author     Nalin Dahyabhai <nalin@fedoraproject.org>  2007-06-27 18:29:01 +0000
committer  Nalin Dahyabhai <nalin@fedoraproject.org>  2007-06-27 18:29:01 +0000
commit     b9bd2b7fb33d60ccad8f56beef9eebd852345cc5
tree       c87d119fdbf84b5e418e5395cf510a8e2ab63f4e
parent     eead7e541d942a138a1a5b2ec9ddf543a90a78d1
download   krb5-b9bd2b7fb33d60ccad8f56beef9eebd852345cc5.tar.gz
           krb5-b9bd2b7fb33d60ccad8f56beef9eebd852345cc5.tar.xz
           krb5-b9bd2b7fb33d60ccad8f56beef9eebd852345cc5.zip
tag        krb5-1_6_1-2_0_1

- preprocess kerberos.ldif into a format FDS will like better, and include
  that as a doc file as well (from 1.6.1-4)
- drop old, incomplete SELinux patch (from 1.6.1-4)
- add patch from Greg Hudson to make srvtab routines report missing-file
  errors at same point that "file" keytab routines do (from 1.6.1-4, #241805)
-rw-r--r--  .cvsignore                               3
-rw-r--r--  krb5-1.3-manpage-paths.patch           125
-rw-r--r--  krb5-1.6-CVE-2007-0956-prelim.patch     88
-rw-r--r--  krb5-1.6-CVE-2007-0957-prelim.patch   1274
-rw-r--r--  krb5-1.6-CVE-2007-1216-prelim.patch     80
-rw-r--r--  krb5-1.6-fix-sendto_kdc-memset.dif      22
-rw-r--r--  krb5-any-fixup-patch.txt                22
-rw-r--r--  krb5.spec                               29
-rw-r--r--  sources                                  9

9 files changed, 50 insertions, 1602 deletions
diff --git a/.cvsignore b/.cvsignore
index 465c84a..5ad5d1a 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -16,3 +16,6 @@ krb5-1.5.tar.gz.asc
krb5-1.6.tar.gz
krb5-1.6.tar.gz.asc
krb5-1.6-pdf.tar.gz
+krb5-1.6.1.tar.gz
+krb5-1.6.1.tar.gz.asc
+krb5-1.6.1-pdf.tar.gz
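Review bot: the new entries ignore krb5-1.6.1.tar.gz.asc next to the tarball, but nothing in this commit shows the detached signature being checked; the `sources` file (changed in this commit, not shown in this hunk) records only checksums, so confirm the 1.6.1 tarball's .asc was verified against the MIT release key before its checksum was recorded, otherwise the .asc is just one more unverified download sitting beside the source. The krb5-1.6 / krb5-1.6-pdf entries kept above this hunk can be retired once the spec no longer references 1.6.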
diff --git a/krb5-1.3-manpage-paths.patch b/krb5-1.3-manpage-paths.patch
deleted file mode 100644
index cef63a9..0000000
--- a/krb5-1.3-manpage-paths.patch
+++ /dev/null
@@ -1,125 +0,0 @@
---- krb5-1.3/src/appl/bsd/klogind.M
-+++ krb5-1.3/src/appl/bsd/klogind.M
-@@ -27,7 +27,7 @@
- the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf
- configuration line for \fIklogind\fP might be:
-
--klogin stream tcp nowait root /usr/cygnus/sbin/klogind klogind -e5c
-+klogin stream tcp nowait root /usr/kerberos/sbin/klogind klogind -e5c
-
- When a service request is received, the following protocol is initiated:
-
---- krb5-1.3/src/appl/bsd/kshd.M
-+++ krb5-1.3/src/appl/bsd/kshd.M
-@@ -8,7 +8,7 @@
- .SH NAME
- kshd \- kerberized remote shell server
- .SH SYNOPSIS
--.B /usr/local/sbin/kshd
-+.B /usr/kerberos/sbin/kshd
- [
- .B \-kr45ec
- ]
-@@ -30,7 +30,7 @@
- on the port indicated in /etc/inetd.conf. A typical /etc/inetd.conf
- configuration line for \fIkrshd\fP might be:
-
--kshell stream tcp nowait root /usr/local/sbin/kshd kshd -5c
-+kshell stream tcp nowait root /usr/kerberos/sbin/kshd kshd -5c
-
- When a service request is received, the following protocol is initiated:
-
---- krb5-1.3/src/appl/sample/sserver/sserver.M
-+++ krb5-1.3/src/appl/sample/sserver/sserver.M
-@@ -59,7 +59,7 @@
- using a line in
- /etc/inetd.conf that looks like this:
- .PP
--sample stream tcp nowait root /usr/local/sbin/sserver sserver
-+sample stream tcp nowait root /usr/kerberos/sbin/sserver sserver
- .PP
- Since \fBsample\fP is normally not a port defined in /etc/services, you will
- usually have to add a line to /etc/services which looks like this:
---- krb5-1.3/src/appl/telnet/telnetd/telnetd.8
-+++ krb5-1.3/src/appl/telnet/telnetd/telnetd.8
-@@ -37,7 +37,7 @@
- .SM DARPA TELNET
- protocol server
- .SH SYNOPSIS
--.B /usr/libexec/telnetd
-+.B /usr/kerberos/sbin/telnetd
- [\fB\-a\fP \fIauthmode\fP] [\fB\-B\fP] [\fB\-D\fP] [\fIdebugmode\fP]
- [\fB\-edebug\fP] [\fB\-h\fP] [\fB\-I\fP\fIinitid\fP] [\fB\-l\fP]
- [\fB\-k\fP] [\fB\-n\fP] [\fB\-r\fP\fIlowpty-highpty\fP] [\fB\-s\fP]
---- krb5-1.3/src/config-files/kdc.conf.M
-+++ krb5-1.3/src/config-files/kdc.conf.M
-@@ -235,7 +235,7 @@
- realm names and the [capaths] section of its krb5.conf file
-
- .SH FILES
--/usr/local/var/krb5kdc/kdc.conf
-+/var/kerberos/krb5kdc/kdc.conf
-
- .SH SEE ALSO
- krb5.conf(5), krb5kdc(8)
---- krb5-1.3/src/kadmin/cli/kadmin.M
-+++ krb5-1.3/src/kadmin/cli/kadmin.M
-@@ -733,9 +733,9 @@
- .RS
- .TP
- EXAMPLE:
--kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin
-+kadmin: ktremove -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin
- Entry for principal kadmin/admin with kvno 3 removed
-- from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
-+ from keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
- kadmin:
- .RE
- .fi
---- krb5-1.3/src/slave/kprop.M
-+++ krb5-1.3/src/slave/kprop.M
-@@ -39,7 +39,7 @@
- This is done by transmitting the dumped database file to the slave
- server over an encrypted, secure channel. The dump file must be created
- by kdb5_util, and is normally KPROP_DEFAULT_FILE
--(/usr/local/var/krb5kdc/slave_datatrans).
-+(/var/kerberos/krb5kdc/slave_datatrans).
- .SH OPTIONS
- .TP
- \fB\-r\fP \fIrealm\fP
-@@ -51,7 +51,7 @@
- \fB\-f\fP \fIfile\fP
- specifies the filename where the dumped principal database file is to be
- found; by default the dumped database file is KPROP_DEFAULT_FILE
--(normally /usr/local/var/krb5kdc/slave_datatrans).
-+(normally /var/kerberos/krb5kdc/slave_datatrans).
- .TP
- \fB\-P\fP \fIport\fP
- specifies the port to use to contact the
---- krb5-1.3/src/slave/kpropd.M
-+++ krb5-1.3/src/slave/kpropd.M
-@@ -69,7 +69,7 @@
- This is done by adding a line to the inetd.conf file which looks like
- this:
-
--kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
-+kprop stream tcp nowait root /usr/kerberos/sbin/kpropd kpropd
-
- However, kpropd can also run as a standalone deamon, if the
- .B \-S
-@@ -87,13 +87,13 @@
- \fB\-f\fP \fIfile\fP
- specifies the filename where the dumped principal database file is to be
- stored; by default the dumped database file is KPROPD_DEFAULT_FILE
--(normally /usr/local/var/krb5kdc/from_master).
-+(normally /var/kerberos/krb5kdc/from_master).
- .TP
- .B \-p
- allows the user to specify the pathname to the
- .IR kdb5_util (8)
- program; by default the pathname used is KPROPD_DEFAULT_KDB5_UTIL
--(normally /usr/local/sbin/kdb5_util).
-+(normally /usr/kerberos/sbin/kdb5_util).
- .TP
- .B \-S
- turn on standalone mode. Normally, kpropd is invoked out of
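Review bot: the commit message does not account for removing krb5-1.3-manpage-paths.patch; it mentions only the SELinux patch. This file rewrote the man pages' /usr/local/sbin, /usr/libexec and /usr/local/var/krb5kdc paths to Fedora's /usr/kerberos/sbin and /var/kerberos/krb5kdc, and in kadmin.M also changed the ktremove example from kadmind.keytab to kadm5.keytab. If krb5.spec had already stopped applying it, say so in the changelog; if it was still applied, the shipped klogind, kshd, sserver, telnetd, kdc.conf, kadmin, kprop and kpropd man pages will now document paths and a keytab name that do not match the installed layout, so either a replacement patch or a note that 1.6.1's man pages no longer need it belongs with this deletion.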
diff --git a/krb5-1.6-CVE-2007-0956-prelim.patch b/krb5-1.6-CVE-2007-0956-prelim.patch
deleted file mode 100644
index 7fd5d62..0000000
--- a/krb5-1.6-CVE-2007-0956-prelim.patch
+++ /dev/null
@@ -1,88 +0,0 @@
-FIXES
-=====
-
-* a future release of MIT krb5 will contain a fix for this
- vulnerability
-
-prior to that release you may:
-
-* disable telnetd
-
-or
-
-* apply the following (preliminary) patch:
-
-*** src/appl/telnet/telnetd/state.c (revision 19480)
---- src/appl/telnet/telnetd/state.c (local)
-***************
-*** 1665,1671 ****
- strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
- strcmp(varp, "NLSPATH") && /* locale stuff */
- strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
-! strcmp(varp, "IFS")) {
- return 1;
- } else {
- syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
---- 1665,1672 ----
- strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
- strcmp(varp, "NLSPATH") && /* locale stuff */
- strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
-! strcmp(varp, "IFS") &&
-! !strchr(varp, '-')) {
- return 1;
- } else {
- syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp);
-*** src/appl/telnet/telnetd/sys_term.c (revision 19480)
---- src/appl/telnet/telnetd/sys_term.c (local)
-***************
-*** 1287,1292 ****
---- 1287,1302 ----
- #endif
- #if defined (AUTHENTICATION)
- if (auth_level >= 0 && autologin == AUTH_VALID) {
-+ if (name[0] == '-') {
-+ /* Authenticated and authorized to log in to an
-+ account starting with '-'? Even if that
-+ unlikely case comes to pass, the current login
-+ program will not parse the resulting command
-+ line properly. */
-+ syslog(LOG_ERR, "user name cannot start with '-'");
-+ fatal(net, "user name cannot start with '-'");
-+ exit(1);
-+ }
- # if !defined(NO_LOGIN_F)
- #if defined(LOGIN_CAP_F)
- argv = addarg(argv, "-F");
-***************
-*** 1377,1387 ****
- } else
- #endif
- if (getenv("USER")) {
-! argv = addarg(argv, getenv("USER"));
- #if defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
- {
- register char **cpp;
- for (cpp = environ; *cpp; cpp++)
- argv = addarg(argv, *cpp);
- }
- #endif
---- 1387,1405 ----
- } else
- #endif
- if (getenv("USER")) {
-! char *user = getenv("USER");
-! if (user[0] == '-') {
-! /* "telnet -l-x ..." */
-! syslog(LOG_ERR, "user name cannot start with '-'");
-! fatal(net, "user name cannot start with '-'");
-! exit(1);
-! }
-! argv = addarg(argv, user);
- #if defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
- {
- register char **cpp;
- for (cpp = environ; *cpp; cpp++)
-+ if ((*cpp)[0] != '-')
- argv = addarg(argv, *cpp);
- }
- #endif
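Review bot: the changelog entry should state why krb5-1.6-CVE-2007-0956-prelim.patch is dropped, because the patch's own header only says "a future release of MIT krb5 will contain a fix", and this commit message never mentions CVE-2007-0956. If 1.6.1 carries the final upstream fix, record that explicitly; otherwise a reader of the package history cannot distinguish a superseded mitigation from a silently dropped one. The prelim patch rejected environment-variable names containing '-' in state.c and user names beginning with '-' on both the AUTHENTICATION path and the getenv("USER") path in sys_term.c (plus filtering '-'-prefixed environ entries passed to login), so the check worth doing before merging is that the 1.6.1 telnetd still refuses "telnet -l-x ..." style user names.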
diff --git a/krb5-1.6-CVE-2007-0957-prelim.patch b/krb5-1.6-CVE-2007-0957-prelim.patch
deleted file mode 100644
index a87f91c..0000000
--- a/krb5-1.6-CVE-2007-0957-prelim.patch
+++ /dev/null
@@ -1,1274 +0,0 @@
-*** src/kadmin/server/kadm_rpc_svc.c (revision 19480)
---- src/kadmin/server/kadm_rpc_svc.c (local)
-***************
-*** 250,255 ****
---- 250,257 ----
- krb5_data *c1, *c2, *realm;
- gss_buffer_desc gss_str;
- kadm5_server_handle_t handle;
-+ size_t slen;
-+ char *sdots;
-
- success = 0;
- handle = (kadm5_server_handle_t)global_server_handle;
-***************
-*** 274,279 ****
---- 276,283 ----
- if (ret == 0)
- goto fail_name;
-
-+ slen = gss_str.length;
-+ trunc_name(&slen, &sdots);
- /*
- * Since we accept with GSS_C_NO_NAME, the client can authenticate
- * against the entire kdb. Therefore, ensure that the service
-***************
-*** 296,303 ****
-
- fail_princ:
- if (!success) {
-! krb5_klog_syslog(LOG_ERR, "bad service principal %.*s",
-! gss_str.length, gss_str.value);
- }
- gss_release_buffer(&min_stat, &gss_str);
- krb5_free_principal(kctx, princ);
---- 300,307 ----
-
- fail_princ:
- if (!success) {
-! krb5_klog_syslog(LOG_ERR, "bad service principal %.*s%s",
-! slen, gss_str.value, sdots);
- }
- gss_release_buffer(&min_stat, &gss_str);
- krb5_free_principal(kctx, princ);
-*** src/kadmin/server/misc.c (revision 19480)
---- src/kadmin/server/misc.c (local)
-***************
-*** 171,173 ****
---- 171,182 ----
-
- return kadm5_free_principal_ent(handle->lhandle, &princ);
- }
-+
-+ #define MAXPRINCLEN 125
-+
-+ void
-+ trunc_name(size_t *len, char **dots)
-+ {
-+ *dots = *len > MAXPRINCLEN ? "..." : "";
-+ *len = *len > MAXPRINCLEN ? MAXPRINCLEN : *len;
-+ }
-*** src/kadmin/server/misc.h (revision 19480)
---- src/kadmin/server/misc.h (local)
-***************
-*** 45,47 ****
---- 45,49 ----
- #ifdef SVC_GETARGS
- void kadm_1(struct svc_req *, SVCXPRT *);
- #endif
-+
-+ void trunc_name(size_t *len, char **dots);
-*** src/kadmin/server/ovsec_kadmd.c (revision 19480)
---- src/kadmin/server/ovsec_kadmd.c (local)
-***************
-*** 992,997 ****
---- 992,999 ----
- rpcproc_t proc;
- int i;
- const char *procname;
-+ size_t clen, slen;
-+ char *cdots, *sdots;
-
- client.length = 0;
- client.value = NULL;
-***************
-*** 1000,1009 ****
-
- (void) gss_display_name(&minor, client_name, &client, &gss_type);
- (void) gss_display_name(&minor, server_name, &server, &gss_type);
-! if (client.value == NULL)
- client.value = "(null)";
-! if (server.value == NULL)
- server.value = "(null)";
- a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr);
-
- proc = msg->rm_call.cb_proc;
---- 1002,1021 ----
-
- (void) gss_display_name(&minor, client_name, &client, &gss_type);
- (void) gss_display_name(&minor, server_name, &server, &gss_type);
-! if (client.value == NULL) {
- client.value = "(null)";
-! clen = sizeof("(null)") -1;
-! } else {
-! clen = client.length;
-! }
-! trunc_name(&clen, &cdots);
-! if (server.value == NULL) {
- server.value = "(null)";
-+ slen = sizeof("(null)") - 1;
-+ } else {
-+ slen = server.length;
-+ }
-+ trunc_name(&slen, &sdots);
- a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr);
-
- proc = msg->rm_call.cb_proc;
-***************
-*** 1016,1029 ****
- }
- if (procname != NULL)
- krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, "
-! "claimed client = %s, server = %s, addr = %s",
-! procname, client.value,
-! server.value, a);
- else
- krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, "
-! "claimed client = %s, server = %s, addr = %s",
-! proc, client.value,
-! server.value, a);
-
- (void) gss_release_buffer(&minor, &client);
- (void) gss_release_buffer(&minor, &server);
---- 1028,1041 ----
- }
- if (procname != NULL)
- krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, "
-! "claimed client = %.*s%s, server = %.*s%s, addr = %s",
-! procname, clen, client.value, cdots,
-! slen, server.value, sdots, a);
- else
- krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, "
-! "claimed client = %.*s%s, server = %.*s%s, addr = %s",
-! proc, clen, client.value, cdots,
-! slen, server.value, sdots, a);
-
- (void) gss_release_buffer(&minor, &client);
- (void) gss_release_buffer(&minor, &server);
-*** src/kadmin/server/schpw.c (revision 19480)
---- src/kadmin/server/schpw.c (local)
-***************
-*** 40,45 ****
---- 40,47 ----
- int numresult;
- char strresult[1024];
- char *clientstr;
-+ size_t clen;
-+ char *cdots;
-
- ret = 0;
- rep->length = 0;
-***************
-*** 258,266 ****
- free(ptr);
- clear.length = 0;
-
-! krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %s: %s",
- inet_ntoa(((struct sockaddr_in *)&remote_addr)->sin_addr),
-! clientstr, ret ? krb5_get_error_message (context, ret) : "success");
- krb5_free_unparsed_name(context, clientstr);
-
- if (ret) {
---- 260,271 ----
- free(ptr);
- clear.length = 0;
-
-! clen = strlen(clientstr);
-! trunc_name(&clen, &cdots);
-! krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %.*s%s: %s",
- inet_ntoa(((struct sockaddr_in *)&remote_addr)->sin_addr),
-! clen, clientstr, cdots,
-! ret ? krb5_get_error_message (context, ret) : "success");
- krb5_free_unparsed_name(context, clientstr);
-
- if (ret) {
-*** src/kadmin/server/server_stubs.c (revision 19480)
---- src/kadmin/server/server_stubs.c (local)
-***************
-*** 14,19 ****
---- 14,20 ----
- #include <arpa/inet.h> /* inet_ntoa */
- #include <adm_proto.h> /* krb5_klog_syslog */
- #include "misc.h"
-+ #include <string.h>
-
- #define LOG_UNAUTH "Unauthorized request: %s, %s, client=%s, service=%s, addr=%s"
- #define LOG_DONE "Request: %s, %s, %s, client=%s, service=%s, addr=%s"
-***************
-*** 237,242 ****
---- 238,298 ----
- return 0;
- }
-
-+ static int
-+ log_unauth(
-+ char *op,
-+ char *target,
-+ gss_buffer_t client,
-+ gss_buffer_t server,
-+ struct svc_req *rqstp)
-+ {
-+ size_t tlen, clen, slen;
-+ char *tdots, *cdots, *sdots;
-+
-+ tlen = strlen(target);
-+ trunc_name(&tlen, &tdots);
-+ clen = client->length;
-+ trunc_name(&clen, &cdots);
-+ slen = server->length;
-+ trunc_name(&slen, &sdots);
-+
-+ return krb5_klog_syslog(LOG_NOTICE,
-+ "Unauthorized request: %s, %.*s%s, "
-+ "client=%.*s%s, service=%.*s%s, addr=%s",
-+ op, tlen, target, tdots,
-+ clen, client->value, cdots,
-+ slen, server->value, sdots,
-+ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
-+ }
-+
-+ static int
-+ log_done(
-+ char *op,
-+ char *target,
-+ char *errmsg,
-+ gss_buffer_t client,
-+ gss_buffer_t server,
-+ struct svc_req *rqstp)
-+ {
-+ size_t tlen, clen, slen;
-+ char *tdots, *cdots, *sdots;
-+
-+ tlen = strlen(target);
-+ trunc_name(&tlen, &tdots);
-+ clen = client->length;
-+ trunc_name(&clen, &cdots);
-+ slen = server->length;
-+ trunc_name(&slen, &sdots);
-+
-+ return krb5_klog_syslog(LOG_NOTICE,
-+ "Request: %s, %.*s%s, %s, "
-+ "client=%.*s%s, service=%.*s%s, addr=%s",
-+ op, tlen, target, tdots, errmsg,
-+ clen, client->value, cdots,
-+ slen, server->value, sdots,
-+ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
-+ }
-+
- generic_ret *
- create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp)
- {
-***************
-*** 275,283 ****
- || kadm5int_acl_impose_restrictions(handle->context,
- &arg->rec, &arg->mask, rp)) {
- ret.code = KADM5_AUTH_ADD;
-! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal",
-! prime_arg, client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- } else {
- ret.code = kadm5_create_principal((void *)handle,
- &arg->rec, arg->mask,
---- 331,338 ----
- || kadm5int_acl_impose_restrictions(handle->context,
- &arg->rec, &arg->mask, rp)) {
- ret.code = KADM5_AUTH_ADD;
-! log_unauth("kadm5_create_principal", prime_arg,
-! &client_name, &service_name, rqstp);
- } else {
- ret.code = kadm5_create_principal((void *)handle,
- &arg->rec, arg->mask,
-***************
-*** 287,296 ****
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal",
-! prime_arg, errmsg,
-! client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
-
- /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
- }
---- 342,349 ----
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! log_done("kadm5_create_principal", prime_arg, errmsg,
-! &client_name, &service_name, rqstp);
-
- /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
- }
-***************
-*** 341,349 ****
- || kadm5int_acl_impose_restrictions(handle->context,
- &arg->rec, &arg->mask, rp)) {
- ret.code = KADM5_AUTH_ADD;
-! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal",
-! prime_arg, client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- } else {
- ret.code = kadm5_create_principal_3((void *)handle,
- &arg->rec, arg->mask,
---- 394,401 ----
- || kadm5int_acl_impose_restrictions(handle->context,
- &arg->rec, &arg->mask, rp)) {
- ret.code = KADM5_AUTH_ADD;
-! log_unauth("kadm5_create_principal", prime_arg,
-! &client_name, &service_name, rqstp);
- } else {
- ret.code = kadm5_create_principal_3((void *)handle,
- &arg->rec, arg->mask,
-***************
-*** 355,364 ****
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal",
-! prime_arg, errmsg,
-! client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
-
- /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
- }
---- 407,414 ----
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! log_done("kadm5_create_principal", prime_arg, errmsg,
-! &client_name, &service_name, rqstp);
-
- /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
- }
-***************
-*** 406,414 ****
- || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE,
- arg->princ, NULL)) {
- ret.code = KADM5_AUTH_DELETE;
-! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_principal",
-! prime_arg, client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- } else {
- ret.code = kadm5_delete_principal((void *)handle, arg->princ);
- if( ret.code == 0 )
---- 456,463 ----
- || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE,
- arg->princ, NULL)) {
- ret.code = KADM5_AUTH_DELETE;
-! log_unauth("kadm5_delete_principal", prime_arg,
-! &client_name, &service_name, rqstp);
- } else {
- ret.code = kadm5_delete_principal((void *)handle, arg->princ);
- if( ret.code == 0 )
-***************
-*** 416,425 ****
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_principal",
-! prime_arg, errmsg,
-! client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
-
- /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
- }
---- 465,472 ----
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! log_done("kadm5_delete_principal", prime_arg, errmsg,
-! &client_name, &service_name, rqstp);
-
- /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
- }
-***************
-*** 469,477 ****
- || kadm5int_acl_impose_restrictions(handle->context,
- &arg->rec, &arg->mask, rp)) {
- ret.code = KADM5_AUTH_MODIFY;
-! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_principal",
-! prime_arg, client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- } else {
- ret.code = kadm5_modify_principal((void *)handle, &arg->rec,
- arg->mask);
---- 516,523 ----
- || kadm5int_acl_impose_restrictions(handle->context,
- &arg->rec, &arg->mask, rp)) {
- ret.code = KADM5_AUTH_MODIFY;
-! log_unauth("kadm5_modify_principal", prime_arg,
-! &client_name, &service_name, rqstp);
- } else {
- ret.code = kadm5_modify_principal((void *)handle, &arg->rec,
- arg->mask);
-***************
-*** 480,489 ****
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_principal",
-! prime_arg, errmsg,
-! client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
-
- /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
- }
---- 526,533 ----
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! log_done("kadm5_modify_principal", prime_arg, errmsg,
-! &client_name, &service_name, rqstp);
-
- /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */
- }
-***************
-*** 546,554 ****
- } else
- ret.code = KADM5_AUTH_INSUFFICIENT;
- if (ret.code != KADM5_OK) {
-! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_rename_principal",
-! prime_arg, client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- } else {
- ret.code = kadm5_rename_principal((void *)handle, arg->src,
- arg->dest);
---- 590,597 ----
- } else
- ret.code = KADM5_AUTH_INSUFFICIENT;
- if (ret.code != KADM5_OK) {
-! log_unauth("kadm5_rename_principal", prime_arg,
-! &client_name, &service_name, rqstp);
- } else {
- ret.code = kadm5_rename_principal((void *)handle, arg->src,
- arg->dest);
-***************
-*** 557,566 ****
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_rename_principal",
-! prime_arg, errmsg,
-! client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- }
- free_server_handle(handle);
- free(prime_arg1);
---- 600,607 ----
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! log_done("kadm5_rename_principal", prime_arg, errmsg,
-! &client_name, &service_name, rqstp);
- }
- free_server_handle(handle);
- free(prime_arg1);
-***************
-*** 614,622 ****
- arg->princ,
- NULL))) {
- ret.code = KADM5_AUTH_GET;
-! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
-! prime_arg, client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- } else {
- if (handle->api_version == KADM5_API_VERSION_1) {
- ret.code = kadm5_get_principal_v1((void *)handle,
---- 655,662 ----
- arg->princ,
- NULL))) {
- ret.code = KADM5_AUTH_GET;
-! log_unauth(funcname, prime_arg,
-! &client_name, &service_name, rqstp);
- } else {
- if (handle->api_version == KADM5_API_VERSION_1) {
- ret.code = kadm5_get_principal_v1((void *)handle,
-***************
-*** 636,646 ****
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
-! prime_arg,
-! errmsg,
-! client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
-
- }
- free_server_handle(handle);
---- 676,683 ----
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! log_done(funcname, prime_arg, errmsg,
-! &client_name, &service_name, rqstp);
-
- }
- free_server_handle(handle);
-***************
-*** 688,696 ****
- NULL,
- NULL)) {
- ret.code = KADM5_AUTH_LIST;
-! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_principals",
-! prime_arg, client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- } else {
- ret.code = kadm5_get_principals((void *)handle,
- arg->exp, &ret.princs,
---- 725,732 ----
- NULL,
- NULL)) {
- ret.code = KADM5_AUTH_LIST;
-! log_unauth("kadm5_get_principals", prime_arg,
-! &client_name, &service_name, rqstp);
- } else {
- ret.code = kadm5_get_principals((void *)handle,
- arg->exp, &ret.princs,
-***************
-*** 700,710 ****
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_principals",
-! prime_arg,
-! errmsg,
-! client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
-
- }
- free_server_handle(handle);
---- 736,743 ----
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! log_done("kadm5_get_principals", prime_arg, errmsg,
-! &client_name, &service_name, rqstp);
-
- }
- free_server_handle(handle);
-***************
-*** 755,763 ****
- ret.code = kadm5_chpass_principal((void *)handle, arg->princ,
- arg->pass);
- } else {
-! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal",
-! prime_arg, client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- ret.code = KADM5_AUTH_CHANGEPW;
- }
-
---- 788,795 ----
- ret.code = kadm5_chpass_principal((void *)handle, arg->princ,
- arg->pass);
- } else {
-! log_unauth("kadm5_chpass_principal", prime_arg,
-! &client_name, &service_name, rqstp);
- ret.code = KADM5_AUTH_CHANGEPW;
- }
-
-***************
-*** 767,776 ****
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal",
-! prime_arg, errmsg,
-! client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- }
-
- free_server_handle(handle);
---- 799,806 ----
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! log_done("kadm5_chpass_principal", prime_arg, errmsg,
-! &client_name, &service_name, rqstp);
- }
-
- free_server_handle(handle);
-***************
-*** 828,836 ****
- arg->ks_tuple,
- arg->pass);
- } else {
-! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal",
-! prime_arg, client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- ret.code = KADM5_AUTH_CHANGEPW;
- }
-
---- 858,865 ----
- arg->ks_tuple,
- arg->pass);
- } else {
-! log_unauth("kadm5_chpass_principal", prime_arg,
-! &client_name, &service_name, rqstp);
- ret.code = KADM5_AUTH_CHANGEPW;
- }
-
-***************
-*** 840,849 ****
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal",
-! prime_arg, errmsg,
-! client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- }
-
- free_server_handle(handle);
---- 869,876 ----
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! log_done("kadm5_chpass_principal", prime_arg, errmsg,
-! &client_name, &service_name, rqstp);
- }
-
- free_server_handle(handle);
-***************
-*** 892,900 ****
- ret.code = kadm5_setv4key_principal((void *)handle, arg->princ,
- arg->keyblock);
- } else {
-! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setv4key_principal",
-! prime_arg, client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- ret.code = KADM5_AUTH_SETKEY;
- }
-
---- 919,926 ----
- ret.code = kadm5_setv4key_principal((void *)handle, arg->princ,
- arg->keyblock);
- } else {
-! log_unauth("kadm5_setv4key_principal", prime_arg,
-! &client_name, &service_name, rqstp);
- ret.code = KADM5_AUTH_SETKEY;
- }
-
-***************
-*** 904,913 ****
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setv4key_principal",
-! prime_arg, errmsg,
-! client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- }
-
- free_server_handle(handle);
---- 930,937 ----
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! log_done("kadm5_setv4key_principal", prime_arg, errmsg,
-! &client_name, &service_name, rqstp);
- }
-
- free_server_handle(handle);
-***************
-*** 956,964 ****
- ret.code = kadm5_setkey_principal((void *)handle, arg->princ,
- arg->keyblocks, arg->n_keys);
- } else {
-! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal",
-! prime_arg, client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- ret.code = KADM5_AUTH_SETKEY;
- }
-
---- 980,987 ----
- ret.code = kadm5_setkey_principal((void *)handle, arg->princ,
- arg->keyblocks, arg->n_keys);
- } else {
-! log_unauth("kadm5_setkey_principal", prime_arg,
-! &client_name, &service_name, rqstp);
- ret.code = KADM5_AUTH_SETKEY;
- }
-
-***************
-*** 968,977 ****
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal",
-! prime_arg, errmsg,
-! client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- }
-
- free_server_handle(handle);
---- 991,998 ----
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! log_done("kadm5_setkey_principal", prime_arg, errmsg,
-! &client_name, &service_name, rqstp);
- }
-
- free_server_handle(handle);
-***************
-*** 1023,1031 ****
- arg->ks_tuple,
- arg->keyblocks, arg->n_keys);
- } else {
-! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal",
-! prime_arg, client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- ret.code = KADM5_AUTH_SETKEY;
- }
-
---- 1044,1051 ----
- arg->ks_tuple,
- arg->keyblocks, arg->n_keys);
- } else {
-! log_unauth("kadm5_setkey_principal", prime_arg,
-! &client_name, &service_name, rqstp);
- ret.code = KADM5_AUTH_SETKEY;
- }
-
-***************
-*** 1035,1044 ****
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal",
-! prime_arg, errmsg,
-! client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- }
-
- free_server_handle(handle);
---- 1055,1062 ----
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! log_done("kadm5_setkey_principal", prime_arg, errmsg,
-! &client_name, &service_name, rqstp);
- }
-
- free_server_handle(handle);
-***************
-*** 1097,1105 ****
- ret.code = kadm5_randkey_principal((void *)handle, arg->princ,
- &k, &nkeys);
- } else {
-! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
-! prime_arg, client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- ret.code = KADM5_AUTH_CHANGEPW;
- }
-
---- 1115,1122 ----
- ret.code = kadm5_randkey_principal((void *)handle, arg->princ,
- &k, &nkeys);
- } else {
-! log_unauth(funcname, prime_arg,
-! &client_name, &service_name, rqstp);
- ret.code = KADM5_AUTH_CHANGEPW;
- }
-
-***************
-*** 1119,1128 ****
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
-! prime_arg, errmsg,
-! client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- }
- free_server_handle(handle);
- free(prime_arg);
---- 1136,1143 ----
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! log_done(funcname, prime_arg, errmsg,
-! &client_name, &service_name, rqstp);
- }
- free_server_handle(handle);
- free(prime_arg);
-***************
-*** 1185,1193 ****
- arg->ks_tuple,
- &k, &nkeys);
- } else {
-! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
-! prime_arg, client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- ret.code = KADM5_AUTH_CHANGEPW;
- }
-
---- 1200,1207 ----
- arg->ks_tuple,
- &k, &nkeys);
- } else {
-! log_unauth(funcname, prime_arg,
-! &client_name, &service_name, rqstp);
- ret.code = KADM5_AUTH_CHANGEPW;
- }
-
-***************
-*** 1207,1216 ****
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
-! prime_arg, errmsg,
-! client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- }
- free_server_handle(handle);
- free(prime_arg);
---- 1221,1228 ----
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! log_done(funcname, prime_arg, errmsg,
-! &client_name, &service_name, rqstp);
- }
- free_server_handle(handle);
- free(prime_arg);
-***************
-*** 1253,1262 ****
- rqst2name(rqstp),
- ACL_ADD, NULL, NULL)) {
- ret.code = KADM5_AUTH_ADD;
-! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_policy",
-! prime_arg, client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
-!
- } else {
- ret.code = kadm5_create_policy((void *)handle, &arg->rec,
- arg->mask);
---- 1265,1273 ----
- rqst2name(rqstp),
- ACL_ADD, NULL, NULL)) {
- ret.code = KADM5_AUTH_ADD;
-! log_unauth("kadm5_create_policy", prime_arg,
-! &client_name, &service_name, rqstp);
-!
- } else {
- ret.code = kadm5_create_policy((void *)handle, &arg->rec,
- arg->mask);
-***************
-*** 1265,1275 ****
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_policy",
-! ((prime_arg == NULL) ? "(null)" : prime_arg),
-! errmsg,
-! client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- }
- free_server_handle(handle);
- gss_release_buffer(&minor_stat, &client_name);
---- 1276,1284 ----
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! log_done("kadm5_create_policy",
-! ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,
-! &client_name, &service_name, rqstp);
- }
- free_server_handle(handle);
- gss_release_buffer(&minor_stat, &client_name);
-***************
-*** 1310,1318 ****
- if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
- rqst2name(rqstp),
- ACL_DELETE, NULL, NULL)) {
-! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_policy",
-! prime_arg, client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- ret.code = KADM5_AUTH_DELETE;
- } else {
- ret.code = kadm5_delete_policy((void *)handle, arg->name);
---- 1319,1326 ----
- if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
- rqst2name(rqstp),
- ACL_DELETE, NULL, NULL)) {
-! log_unauth("kadm5_delete_policy", prime_arg,
-! &client_name, &service_name, rqstp);
- ret.code = KADM5_AUTH_DELETE;
- } else {
- ret.code = kadm5_delete_policy((void *)handle, arg->name);
-***************
-*** 1321,1331 ****
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_policy",
-! ((prime_arg == NULL) ? "(null)" : prime_arg),
-! errmsg,
-! client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- }
- free_server_handle(handle);
- gss_release_buffer(&minor_stat, &client_name);
---- 1329,1337 ----
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! log_done("kadm5_delete_policy",
-! ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,
-! &client_name, &service_name, rqstp);
- }
- free_server_handle(handle);
- gss_release_buffer(&minor_stat, &client_name);
-***************
-*** 1366,1374 ****
- if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
- rqst2name(rqstp),
- ACL_MODIFY, NULL, NULL)) {
-! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_policy",
-! prime_arg, client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- ret.code = KADM5_AUTH_MODIFY;
- } else {
- ret.code = kadm5_modify_policy((void *)handle, &arg->rec,
---- 1372,1379 ----
- if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context,
- rqst2name(rqstp),
- ACL_MODIFY, NULL, NULL)) {
-! log_unauth("kadm5_modify_policy", prime_arg,
-! &client_name, &service_name, rqstp);
- ret.code = KADM5_AUTH_MODIFY;
- } else {
- ret.code = kadm5_modify_policy((void *)handle, &arg->rec,
-***************
-*** 1378,1388 ****
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_policy",
-! ((prime_arg == NULL) ? "(null)" : prime_arg),
-! errmsg,
-! client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- }
- free_server_handle(handle);
- gss_release_buffer(&minor_stat, &client_name);
---- 1383,1391 ----
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! log_done("kadm5_modify_policy",
-! ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,
-! &client_name, &service_name, rqstp);
- }
- free_server_handle(handle);
- gss_release_buffer(&minor_stat, &client_name);
-***************
-*** 1464,1478 ****
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname,
-! ((prime_arg == NULL) ? "(null)" : prime_arg),
-! errmsg,
-! client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- } else {
-! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
-! prime_arg, client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- }
- free_server_handle(handle);
- gss_release_buffer(&minor_stat, &client_name);
---- 1467,1478 ----
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! log_done(funcname,
-! ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg,
-! &client_name, &service_name, rqstp);
- } else {
-! log_unauth(funcname, prime_arg,
-! &client_name, &service_name, rqstp);
- }
- free_server_handle(handle);
- gss_release_buffer(&minor_stat, &client_name);
-***************
-*** 1517,1525 ****
- rqst2name(rqstp),
- ACL_LIST, NULL, NULL)) {
- ret.code = KADM5_AUTH_LIST;
-! krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_policies",
-! prime_arg, client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- } else {
- ret.code = kadm5_get_policies((void *)handle,
- arg->exp, &ret.pols,
---- 1517,1524 ----
- rqst2name(rqstp),
- ACL_LIST, NULL, NULL)) {
- ret.code = KADM5_AUTH_LIST;
-! log_unauth("kadm5_get_policies", prime_arg,
-! &client_name, &service_name, rqstp);
- } else {
- ret.code = kadm5_get_policies((void *)handle,
- arg->exp, &ret.pols,
-***************
-*** 1529,1539 ****
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_policies",
-! prime_arg,
-! errmsg,
-! client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
- }
- free_server_handle(handle);
- gss_release_buffer(&minor_stat, &client_name);
---- 1528,1535 ----
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! log_done("kadm5_get_policies", prime_arg, errmsg,
-! &client_name, &service_name, rqstp);
- }
- free_server_handle(handle);
- gss_release_buffer(&minor_stat, &client_name);
-***************
-*** 1573,1583 ****
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_privs",
-! client_name.value,
-! errmsg,
-! client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
-
- free_server_handle(handle);
- gss_release_buffer(&minor_stat, &client_name);
---- 1569,1576 ----
- else
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-
-! log_done("kadm5_get_privs", client_name.value, errmsg,
-! &client_name, &service_name, rqstp);
-
- free_server_handle(handle);
- gss_release_buffer(&minor_stat, &client_name);
-***************
-*** 1594,1599 ****
---- 1587,1594 ----
- kadm5_server_handle_t handle;
- OM_uint32 minor_stat;
- char *errmsg = 0;
-+ size_t clen, slen;
-+ char *cdots, *sdots;
-
- xdr_free(xdr_generic_ret, &ret);
-
-***************
-*** 1612,1625 ****
-
- if (ret.code != 0)
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-! krb5_klog_syslog(LOG_NOTICE, LOG_DONE ", flavor=%d",
-! (ret.api_version == KADM5_API_VERSION_1 ?
-! "kadm5_init (V1)" : "kadm5_init"),
-! client_name.value,
-! (ret.code == 0) ? "success" : errmsg,
-! client_name.value, service_name.value,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr),
-! rqstp->rq_cred.oa_flavor);
- gss_release_buffer(&minor_stat, &client_name);
- gss_release_buffer(&minor_stat, &service_name);
-
---- 1607,1628 ----
-
- if (ret.code != 0)
- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
-! else
-! errmsg = "success";
-!
-! clen = client_name.length;
-! trunc_name(&clen, &cdots);
-! slen = service_name.length;
-! trunc_name(&slen, &sdots);
-! krb5_klog_syslog(LOG_NOTICE, "Request: %s, %.*s%s, %s, "
-! "client=%.*s%s, service=%.*s%s, addr=%s, flavor=%d",
-! (ret.api_version == KADM5_API_VERSION_1 ?
-! "kadm5_init (V1)" : "kadm5_init"),
-! clen, client_name.value, cdots, errmsg,
-! clen, client_name.value, cdots,
-! slen, service_name.value, sdots,
-! inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr),
-! rqstp->rq_cred.oa_flavor);
- gss_release_buffer(&minor_stat, &client_name);
- gss_release_buffer(&minor_stat, &service_name);
-
-*** src/kdc/do_tgs_req.c (revision 19480)
---- src/kdc/do_tgs_req.c (local)
-***************
-*** 489,516 ****
- newtransited = 1;
- }
- if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
- errcode = krb5_check_transited_list (kdc_context,
- &enc_tkt_reply.transited.tr_contents,
- krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),
- krb5_princ_realm (kdc_context, request->server));
- if (errcode == 0) {
- setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
- } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
- krb5_klog_syslog (LOG_INFO,
-! "bad realm transit path from '%s' to '%s' via '%.*s'",
- cname ? cname : "<unknown client>",
- sname ? sname : "<unknown server>",
-! enc_tkt_reply.transited.tr_contents.length,
-! enc_tkt_reply.transited.tr_contents.data);
- else {
- const char *emsg = krb5_get_error_message(kdc_context, errcode);
- krb5_klog_syslog (LOG_ERR,
-! "unexpected error checking transit from '%s' to '%s' via '%.*s': %s",
- cname ? cname : "<unknown client>",
- sname ? sname : "<unknown server>",
-! enc_tkt_reply.transited.tr_contents.length,
- enc_tkt_reply.transited.tr_contents.data,
-! emsg);
- krb5_free_error_message(kdc_context, emsg);
- }
- } else
---- 489,526 ----
- newtransited = 1;
- }
- if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
-+ unsigned int tlen;
-+ char *tdots;
-+
- errcode = krb5_check_transited_list (kdc_context,
- &enc_tkt_reply.transited.tr_contents,
- krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),
- krb5_princ_realm (kdc_context, request->server));
-+ tlen = enc_tkt_reply.transited.tr_contents.length;
-+ tdots = tlen > 125 ? "..." : "";
-+ tlen = tlen > 125 ? 125 : tlen;
-+
- if (errcode == 0) {
- setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
- } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
- krb5_klog_syslog (LOG_INFO,
-! "bad realm transit path from '%s' to '%s' "
-! "via '%.*s%s'",
- cname ? cname : "<unknown client>",
- sname ? sname : "<unknown server>",
-! tlen,
-! enc_tkt_reply.transited.tr_contents.data,
-! tdots);
- else {
- const char *emsg = krb5_get_error_message(kdc_context, errcode);
- krb5_klog_syslog (LOG_ERR,
-! "unexpected error checking transit from "
-! "'%s' to '%s' via '%.*s%s': %s",
- cname ? cname : "<unknown client>",
- sname ? sname : "<unknown server>",
-! tlen,
- enc_tkt_reply.transited.tr_contents.data,
-! tdots, emsg);
- krb5_free_error_message(kdc_context, emsg);
- }
- } else
-***************
-*** 542,547 ****
---- 552,560 ----
- if (!krb5_principal_compare(kdc_context, request->server, client2)) {
- if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))
- tmp = 0;
-+ if (tmp != NULL)
-+ limit_string(tmp);
-+
- krb5_klog_syslog(LOG_INFO,
- "TGS_REQ %s: 2ND_TKT_MISMATCH: "
- "authtime %d, %s for %s, 2nd tkt client %s",
-***************
-*** 816,821 ****
---- 829,835 ----
- krb5_klog_syslog(LOG_INFO,
- "TGS_REQ: issuing alternate <un-unparseable> TGT");
- } else {
-+ limit_string(sname);
- krb5_klog_syslog(LOG_INFO,
- "TGS_REQ: issuing TGT %s", sname);
- free(sname);
-*** src/kdc/kdc_util.c (revision 19480)
---- src/kdc/kdc_util.c (local)
-***************
-*** 404,409 ****
---- 404,410 ----
-
- krb5_db_free_principal(kdc_context, &server, nprincs);
- if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) {
-+ limit_string(sname);
- krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'",
- sname);
- free(sname);
-*** src/lib/kadm5/logger.c (revision 19480)
---- src/lib/kadm5/logger.c (local)
-***************
-*** 45,51 ****
- #include <varargs.h>
- #endif /* HAVE_STDARG_H */
-
-! #define KRB5_KLOG_MAX_ERRMSG_SIZE 1024
- #ifndef MAXHOSTNAMELEN
- #define MAXHOSTNAMELEN 256
- #endif /* MAXHOSTNAMELEN */
---- 45,51 ----
- #include <varargs.h>
- #endif /* HAVE_STDARG_H */
-
-! #define KRB5_KLOG_MAX_ERRMSG_SIZE 2048
- #ifndef MAXHOSTNAMELEN
- #define MAXHOSTNAMELEN 256
- #endif /* MAXHOSTNAMELEN */
-***************
-*** 261,267 ****
- #endif /* HAVE_SYSLOG */
-
- /* Now format the actual message */
-! #if HAVE_VSPRINTF
- vsprintf(cp, actual_format, ap);
- #else /* HAVE_VSPRINTF */
- sprintf(cp, actual_format, ((int *) ap)[0], ((int *) ap)[1],
---- 261,269 ----
- #endif /* HAVE_SYSLOG */
-
- /* Now format the actual message */
-! #if HAVE_VSNPRINTF
-! vsnprintf(cp, sizeof(outbuf) - (cp - outbuf), actual_format, ap);
-! #elif HAVE_VSPRINTF
- vsprintf(cp, actual_format, ap);
- #else /* HAVE_VSPRINTF */
- sprintf(cp, actual_format, ((int *) ap)[0], ((int *) ap)[1],
-***************
-*** 850,856 ****
- syslogp = &outbuf[strlen(outbuf)];
-
- /* Now format the actual message */
-! #ifdef HAVE_VSPRINTF
- vsprintf(syslogp, format, arglist);
- #else /* HAVE_VSPRINTF */
- sprintf(syslogp, format, ((int *) arglist)[0], ((int *) arglist)[1],
---- 852,860 ----
- syslogp = &outbuf[strlen(outbuf)];
-
- /* Now format the actual message */
-! #ifdef HAVE_VSNPRINTF
-! vsnprintf(syslogp, sizeof(outbuf) - (syslogp - outbuf), format, arglist);
-! #elif HAVE_VSPRINTF
- vsprintf(syslogp, format, arglist);
- #else /* HAVE_VSPRINTF */
- sprintf(syslogp, format, ((int *) arglist)[0], ((int *) arglist)[1],
-
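Review bot: Deleting this preliminary kadmind/KDC logging patch (CVE-2007-0957: the unbounded vsprintf() into outbuf in src/lib/kadm5/logger.c replaced by vsnprintf() bounded to sizeof(outbuf), plus the truncated client/service/transited strings in the log lines) is not recorded in the %changelog entry this commit adds, which lists only the SELinux patch drop and the srvtab patch. If the fix is now carried by the krb5-1.6.1 tarball that sources switches to, say so in the changelog so the security-fix lineage is auditable from the spec alone; if it is not, the unbounded vsprintf() this patch removed comes back.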
diff --git a/krb5-1.6-CVE-2007-1216-prelim.patch b/krb5-1.6-CVE-2007-1216-prelim.patch
deleted file mode 100644
index 855faf9..0000000
--- a/krb5-1.6-CVE-2007-1216-prelim.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-*** src/lib/gssapi/krb5/k5unseal.c (revision 19510)
---- src/lib/gssapi/krb5/k5unseal.c (revision 19511)
-***************
-*** 457,464 ****
-
- if ((ctx->initiate && direction != 0xff) ||
- (!ctx->initiate && direction != 0)) {
-! if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = G_BAD_DIRECTION;
- return(GSS_S_BAD_SIG);
- }
---- 457,467 ----
-
- if ((ctx->initiate && direction != 0xff) ||
- (!ctx->initiate && direction != 0)) {
-! if (toktype == KG_TOK_SEAL_MSG) {
- xfree(token.value);
-+ message_buffer->value = NULL;
-+ message_buffer->length = 0;
-+ }
- *minor_status = G_BAD_DIRECTION;
- return(GSS_S_BAD_SIG);
- }
-
-REFERENCES
-==========
-
-This announcement is posted at:
-
- http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-003.txt
-
-This announcement and related security advisories may be found on the
-MIT Kerberos security advisory page at:
-
- http://web.mit.edu/kerberos/advisories/index.html
-
-The main MIT Kerberos web page is at:
-
- http://web.mit.edu/kerberos/index.html
-
-CVE: CVE-2007-1216
-http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1216
-
-ACKNOWLEDGMENTS
-===============
-
-This bug was found while exercising the GSS-API library using the
-GSSTEST test program provided by SAP AG.
-
-DETAILS
-=======
-
-The kg_unseal_v1() function in src/lib/gssapi/krb5/k5unseal.c frees
-memory allocated for the "message_buffer" gss_buffer_t when it detects
-an invalid direction encoding on the message. It does not set the
-pointer to NULL, nor does it set the length to zero. An application
-subsequently calling gss_release_buffer() on this gss_buffer_t will
-cause memory to be freed twice.
-
-Much code provided with MIT krb5 does not attempt to call
-gss_release_buffer() when gss_unseal() or gss_unwrap() fails, even
-though the GSS-API C-bindings specification permits it to do so. The
-RPCSEC_GSS authentication flavor for the RPC library, introduced in
-krb5-1.4, does call gss_release_buffer() when gss_unwrap() fails.
-This allows an authenticated attacker to trigger a double-free
-situation.
-
-Third-party applications calling the RPC library provided with MIT
-krb5 and using the RPCSEC_GSS authentication flavor are vulnerable.
-Third-party applications calling the MIT GSS-API library are
-vulnerable if they call gss_release_buffer() when they experience
-errors from gss_unseal() or gss_unwrap().
-
-REVISION HISTORY
-================
-
-2007-mm-dd original release
-
-Copyright (C) 2007 Massachusetts Institute of Technology
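Review bot: Same gap as for the other dropped CVE prelim patch: nothing in the new %changelog entry says why this CVE-2007-1216 fix (setting message_buffer->value to NULL and length to 0 after xfree() in kg_unseal_v1(), so a later gss_release_buffer() cannot free the buffer twice) is removed. Before dropping it, confirm that k5unseal.c in the 1.6.1 tarball carries the equivalent change; the advisory text in this file still reads "2007-mm-dd original release", so it was only ever a preliminary copy and the final upstream form may differ.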
diff --git a/krb5-1.6-fix-sendto_kdc-memset.dif b/krb5-1.6-fix-sendto_kdc-memset.dif
deleted file mode 100644
index 0a60017..0000000
--- a/krb5-1.6-fix-sendto_kdc-memset.dif
+++ /dev/null
@@ -1,22 +0,0 @@
-Michael Calmer's fix for a crash bug, RT #5394.
-
---- src/lib/krb5/os/sendto_kdc.c
-+++ src/lib/krb5/os/sendto_kdc.c 2007/01/17 14:17:10
-@@ -1100,7 +1100,7 @@
- struct sockaddr *remoteaddr, socklen_t *remoteaddrlen,
- int *addr_used)
- {
-- int i, pass;
-+ int i = 0, pass;
- int delay_this_pass = 2;
- krb5_error_code retval;
- struct conn_state *conns;
-@@ -1135,7 +1135,7 @@
- return ENOMEM;
- }
-
-- memset(conns, 0, n_conns * sizeof(callback_data[i]));
-+ memset(callback_data, 0, n_conns * sizeof(callback_data[i]));
- }
-
- for (i = 0; i < n_conns; i++) {
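Review bot: The patch removed here fixes a real crash (memset() zeroing conns using the element size of callback_data instead of clearing callback_data itself, RT #5394), and unlike the CVE patches it is not mentioned in the commit's changelog entry at all. Verify that src/lib/krb5/os/sendto_kdc.c in the 1.6.1 tarball clears callback_data rather than conns before relying on the upstream release for this fix, and record the reason for the drop in %changelog.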
diff --git a/krb5-any-fixup-patch.txt b/krb5-any-fixup-patch.txt
new file mode 100644
index 0000000..fe16dc2
--- /dev/null
+++ b/krb5-any-fixup-patch.txt
@@ -0,0 +1,22 @@
+Index: kt_srvtab.c
+===================================================================
+RCS file: /afs/dev.mit.edu/source/repository/third/krb5/src/lib/krb5/keytab/kt_srvtab.c,v
+retrieving revision 1.1.1.1
+retrieving revision 1.2
+diff -u -r1.1.1.1 -r1.2
+--- kt_srvtab.c 27 Feb 2004 04:00:00 -0000 1.1.1.1
++++ kt_srvtab.c 27 Feb 2004 09:56:29 -0000 1.2
+@@ -117,13 +117,6 @@
+ krb5_ktsrvtab_resolