ va_end(ap); -+ -+ errno_save = errno; -+ -+ pop_fscreatecon(ctx); -+ k5_mutex_unlock(&labeled_mutex); -+ return fd; -+} -+ -+#endif ---- krb5-1.6.3/src/include/k5-label.h 2007-08-25 03:19:00.000000000 -0400 -+++ krb5-1.6.3/src/include/k5-label.h 2007-08-25 03:00:02.000000000 -0400 -@@ -0,0 +1,27 @@ -+#ifndef _KRB5_LABEL_H -+#define _KRB5_LABEL_H -+ -+#ifdef THREEPARAMOPEN -+#undef THREEPARAMOPEN -+#endif -+ -+/* Wrapper functions which help us create files and directories with the right -+ * context labels. */ -+#ifdef USE_SELINUX -+#include -+#include -+#include -+#include -+#include -+FILE *krb5int_labeled_fopen(const char *path, const char *mode); -+int krb5int_labeled_creat(const char *path, mode_t mode); -+int krb5int_labeled_open(const char *path, int flags, ...); -+int krb5int_labeled_mkdir(const char *path, mode_t mode); -+int krb5int_labeled_mknod(const char *path, mode_t mode, dev_t device); -+#define THREEPARAMOPEN(x,y,z) krb5int_labeled_open(x,y,z) -+#define WRITABLEFOPEN(x,y) krb5int_labeled_fopen(x,y) -+#else -+#define WRITABLEFOPEN(x,y) fopen(x,y) -+#define THREEPARAMOPEN(x,y,z) open(x,y,z) -+#endif -+#endif ---- krb5-1.6.3/src/plugins/kdb/db2/libdb2/test/Makefile.in 2009-02-19 16:10:41.000000000 -0500 -+++ krb5-1.6.3/src/plugins/kdb/db2/libdb2/test/Makefile.in 2009-02-19 16:10:44.000000000 -0500 -@@ -14,7 +14,8 @@ PROG_RPATH=$(KRB5_LIBDIR) - - KRB5_RUN_ENV= @KRB5_RUN_ENV@ - --DB_LIB = -ldb -+DB_LIB = -ldb $(SUPPORT_DEPLIB) -+ - DB_DEPLIB = ../libdb$(DEPLIBEXT) - - all:: diff --git a/krb5-CVE-2007-5901.patch b/krb5-CVE-2007-5901.patch deleted file mode 100644 index 06b5b8f..0000000 --- a/krb5-CVE-2007-5901.patch +++ /dev/null @@ -1,13 +0,0 @@ -Patch for CVE-2007-5901, pulled from SVN per #415321. -diff -up src/lib/gssapi/mechglue/g_initialize.c src/lib/gssapi/mechglue/g_initialize.c ---- src/lib/gssapi/mechglue/g_initialize.c 2008-03-04 16:29:13.000000000 -0500 -+++ src/lib/gssapi/mechglue/g_initialize.c 2008-03-04 16:29:16.000000000 -0500 -@@ -210,7 +210,7 @@ gss_OID_set *mechSet; - free((*mechSet)->elements[j].elements); - } - free((*mechSet)->elements); -- free(mechSet); -+ free(*mechSet); - *mechSet = NULL; - return (GSS_S_FAILURE); - } diff --git a/krb5-CVE-2007-5971.patch b/krb5-CVE-2007-5971.patch deleted file mode 100644 index 234cf41..0000000 --- a/krb5-CVE-2007-5971.patch +++ /dev/null @@ -1,12 +0,0 @@ -Patch for CVE-2007-5971, pulled from SVN per #415351. -diff -up src/lib/gssapi/krb5/k5sealv3.c src/lib/gssapi/krb5/k5sealv3.c ---- src/lib/gssapi/krb5/k5sealv3.c 2008-03-04 16:22:29.000000000 -0500 -+++ src/lib/gssapi/krb5/k5sealv3.c 2008-03-04 16:22:22.000000000 -0500 -@@ -248,7 +248,6 @@ gss_krb5int_make_seal_token_v3 (krb5_con - plain.data = 0; - if (err) { - zap(outbuf,bufsize); -- free(outbuf); - goto error; - } - if (sum.length != ctx->cksum_size) diff --git a/krb5-CVE-2008-0062,0063.patch b/krb5-CVE-2008-0062,0063.patch deleted file mode 100644 index aba0e4a..0000000 --- a/krb5-CVE-2008-0062,0063.patch +++ /dev/null @@ -1,339 +0,0 @@ -Patch from MITKRB5-SA-2008-001. -Index: src/kdc/dispatch.c -=================================================================== ---- src/kdc/dispatch.c (revision 20192) -+++ src/kdc/dispatch.c (working copy) -@@ -1,7 +1,7 @@ - /* - * kdc/dispatch.c - * -- * Copyright 1990 by the Massachusetts Institute of Technology. -+ * Copyright 1990, 2007 by the Massachusetts Institute of Technology. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. -@@ -107,7 +107,7 @@ - retval = KRB5KRB_AP_ERR_MSG_TYPE; - #ifndef NOCACHE - /* put the response into the lookaside buffer */ -- if (!retval) -+ if (!retval && *response != NULL) - kdc_insert_lookaside(pkt, *response); - #endif - -Index: src/kdc/kerberos_v4.c -=================================================================== ---- src/kdc/kerberos_v4.c (revision 20192) -+++ src/kdc/kerberos_v4.c (working copy) -@@ -1,7 +1,7 @@ - /* - * kdc/kerberos_v4.c - * -- * Copyright 1985, 1986, 1987, 1988,1991 by the Massachusetts Institute -+ * Copyright 1985, 1986, 1987, 1988,1991,2007 by the Massachusetts Institute - * of Technology. - * All Rights Reserved. - * -@@ -87,11 +87,6 @@ - #define MSB_FIRST 0 /* 68000, IBM RT/PC */ - #define LSB_FIRST 1 /* Vax, PC8086 */ - --int f; -- --/* XXX several files in libkdb know about this */ --char *progname; -- - #ifndef BACKWARD_COMPAT - static Key_schedule master_key_schedule; - static C_Block master_key; -@@ -143,10 +138,8 @@ - #include "com_err.h" - #include "extern.h" /* to pick up master_princ */ - --static krb5_data *response; -- --void kerberos_v4 (struct sockaddr_in *, KTEXT); --void kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *); -+static krb5_data *kerberos_v4 (struct sockaddr_in *, KTEXT); -+static krb5_data *kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *); - static int set_tgtkey (char *, krb5_kvno, krb5_boolean); - - /* Attributes converted from V5 to V4 - internal representation */ -@@ -262,12 +255,12 @@ - (void) klog(L_KRB_PERR, "V4 request too long."); - return KRB5KRB_ERR_FIELD_TOOLONG; - } -+ memset( &v4_pkt, 0, sizeof(v4_pkt)); - v4_pkt.length = pkt->length; - v4_pkt.mbz = 0; - memcpy( v4_pkt.dat, pkt->data, pkt->length); - -- kerberos_v4( &client_sockaddr, &v4_pkt); -- *resp = response; -+ *resp = kerberos_v4( &client_sockaddr, &v4_pkt); - return(retval); - } - -@@ -300,19 +293,20 @@ - } - - static --int krb4_sendto(int s, const char *msg, int len, int flags, -- const struct sockaddr *to, int to_len) -+krb5_data *make_response(const char *msg, int len) - { -+ krb5_data *response; -+ - if ( !(response = (krb5_data *) malloc( sizeof *response))) { -- return ENOMEM; -+ return 0; - } - if ( !(response->data = (char *) malloc( len))) { - krb5_free_data(kdc_context, response); -- return ENOMEM; -+ return 0; - } - response->length = len; - memcpy( response->data, msg, len); -- return( 0); -+ return response; - } - static void - hang(void) -@@ -586,7 +580,7 @@ - *cp = 0; - } - --void -+static krb5_data * - kerberos_v4(struct sockaddr_in *client, KTEXT pkt) - { - static KTEXT_ST rpkt_st; -@@ -599,8 +593,8 @@ - KTEXT auth = &auth_st; - AUTH_DAT ad_st; - AUTH_DAT *ad = &ad_st; -+ krb5_data *response = 0; - -- - static struct in_addr client_host; - static int msg_byte_order; - static int swap_bytes; -@@ -637,8 +631,7 @@ - inet_ntoa(client_host)); - /* send an error reply */ - req_name_ptr = req_inst_ptr = req_realm_ptr = ""; -- kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); -- return; -+ return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); - } - - /* check packet version */ -@@ -648,8 +641,7 @@ - KRB_PROT_VERSION, req_version, 0); - /* send an error reply */ - req_name_ptr = req_inst_ptr = req_realm_ptr = ""; -- kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); -- return; -+ return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); - } - msg_byte_order = req_msg_type & 1; - -@@ -707,10 +699,10 @@ - - if ((i = check_princ(req_name_ptr, req_inst_ptr, 0, - &a_name_data, &k5key, 0, &ck5life))) { -- kerb_err_reply(client, pkt, i, "check_princ failed"); -+ response = kerb_err_reply(client, pkt, i, "check_princ failed"); - a_name_data.key_low = a_name_data.key_high = 0; - krb5_free_keyblock_contents(kdc_context, &k5key); -- return; -+ return response; - } - /* don't use k5key for client */ - krb5_free_keyblock_contents(kdc_context, &k5key); -@@ -722,11 +714,11 @@ - /* this does all the checking */ - if ((i = check_princ(service, instance, lifetime, - &s_name_data, &k5key, 1, &sk5life))) { -- kerb_err_reply(client, pkt, i, "check_princ failed"); -+ response = kerb_err_reply(client, pkt, i, "check_princ failed"); - a_name_data.key_high = a_name_data.key_low = 0; - s_name_data.key_high = s_name_data.key_low = 0; - krb5_free_keyblock_contents(kdc_context, &k5key); -- return; -+ return response; - } - /* Bound requested lifetime with service and user */ - v4req_end = krb_life_to_time(kerb_time.tv_sec, req_life); -@@ -797,8 +789,7 @@ - rpkt = create_auth_reply(req_name_ptr, req_inst_ptr, - req_realm_ptr, req_time_ws, 0, a_name_data.exp_date, - a_name_data.key_version, ciph); -- krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0, -- (struct sockaddr *) client, sizeof (struct sockaddr_in)); -+ response = make_response((char *) rpkt->dat, rpkt->length); - memset(&a_name_data, 0, sizeof(a_name_data)); - memset(&s_name_data, 0, sizeof(s_name_data)); - break; -@@ -824,9 +815,8 @@ - lt = klog(L_KRB_PERR, - "APPL request with realm length too long from %s", - inet_ntoa(client_host)); -- kerb_err_reply(client, pkt, RD_AP_INCON, -- "realm length too long"); -- return; -+ return kerb_err_reply(client, pkt, RD_AP_INCON, -+ "realm length too long"); - } - - auth->length += (int) *(pkt->dat + auth->length) + -@@ -835,9 +825,8 @@ - lt = klog(L_KRB_PERR, - "APPL request with funky tkt or req_id length from %s", - inet_ntoa(client_host)); -- kerb_err_reply(client, pkt, RD_AP_INCON, -- "funky tkt or req_id length"); -- return; -+ return kerb_err_reply(client, pkt, RD_AP_INCON, -+ "funky tkt or req_id length"); - } - - memcpy(auth->dat, pkt->dat, auth->length); -@@ -848,18 +837,16 @@ - if ((!allow_v4_crossrealm)&&strcmp(tktrlm, local_realm) != 0) { - lt = klog(L_ERR_UNK, - "Cross realm ticket from %s denied by policy,", tktrlm); -- kerb_err_reply(client, pkt, -- KERB_ERR_PRINCIPAL_UNKNOWN, lt); -- return; -+ return kerb_err_reply(client, pkt, -+ KERB_ERR_PRINCIPAL_UNKNOWN, lt); - } - if (set_tgtkey(tktrlm, kvno, 0)) { -- lt = klog(L_ERR_UNK, -+ lt = klog(L_ERR_UNK, - "FAILED set_tgtkey realm %s, kvno %d. Host: %s ", - tktrlm, kvno, inet_ntoa(client_host)); - /* no better error code */ -- kerb_err_reply(client, pkt, -- KERB_ERR_PRINCIPAL_UNKNOWN, lt); -- return; -+ return kerb_err_reply(client, pkt, -+ KERB_ERR_PRINCIPAL_UNKNOWN, lt); - } - kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr, - ad, 0); -@@ -869,9 +856,8 @@ - "FAILED 3des set_tgtkey realm %s, kvno %d. Host: %s ", - tktrlm, kvno, inet_ntoa(client_host)); - /* no better error code */ -- kerb_err_reply(client, pkt, -- KERB_ERR_PRINCIPAL_UNKNOWN, lt); -- return; -+ return kerb_err_reply(client, pkt, -+ KERB_ERR_PRINCIPAL_UNKNOWN, lt); - } - kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr, - ad, 0); -@@ -881,8 +867,7 @@ - klog(L_ERR_UNK, "FAILED krb_rd_req from %s: %s", - inet_ntoa(client_host), krb_get_err_text(kerno)); - req_name_ptr = req_inst_ptr = req_realm_ptr = ""; -- kerb_err_reply(client, pkt, kerno, "krb_rd_req failed"); -- return; -+ return kerb_err_reply(client, pkt, kerno, "krb_rd_req failed"); - } - ptr = (char *) pkt->dat + auth->length; - -@@ -904,22 +889,21 @@ - req_realm_ptr = ad->prealm; - - if (strcmp(ad->prealm, tktrlm)) { -- kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, -- "Can't hop realms"); -- return; -+ return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, -+ "Can't hop realms"); - } - if (!strcmp(service, "changepw")) { -- kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, -- "Can't authorize password changed based on TGT"); -- return; -+ return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, -+ "Can't authorize password changed based on TGT"); - } - kerno = check_princ(service, instance, req_life, - &s_name_data, &k5key, 1, &sk5life); - if (kerno) { -- kerb_err_reply(client, pkt, kerno, "check_princ failed"); -+ response = kerb_err_reply(client, pkt, kerno, -+ "check_princ failed"); - s_name_data.key_high = s_name_data.key_low = 0; - krb5_free_keyblock_contents(kdc_context, &k5key); -- return; -+ return response; - } - /* Bound requested lifetime with service and user */ - v4endtime = krb_life_to_time((KRB4_32)ad->time_sec, ad->life); -@@ -975,8 +959,7 @@ - rpkt = create_auth_reply(ad->pname, ad->pinst, - ad->prealm, time_ws, - 0, 0, 0, ciph); -- krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0, -- (struct sockaddr *) client, sizeof (struct sockaddr_in)); -+ response = make_response((char *) rpkt->dat, rpkt->length); - memset(&s_name_data, 0, sizeof(s_name_data)); - break; - } -@@ -1001,6 +984,7 @@ - break; - } - } -+ return response; - } - - -@@ -1010,7 +994,7 @@ - * client. - */ - --void -+static krb5_data * - kerb_err_reply(struct sockaddr_in *client, KTEXT pkt, long int err, char *string) - { - static KTEXT_ST e_pkt_st; -@@ -1021,9 +1005,7 @@ - strncat(e_msg, string, sizeof(e_msg) - 1 - 19); - cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr, - req_time_ws, err, e_msg); -- krb4_sendto(f, (char *) e_pkt->dat, e_pkt->length, 0, -- (struct sockaddr *) client, sizeof (struct sockaddr_in)); -- -+ return make_response((char *) e_pkt->dat, e_pkt->length); - } - - static int -Index: src/kdc/network.c -=================================================================== ---- src/kdc/network.c (revision 20192) -+++ src/kdc/network.c (working copy) -@@ -1,7 +1,7 @@ - /* - * kdc/network.c - * -- * Copyright 1990,2000 by the Massachusetts Institute of Technology. -+ * Copyright 1990,2000,2007 by the Massachusetts Institute of Technology. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. -@@ -747,6 +747,8 @@ - com_err(prog, retval, "while dispatching (udp)"); - return; - } -+ if (response == NULL) -+ return; - cc = sendto(port_fd, response->data, (socklen_t) response->length, 0, - (struct sockaddr *)&saddr, saddr_len); - if (cc == -1) { - diff --git a/krb5-CVE-2008-0947.patch b/krb5-CVE-2008-0947.patch deleted file mode 100644 index 951f7ce..0000000 --- a/krb5-CVE-2008-0947.patch +++ /dev/null @@ -1,75 +0,0 @@ -Patch from MITKRB5-SA-2008-002. -=== src/lib/rpc/svc.c -================================================================== ---- src/lib/rpc/svc.c (revision 1666) -+++ src/lib/rpc/svc.c (local) -@@ -109,15 +109,17 @@ - if (sock < FD_SETSIZE) { - xports[sock] = xprt; - FD_SET(sock, &svc_fdset); -+ if (sock > svc_maxfd) -+ svc_maxfd = sock; - } - #else - if (sock < NOFILE) { - xports[sock] = xprt; - svc_fds |= (1 << sock); -+ if (sock > svc_maxfd) -+ svc_maxfd = sock; - } - #endif /* def FD_SETSIZE */ -- if (sock > svc_maxfd) -- svc_maxfd = sock; - } - - /* -=== src/lib/rpc/svc_tcp.c -================================================================== ---- src/lib/rpc/svc_tcp.c (revision 1666) -+++ src/lib/rpc/svc_tcp.c (local) -@@ -54,6 +54,14 @@ - extern errno; - */ - -+#ifndef FD_SETSIZE -+#ifdef NBBY -+#define NOFILE (sizeof(int) * NBBY) -+#else -+#define NOFILE (sizeof(int) * 8) -+#endif -+#endif -+ - /* - * Ops vector for TCP/IP based rpc service handle - */ -@@ -215,6 +223,19 @@ - register SVCXPRT *xprt; - register struct tcp_conn *cd; - -+#ifdef FD_SETSIZE -+ if (fd >= FD_SETSIZE) { -+ (void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n"); -+ xprt = NULL; -+ goto done; -+ } -+#else -+ if (fd >= NOFILE) { -+ (void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n"); -+ xprt = NULL; -+ goto done; -+ } -+#endif - xprt = (SVCXPRT *)mem_alloc(sizeof(SVCXPRT)); - if (xprt == (SVCXPRT *)NULL) { - (void) fprintf(stderr, "svc_tcp: makefd_xprt: out of memory\n"); -@@ -271,6 +292,10 @@ - * make a new transporter (re-uses xprt) - */ - xprt = makefd_xprt(sock, r->sendsize, r->recvsize); -+ if (xprt == NULL) { -+ close(sock); -+ return (FALSE); -+ } - xprt->xp_raddr = addr; - xprt->xp_addrlen = len; - xprt->xp_laddr = laddr; diff --git a/krb5-CVE-2009-0844-0845-2.patch b/krb5-CVE-2009-0844-0845-2.patch deleted file mode 100644 index a34658b..0000000 --- a/krb5-CVE-2009-0844-0845-2.patch +++ /dev/null @@ -1,157 +0,0 @@ -diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c -index 832abe6..4384708 100644 ---- a/src/lib/gssapi/spnego/spnego_mech.c -+++ b/src/lib/gssapi/spnego/spnego_mech.c -@@ -54,8 +54,8 @@ typedef const gss_OID_desc *gss_OID_const; - - /* der routines defined in libgss */ - extern unsigned int gssint_der_length_size(OM_uint32); --extern int gssint_get_der_length(unsigned char **, OM_uint32, OM_uint32*); --extern int gssint_put_der_length(OM_uint32, unsigned char **, OM_uint32); -+extern int gssint_get_der_length(unsigned char **, OM_uint32, unsigned int*); -+extern int gssint_put_der_length(OM_uint32, unsigned char **, unsigned int); - - - /* private routines for spnego_mechanism */ -@@ -1249,7 +1249,8 @@ spnego_gss_accept_sec_context(void *ct, - } - cleanup: - if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) { -- tmpret = make_spnego_tokenTarg_msg(negState, sc->internal_mech, -+ tmpret = make_spnego_tokenTarg_msg(negState, -+ sc ? sc->internal_mech : GSS_C_NO_OID, - &mechtok_out, mic_out, - return_token, - output_token); -@@ -1802,22 +1803,16 @@ static gss_buffer_t - get_input_token(unsigned char **buff_in, unsigned int buff_length) - { - gss_buffer_t input_token; -- unsigned int bytes; -+ unsigned int len; - -- if (**buff_in != OCTET_STRING) -+ if (g_get_tag_and_length(buff_in, OCTET_STRING, buff_length, &len) < 0) - return (NULL); - -- (*buff_in)++; - input_token = (gss_buffer_t)malloc(sizeof (gss_buffer_desc)); -- - if (input_token == NULL) - return (NULL); - -- input_token->length = gssint_get_der_length(buff_in, buff_length, &bytes); -- if ((int)input_token->length == -1) { -- free(input_token); -- return (NULL); -- } -+ input_token->length = len; - input_token->value = malloc(input_token->length); - - if (input_token->value == NULL) { -@@ -1869,8 +1864,8 @@ get_mech_set(OM_uint32 *minor_status, unsigned char **buff_in, - { - gss_OID_set returned_mechSet; - OM_uint32 major_status; -- OM_uint32 length; -- OM_uint32 bytes; -+ int length; -+ unsigned int bytes; - OM_uint32 set_length; - unsigned char *start; - int i; -@@ -1882,22 +1877,25 @@ get_mech_set(OM_uint32 *minor_status, unsigned char **buff_in, - (*buff_in)++; - - length = gssint_get_der_length(buff_in, buff_length, &bytes); -+ if (length < 0 || buff_length - bytes < (unsigned int)length) -+ return NULL; - - major_status = gss_create_empty_oid_set(minor_status, - &returned_mechSet); - if (major_status != GSS_S_COMPLETE) - return (NULL); - -- for (set_length = 0, i = 0; set_length < length; i++) { -+ for (set_length = 0, i = 0; set_length < (unsigned int)length; i++) { - gss_OID_desc *temp = get_mech_oid(minor_status, buff_in, - buff_length - (*buff_in - start)); -- if (temp != NULL) { -- major_status = gss_add_oid_set_member(minor_status, -- temp, &returned_mechSet); -- if (major_status == GSS_S_COMPLETE) { -+ if (temp == NULL) -+ break; -+ -+ major_status = gss_add_oid_set_member(minor_status, -+ temp, &returned_mechSet); -+ if (major_status == GSS_S_COMPLETE) { - set_length += returned_mechSet->elements[i].length +2; - generic_gss_release_oid(minor_status, &temp); -- } - } - } - -@@ -2097,7 +2095,7 @@ get_negTokenResp(OM_uint32 *minor_status, - return GSS_S_DEFECTIVE_TOKEN; - if (*ptr++ == SEQUENCE) { - tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); -- if (tmplen < 0) -+ if (tmplen < 0 || REMAIN < (unsigned int)tmplen) - return GSS_S_DEFECTIVE_TOKEN; - } - if (REMAIN < 1) -@@ -2107,7 +2105,7 @@ get_negTokenResp(OM_uint32 *minor_status, - - if (tag == CONTEXT) { - tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); -- if (tmplen < 0) -+ if (tmplen < 0 || REMAIN < (unsigned int)tmplen) - return GSS_S_DEFECTIVE_TOKEN; - - if (g_get_tag_and_length(&ptr, ENUMERATED, -@@ -2128,7 +2126,7 @@ get_negTokenResp(OM_uint32 *minor_status, - } - if (tag == (CONTEXT | 0x01)) { - tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); -- if (tmplen < 0) -+ if (tmplen < 0 || REMAIN < (unsigned int)tmplen) - return GSS_S_DEFECTIVE_TOKEN; - - *supportedMech = get_mech_oid(minor_status, &ptr, REMAIN); -@@ -2142,7 +2140,7 @@ get_negTokenResp(OM_uint32 *minor_status, - } - if (tag == (CONTEXT | 0x02)) { - tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); -- if (tmplen < 0) -+ if (tmplen < 0 || REMAIN < (unsigned int)tmplen) - return GSS_S_DEFECTIVE_TOKEN; - - *responseToken = get_input_token(&ptr, REMAIN); -@@ -2156,7 +2154,7 @@ get_negTokenResp(OM_uint32 *minor_status, - } - if (tag == (CONTEXT | 0x03)) { - tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); -- if (tmplen < 0) -+ if (tmplen < 0 || REMAIN < (unsigned int)tmplen) - return GSS_S_DEFECTIVE_TOKEN; - - *mechListMIC = get_input_token(&ptr, REMAIN); -@@ -2464,6 +2462,8 @@ make_spnego_tokenTarg_msg(OM_uint32 status, gss_OID mech_wanted, - - if (outbuf == GSS_C_NO_BUFFER) - return (GSS_S_DEFECTIVE_TOKEN); -+ if (sendtoken == INIT_TOKEN_SEND && mech_wanted == GSS_C_NO_OID) -+ return (GSS_S_DEFECTIVE_TOKEN); - - outbuf->length = 0; - outbuf->value = NULL; -@@ -2715,7 +2715,7 @@ g_get_tag_and_length(unsigned char **buf, int tag, - &encoded_len); - if (tmplen < 0) { - ret = -1; -- } else if (tmplen > buflen - (ptr - *buf)) { -+ } else if ((unsigned int)tmplen > buflen - (ptr - *buf)) { - ret = -1; - } else - ret = 0; diff --git a/krb5-CVE-2009-0846.patch b/krb5-CVE-2009-0846.patch deleted file mode 100644 index a2dc1fa..0000000 --- a/krb5-CVE-2009-0846.patch +++ /dev/null @@ -1,39 +0,0 @@ -diff --git a/src/lib/krb5/asn.1/asn1_decode.c b/src/lib/krb5/asn.1/asn1_decode.c -index aa4be32..5f7461d 100644 ---- a/src/lib/krb5/asn.1/asn1_decode.c -+++ b/src/lib/krb5/asn.1/asn1_decode.c -@@ -231,6 +231,7 @@ asn1_error_code asn1_decode_generaltime(asn1buf *buf, time_t *val) - - if(length != 15) return ASN1_BAD_LENGTH; - retval = asn1buf_remove_charstring(buf,15,&s); -+ if (retval) return retval; - /* Time encoding: YYYYMMDDhhmmssZ */ - if(s[14] != 'Z') { - free(s); -diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c -index 0ff9343..1c427d1 100644 ---- a/src/tests/asn.1/krb5_decode_test.c -+++ b/src/tests/asn.1/krb5_decode_test.c -@@ -485,6 +485,22 @@ int main(argc, argv) - ktest_destroy_keyblock(&(ref.subkey)); - ref.seq_number = 0; - decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part); -+ -+ retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40"); -+ if (retval) { -+ com_err("krb5_decode_test", retval, "while parsing"); -+ exit(1); -+ } -+ retval = decode_krb5_ap_rep_enc_part(&code, &var); -+ if (retval != ASN1_OVERRUN) { -+ printf("ERROR: "); -+ } else { -+ printf("OK: "); -+ } -+ printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n"); -+ krb5_free_data_contents(test_context, &code); -+ if (var) krb5_free_ap_rep_enc_part(test_context, var); -+ - ktest_empty_ap_rep_enc_part(&ref); - } - diff --git a/krb5-CVE-2009-0847.patch b/krb5-CVE-2009-0847.patch deleted file mode 100644 index 45b3041..0000000 --- a/krb5-CVE-2009-0847.patch +++ /dev/null @@ -1,34 +0,0 @@ -diff --git a/src/lib/krb5/asn.1/asn1buf.c b/src/lib/krb5/asn.1/asn1buf.c -index 8baac24..587cccc 100644 ---- a/src/lib/krb5/asn.1/asn1buf.c -+++ b/src/lib/krb5/asn.1/asn1buf.c -@@ -78,11 +78,11 @@ asn1_error_code asn1buf_wrap_data(asn1buf *buf, const krb5_data *code) - - asn1_error_code asn1buf_imbed(asn1buf *subbuf, const asn1buf *buf, const unsigned int length, const int indef) - { -+ if (buf->next > buf->bound + 1) return ASN1_OVERRUN; - subbuf->base = subbuf->next = buf->next; - if (!indef) { -+ if (length > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN; - subbuf->bound = subbuf->base + length - 1; -- if (subbuf->bound > buf->bound) -- return ASN1_OVERRUN; - } else /* constructed indefinite */ - subbuf->bound = buf->bound; - return 0; -@@ -200,6 +200,7 @@ asn1_error_code asn1buf_remove_octetstring(asn1buf *buf, const unsigned int len, - { - int i; - -+ if (buf->next > buf->bound + 1) return ASN1_OVERRUN; - if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN; - if (len == 0) { - *s = 0; -@@ -218,6 +219,7 @@ asn1_error_code asn1buf_remove_charstring(asn1buf *buf, const unsigned int len, - { - int i; - -+ if (buf->next > buf->bound + 1) return ASN1_OVERRUN; - if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN; - if (len == 0) { - *s = 0; diff --git a/krb5-MITKRB5SA-2005-001.patch b/krb5-MITKRB5SA-2005-001.patch deleted file mode 100644 index cc40c4c..0000000 --- a/krb5-MITKRB5SA-2005-001.patch +++ /dev/null @@ -1,95 +0,0 @@ -Index: telnet.c -=================================================================== -RCS file: /cvs/krbdev/krb5/src/appl/telnet/telnet/telnet.c,v -retrieving revision 5.18 -diff -c -r5.18 telnet.c -*** telnet.c 15 Nov 2002 20:21:35 -0000 5.18 -- --- telnet.c 15 Mar 2005 18:59:32 -0000 -*************** -*** 1475,1480 **** -- --- 1475,1482 ---- - unsigned char flags; - cc_t value; - { -+ if ((slc_replyp - slc_reply) + 6 > sizeof(slc_reply)) -+ return; - if ((*slc_replyp++ = func) == IAC) - *slc_replyp++ = IAC; - if ((*slc_replyp++ = flags) == IAC) -*************** -*** 1488,1498 **** - { - register int len; - -- - *slc_replyp++ = IAC; -- - *slc_replyp++ = SE; - len = slc_replyp - slc_reply; -! if (len <= 6) - return; - if (NETROOM() > len) { - ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply); - printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2); -- --- 1490,1501 ---- - { - register int len; - - len = slc_replyp - slc_reply; -! if (len <= 4 || (len + 2 > sizeof(slc_reply))) - return; -+ *slc_replyp++ = IAC; -+ *slc_replyp++ = SE; -+ len += 2; - if (NETROOM() > len) { - ring_supply_data(&netoring, slc_reply, slc_replyp - slc_reply); - printsub('>', &slc_reply[2], slc_replyp - slc_reply - 2); -*************** -*** 1645,1650 **** -- --- 1648,1654 ---- - register unsigned char *ep; - { - register unsigned char *vp, c; -+ unsigned int len, olen, elen; - - if (opt_reply == NULL) /*XXX*/ - return; /*XXX*/ -*************** -*** 1662,1680 **** - return; - } - vp = env_getvalue(ep); -! if (opt_replyp + (vp ? strlen((char *)vp) : 0) + -! strlen((char *)ep) + 6 > opt_replyend) - { -! register unsigned int len; -! opt_replyend += OPT_REPLY_SIZE; -! len = opt_replyend - opt_reply; - opt_reply = (unsigned char *)realloc(opt_reply, len); - if (opt_reply == NULL) { - /*@*/ printf("env_opt_add: realloc() failed!!!\n"); - opt_reply = opt_replyp = opt_replyend = NULL; - return; - } -! opt_replyp = opt_reply + len - (opt_replyend - opt_replyp); - opt_replyend = opt_reply + len; - } - if (opt_welldefined((char *) ep)) -- --- 1666,1684 ---- - return; - } - vp = env_getvalue(ep); -! elen = 2 * (vp ? strlen((char *)vp) : 0) + -! 2 * strlen((char *)ep) + 6; -! if ((opt_replyend - opt_replyp) < elen) - { -! len = opt_replyend - opt_reply + elen; -! olen = opt_replyp - opt_reply; - opt_reply = (unsigned char *)realloc(opt_reply, len); - if (opt_reply == NULL) { - /*@*/ printf("env_opt_add: realloc() failed!!!\n"); - opt_reply = opt_replyp = opt_replyend = NULL; - return; - } -! opt_replyp = opt_reply + olen; - opt_replyend = opt_reply + len; - } - if (opt_welldefined((char *) ep)) diff --git a/krb5-any-fixup-patch.txt b/krb5-any-fixup-patch.txt deleted file mode 100644 index fe16dc2..0000000 --- a/krb5-any-fixup-patch.txt +++ /dev/null @@ -1,22 +0,0 @@ -Index: kt_srvtab.c -=================================================================== -RCS file: /afs/dev.mit.edu/source/repository/third/krb5/src/lib/krb5/keytab/kt_srvtab.c,v -retrieving revision 1.1.1.1 -retrieving revision 1.2 -diff -u -r1.1.1.1 -r1.2 ---- kt_srvtab.c 27 Feb 2004 04:00:00 -0000 1.1.1.1 -+++ kt_srvtab.c 27 Feb 2004 09:56:29 -0000 1.2 -@@ -117,13 +117,6 @@ - krb5_ktsrvtab_resolve(krb5_context context, const char *name, krb5_keytab *id) - { - krb5_ktsrvtab_data *data; -- FILE *fp; -- -- /* Make sure we can open the srvtab file for reading. */ -- fp = fopen(name, "r"); -- if (!fp) -- return(errno); -- fclose(fp); - - if ((*id = (krb5_keytab) malloc(sizeof(**id))) == NULL) - return(ENOMEM); diff --git a/krb5-ok-as-delegate.patch b/krb5-ok-as-delegate.patch deleted file mode 100644 index ab89521..0000000 --- a/krb5-ok-as-delegate.patch +++ /dev/null @@ -1,152 +0,0 @@ -This appears to be the minimum needed to be able to set the OK-AS-DELEGATE -flag on an entry using kadmin, and to have the flag propagate back to clients -from the KDC. Note: this affects the KDB storage format, so this MUST NOT be -used until it's in upstream's tree. RT#5596. - -Index: doc/admin.texinfo -=================================================================== ---- doc/admin.texinfo (revision 19683) -+++ doc/admin.texinfo (working copy) -@@ -2758,6 +2758,13 @@ - @samp{KRB5_KDB_REQURES_HW_AUTH} flag.) @code{-requires_hwauth} clears - this flag. - -+@itemx @{-|+@}ok_as_delegate -+@code{+ok_as_delegate} sets the OK-AS-DELEGATE flag on tickets issued for use -+with this principal as the service, which clients may use as a hint that -+credentials can and should be delegated when authenticating to the service. -+(Sets the @samp{KRB5_KDB_OK_AS_DELEGATE} flag.) @code{-ok_as_delegate} clears -+this flag. -+ - @itemx @{-|+@}allow_svr - @code{-allow_svr} prohibits the issuance of service tickets for principals. (Sets the @samp{KRB5_KDB_DISALLOW_SVR} flag.) @code{+allow_svr} clears this flag. - -Index: src/include/kdb.h -=================================================================== ---- src/include/kdb.h (revision 19683) -+++ src/include/kdb.h (working copy) -@@ -79,6 +79,7 @@ - #define KRB5_KDB_PWCHANGE_SERVICE 0x00002000 - #define KRB5_KDB_SUPPORT_DESMD5 0x00004000 - #define KRB5_KDB_NEW_PRINC 0x00008000 -+#define KRB5_KDB_OK_AS_DELEGATE 0x00010000 - - /* Creation flags */ - #define KRB5_KDB_CREATE_BTREE 0x00000001 -Index: src/kdc/do_tgs_req.c -=================================================================== ---- src/kdc/do_tgs_req.c (revision 19683) -+++ src/kdc/do_tgs_req.c (working copy) -@@ -533,6 +533,10 @@ - goto cleanup; - } - -+ if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE)) { -+ setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE); -+ } -+ - ticket_reply.enc_part2 = &enc_tkt_reply; - - /* -Index: src/kdc/do_as_req.c -=================================================================== ---- src/kdc/do_as_req.c (revision 19683) -+++ src/kdc/do_as_req.c (working copy) -@@ -257,6 +257,10 @@ - enc_tkt_reply.caddrs = request->addresses; - enc_tkt_reply.authorization_data = 0; - -+ if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE)) { -+ setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE); -+ } -+ - /* - * Check the preauthentication if it is there. - */ -Index: src/kadmin/cli/kadmin.c -=================================================================== ---- src/kadmin/cli/kadmin.c (revision 19683) -+++ src/kadmin/cli/kadmin.c (working copy) -@@ -65,7 +65,8 @@ - {"needchange", 10, KRB5_KDB_REQUIRES_PWCHANGE, 0}, - {"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1}, - {"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 }, --{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 } -+{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 }, -+{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 } - }; - - static char *prflags[] = { -@@ -85,6 +86,7 @@ - "PWCHANGE_SERVICE", /* 0x00002000 */ - "SUPPORT_DESMD5", /* 0x00004000 */ - "NEW_PRINC", /* 0x00008000 */ -+ "OK_AS_DELEGATE" /* 0x00010000 */ - }; - - char *getenv(); -@@ -1101,6 +1103,7 @@ - "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n", - "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n", - "\t\trequires_hwauth needchange allow_svr password_changing_service\n" -+ "\t\tok_as_delegate\n" - "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n" - "\t\t\tLook at each database documentation for supported arguments\n"); - } -@@ -1117,6 +1120,7 @@ - "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n", - "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n", - "\t\trequires_hwauth needchange allow_svr password_changing_service\n" -+ "\t\tok_as_delegate\n" - "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n" - "\t\t\tLook at each database documentation for supported arguments\n" - ); -Index: src/kadmin/cli/kadmin.M -=================================================================== ---- src/kadmin/cli/kadmin.M (revision 19683) -+++ src/kadmin/cli/kadmin.M (working copy) -@@ -327,6 +327,16 @@ - .B -requires_hwauth - clears this flag. - .TP -+{\fB\-\fP|\fB+\fP}\fBok_as_delegate\fP -+.B +ok_as_delegate -+sets the OK-AS-DELEGATE flag on tickets issued for use with this principal -+as the service, which clients may use as a hint that credentials can and -+should be delegated when authenticating to the service. (Sets the -+.SM KRB5_KDB_OK_AS_DELEGATE -+flag.) -+.B -ok_as_delegate -+clears this flag. -+.TP - {\fB\-\fP|\fB+\fP}\fBallow_svr\fP - .B -allow_svr - prohibits the issuance of service tickets for this principal. (Sets the -Index: src/lib/kadm5/str_conv.c -=================================================================== ---- src/lib/kadm5/str_conv.c (revision 19683) -+++ src/lib/kadm5/str_conv.c (working copy) -@@ -73,6 +73,7 @@ - static const char flags_tickets_in[] = "allow-tickets"; - static const char flags_preauth_in[] = "preauth"; - static const char flags_hwauth_in[] = "hwauth"; -+static const char flags_ok_as_delegate_in[] = "ok-as-delegate"; - static const char flags_pwchange_in[] = "pwchange"; - static const char flags_service_in[] = "service"; - static const char flags_pwsvc_in[] = "pwservice"; -@@ -86,6 +87,7 @@ - static const char flags_tickets_out[] = "All Tickets Disallowed"; - static const char flags_preauth_out[] = "Preauthorization required"; - static const char flags_hwauth_out[] = "HW Authorization required"; -+static const char flags_ok_as_delegate_out[] = "OK as Delegate"; - static const char flags_pwchange_out[] = "Password Change required"; - static const char flags_service_out[] = "Service Disabled"; - static const char flags_pwsvc_out[] = "Password Changing Service"; -@@ -109,6 +111,7 @@ - { KRB5_KDB_DISALLOW_ALL_TIX, 0, flags_tickets_in, flags_tickets_out }, - { KRB5_KDB_REQUIRES_PRE_AUTH, 1, flags_preauth_in, flags_preauth_out }, - { KRB5_KDB_REQUIRES_HW_AUTH, 1, flags_hwauth_in, flags_hwauth_out }, -+{ KRB5_KDB_OK_AS_DELEGATE, 1, flags_ok_as_delegate_in, flags_ok_as_delegate_out }, - { KRB5_KDB_REQUIRES_PWCHANGE, 1, flags_pwchange_in, flags_pwchange_out}, - { KRB5_KDB_DISALLOW_SVR, 0, flags_service_in, flags_service_out }, - { KRB5_KDB_PWCHANGE_SERVICE, 1, flags_pwsvc_in, flags_pwsvc_out }, diff --git a/krb5-trunk-close-err.patch b/krb5-trunk-close-err.patch deleted file mode 100644 index 88db110..0000000 --- a/krb5-trunk-close-err.patch +++ /dev/null @@ -1,19 +0,0 @@ -Check for errors returned by close(), which is when we notice out-of-space -errors on NFS. Patch by Tomas Smetana. RT#6399 - -Index: src/appl/bsd/krcp.c -=================================================================== ---- src/appl/bsd/krcp.c (revision 22038) -+++ src/appl/bsd/krcp.c (working copy) -@@ -1115,7 +1115,10 @@ - wrerr++; - if (ftruncate(of, size)) - error("rcp: can't truncate %s: %s\n", nambuf, error_message(errno)); -- (void) close(of); -+ if (close(of) != 0) -+ { -+ error("rcp: error closing %s: %s\n", nambuf, error_message(errno)); -+ } - (void) response(); - if (setimes) { - setimes = 0; diff --git a/krb5-trunk-doublelog.patch b/krb5-trunk-doublelog.patch deleted file mode 100644 index dd60feb..0000000 --- a/krb5-trunk-doublelog.patch +++ /dev/null @@ -1,18 +0,0 @@ -Don't double-log (actually, don't process /etc/krb5.conf twice) just -because we built with --sysconfdir=/etc. RT#3277 - -Index: src/include/Makefile.in -=================================================================== ---- src/include/Makefile.in (revision 20235) -+++ src/include/Makefile.in (working copy) -@@ -61,7 +61,9 @@ - -e "s+@SBINDIR+$(SBINDIR)+" \ - -e "s+@MODULEDIR+$(MODULE_DIR)+" \ - -e 's+@LOCALSTATEDIR+$(LOCALSTATEDIR)+' \ -- -e 's+@SYSCONFDIR+$(SYSCONFDIR)+' -+ -e 's+@SYSCONFDIR+$(SYSCONFDIR)+' \ -+ -e 's+:/etc/krb5.conf:/etc/krb5.conf"+:/etc/krb5.conf"+' \ -+ -e 's+"/etc/krb5.conf:/etc/krb5.conf"+"/etc/krb5.conf"+' - - OSCONFSRC = $(srcdir)/stock/osconf.h - diff --git a/krb5-trunk-ksu-typo.patch b/krb5-trunk-ksu-typo.patch deleted file mode 100644 index 5920a1d..0000000 --- a/krb5-trunk-ksu-typo.patch +++ /dev/null @@ -1,12 +0,0 @@ -Marek Marut, RT #6472. ---- krb5/src/clients/ksu/krb_auth_su.c 2009-04-21 13:34:03.000000000 -0400 -+++ krb5/src/clients/ksu/krb_auth_su.c 2009-04-21 13:34:10.000000000 -0400 -@@ -185,7 +185,7 @@ krb5_boolean krb5_auth_check(context, cl - - if ((retval = krb5_get_cred_from_kdc(context, cc, &in_creds, - &out_creds, &tgts))){ -- com_err(prog_name, retval, "while geting credentials from kdc"); -+ com_err(prog_name, retval, "while getting credentials from kdc"); - return (FALSE); - } - diff --git a/krb5-trunk-preauth-master.patch b/krb5-trunk-preauth-master.patch deleted file mode 100644 index 6f9cb8b..0000000 --- a/krb5-trunk-preauth-master.patch +++ /dev/null @@ -1,48 +0,0 @@ -Assume that KRB5_PREAUTH_FAILED is subject to propagation delay between the -master and replicas (this error is only returned when ENC_TIMESTAMP fails), -and if we get a key-expired error right after changing the password, try -again against the master KDC. RT#6108 - -Index: src/lib/krb5/krb/gic_pwd.c -=================================================================== ---- src/lib/krb5/krb/gic_pwd.c (revision 20704) -+++ src/lib/krb5/krb/gic_pwd.c (working copy) -@@ -147,10 +147,10 @@ - goto cleanup; - - /* If all the kdc's are unavailable, or if the error was due to a -- user interrupt, or preauth errored out, fail */ -+ user interrupt, or preauth errored out against the master, fail */ - - if ((ret == KRB5_KDC_UNREACH) || -- (ret == KRB5_PREAUTH_FAILED) || -+ ((ret == KRB5_PREAUTH_FAILED) && use_master) || - (ret == KRB5_LIBOS_PWDINTR) || - (ret == KRB5_REALM_CANT_RESOLVE)) - goto cleanup; -@@ -320,6 +320,25 @@ - krb5_get_as_key_password, (void *) &pw0, - &use_master, &as_reply); - -+ if ((ret != KRB5KDC_ERR_KEY_EXP) || use_master) -+ goto cleanup; -+ else { -+ /* Okay, we *just* changed the password. Retry against a master KDC, -+ * because either the non-master's using outdated data or the admin -+ * has set an impossibly low maximum password lifetime. */ -+ use_master = 1; -+ ret2 = krb5_get_init_creds(context, creds, client, prompter, data, -+ start_time, in_tkt_service, opte, -+ krb5_get_as_key_password, (void *) &pw0, -+ &use_master, &as_reply); -+ if ((ret2 != KRB5_KDC_UNREACH) && -+ (ret2 != KRB5_REALM_CANT_RESOLVE) && -+ (ret2 != KRB5_REALM_UNKNOWN)) -+ ret = ret2; -+ else -+ use_master = 0; -+ } -+ - cleanup: - krb5int_set_prompt_types(context, 0); - /* if getting the password was successful, then check to see if the diff --git a/krb5-trunk-seqnum.patch b/krb5-trunk-seqnum.patch deleted file mode 100644 index 1feb866..0000000 --- a/krb5-trunk-seqnum.patch +++ /dev/null @@ -1,49 +0,0 @@ -Every KRB-PRIV message we generate to include as part of a password change -request we create (after the first one) will include sequence numbers which -look "wrong" to the recipient, because previously generating other KRB-PRIV -messages will mess with the counters in the auth_context. Because the -current code attempts to reuse auth_context structures (and changing that -would be more invasive), we'll just save the sequence number values as they -are after we build the AP-REQ, and restore them before generating requests. -RT#5867. - -Index: src/lib/krb5/os/changepw.c -=================================================================== ---- src/lib/krb5/os/changepw.c (revision 20195) -+++ src/lib/krb5/os/changepw.c (working copy) -@@ -34,6 +34,7 @@ - #include "k5-int.h" - #include "os-proto.h" - #include "cm.h" -+#include "../krb/auth_con.h" - - #include - #include -@@ -48,6 +49,7 @@ - krb5_principal set_password_for; - char *newpw; - krb5_data ap_req; -+ krb5_ui_4 remote_seq_num, local_seq_num; - }; - - -@@ -159,6 +161,9 @@ - &local_kaddr, NULL))) - goto cleanup; - -+ ctx->auth_context->remote_seq_number = ctx->remote_seq_num; -+ ctx->auth_context->local_seq_number = ctx->local_seq_num; -+ - if (ctx->set_password_for) - code = krb5int_mk_setpw_req(ctx->context, - ctx->auth_context, -@@ -225,6 +230,9 @@ - &callback_ctx.ap_req))) - goto cleanup; - -+ callback_ctx.remote_seq_num = callback_ctx.auth_context->remote_seq_number; -+ callback_ctx.local_seq_num = callback_ctx.auth_context->local_seq_number; -+ - do { - if ((code = krb5_locate_kpasswd(callback_ctx.context, - krb5_princ_realm(callback_ctx.context, diff --git a/krb5-trunk-spnego_delegation.patch b/krb5-trunk-spnego_delegation.patch deleted file mode 100644 index f7d8a66..0000000 --- a/krb5-trunk-spnego_delegation.patch +++ /dev/null @@ -1,44 +0,0 @@ -An spnego credential is itself a union credential, so search through it -when we're looking for credentials of a mechanism which may already have -been wrapped by spnego. RT #5807. - -Index: src/lib/gssapi/mechglue/g_glue.c -=================================================================== ---- src/lib/gssapi/mechglue/g_glue.c (revision 20093) -+++ src/lib/gssapi/mechglue/g_glue.c (working copy) -@@ -33,6 +33,8 @@ - #define MSO_BIT (8*(sizeof (int) - 1)) /* Most significant octet bit */ - - extern gss_mechanism *gssint_mechs_array; -+#define SPNEGO_OID_LENGTH 6 -+#define SPNEGO_OID "\053\006\001\005\005\002" - - /* - * This file contains the support routines for the glue layer. -@@ -548,6 +550,8 @@ - gss_OID mech_type; - { - int i; -+ gss_union_cred_t spnego_cred; -+ gss_cred_id_t mech_cred; - - if (union_cred == GSS_C_NO_CREDENTIAL) - return GSS_C_NO_CREDENTIAL; -@@ -555,6 +559,17 @@ - for (i=0; i < union_cred->count; i++) { - if (g_OID_equal(mech_type, &union_cred->mechs_array[i])) - return union_cred->cred_array[i]; -+ -+ /* if this is an spnego credential, search its contents */ -+ if ((union_cred->mechs_array[i].length == SPNEGO_OID_LENGTH) && -+ (memcmp(union_cred->mechs_array[i].elements, -+ SPNEGO_OID, -+ SPNEGO_OID_LENGTH) == 0)) { -+ spnego_cred = union_cred->cred_array[i]; -+ mech_cred = gssint_get_mechanism_cred(spnego_cred, mech_type); -+ if (mech_cred != GSS_C_NO_CREDENTIAL) -+ return mech_cred; -+ } - } - return GSS_C_NO_CREDENTIAL; - } diff --git a/krb5.spec b/krb5.spec index a9ec366..1b0644c 100644 --- a/krb5.spec +++ b/krb5.spec @@ -10,7 +10,7 @@ Summary: The Kerberos network authentication system Name: krb5 Version: 1.7 -Release: 0%{?dist} +Release: 1%{?dist} # Maybe we should explode from the now-available-to-everybody tarball instead? # http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7-signed.tar Source0: krb5-%{version}.tar.gz @@ -57,17 +57,11 @@ Patch26: krb5-1.3.2-efence.patch Patch27: krb5-1.7-rcp-sendlarge.patch Patch29: krb5-1.7-kprop-mktemp.patch Patch30: krb5-1.3.4-send-pr-tempfile.patch -Patch32: krb5-1.4-ncurses.patch Patch33: krb5-1.7-io.patch -Patch35: krb5-1.5-fclose.patch Patch36: krb5-1.7-rcp-markus.patch Patch39: krb5-1.7-api.patch Patch40: krb5-1.4.1-telnet-environ.patch Patch41: krb5-1.6.3-login-lpass.patch -Patch44: krb5-1.4.3-enospc.patch -Patch47: krb5-1.6-sort-of-static.patch -Patch51: krb5-1.6-ldap-init.patch -Patch52: krb5-1.6-ldap-man.patch Patch53: krb5-1.7-nodeplibs.patch Patch55: krb5-1.6.1-empty.patch Patch56: krb5-1.7-doublelog.patch @@ -77,24 +71,11 @@ Patch59: krb5-trunk-kpasswd_tcp.patch Patch60: krb5-1.7-pam.patch Patch61: krb5-trunk-manpaths.patch Patch63: krb5-1.7-selinux-label.patch -Patch64: krb5-ok-as-delegate.patch -Patch68: krb5-trunk-spnego_delegation.patch -Patch69: krb5-trunk-seqnum.patch Patch70: krb5-trunk-kpasswd_tcp2.patch Patch71: krb5-1.7-dirsrv-accountlock.patch Patch72: krb5-1.6.3-ftp_fdleak.patch Patch73: krb5-1.6.3-ftp_glob_runique.patch -Patch74: krb5-CVE-2008-0062,0063.patch -Patch75: krb5-CVE-2008-0947.patch -Patch76: krb5-CVE-2007-5901.patch -Patch77: krb5-CVE-2007-5971.patch -Patch78: krb5-1.6.3-lucid-acceptor.patch Patch79: krb5-trunk-ftp_mget_case.patch -Patch80: krb5-trunk-preauth-master.patch -Patch82: krb5-CVE-2009-0844-0845-2.patch -Patch83: krb5-CVE-2009-0846.patch -Patch84: krb5-CVE-2009-0847.patch -Patch85: krb5-trunk-ksu-typo.patch Patch86: krb5-1.7-time_t_size.patch License: MIT @@ -224,7 +205,7 @@ to obtain initial credentials from a KDC using a private key and a certificate. %changelog -* Tue Jun 2 2009 Nalin Dahyabhai 1.7-1 +* Thu Jun 4 2009 Nalin Dahyabhai 1.7-1 - update to 1.7 - no need to work around build issues with ASN1BUF_OMIT_INLINE_FUNCS - configure recognizes --enable/--disable-pkinit now @@ -1416,58 +1397,22 @@ popd %patch27 -p1 -b .rcp-sendlarge %patch29 -p1 -b .kprop-mktemp %patch30 -p1 -b .send-pr-tempfile -# Unneeded -# %patch32 -p1 -b .ncurses %patch33 -p1 -b .io -# Upstream -# %patch35 -p1 -b .fclose %patch36 -p1 -b .rcp-markus %patch39 -p1 -b .api %patch40 -p1 -b .telnet-environ %patch41 -p1 -b .login-lpass -# No longer needed -- improved error-reporting should take care of this. -# %patch44 -p1 -b .enospc -# Upstream -# %patch51 -p0 -b .ldap_init -# Upstream -# %patch52 -p0 -b .ldap_man %patch53 -p1 -b .nodeplibs #%patch55 -p1 -b .empty %patch56 -p1 -b .doublelog #%patch57 -p1 -b .login_chdir %patch58 -p1 -b .key_exp %patch59 -p0 -b .kpasswd_tcp -# Upstream, more or less. -# %patch64 -p0 -b .ok-as-delegate -# Upstream, different patch. -# %patch68 -p0 -b .spnego_delegation -# Upstream -# %patch69 -p0 -b .seqnum #%patch70 -p0 -b .kpasswd_tcp2 %patch71 -p1 -b .dirsrv-accountlock %patch72 -p1 -b .ftp_fdleak %patch73 -p1 -b .ftp_glob_runique -# Upstream -# %patch74 -p0 -b .2008-0062,0063 -# Upstream -# %patch75 -p0 -b .2008-0947 -# Upstream -# %patch76 -p0 -b .2007-5901 -# Upstream -# %patch77 -p0 -b .2007-5971 -# Was a backport. -# %patch78 -p0 -b .lucid_acceptor %patch79 -p0 -b .ftp_mget_case -# Upstream -# %patch80 -p0 -b .preauth_master -# Upstream -# %patch82 -p1 -b .CVE-2009-0844-0845-2 -# Upstream -# %patch83 -p1 -b .CVE-2009-0846 -# Upstream -# %patch84 -p1 -b .CVE-2009-0847 -# Upstream -# %patch85 -p1 -b .ksu-typo %patch86 -p1 -b .time_t_size gzip doc/*.ps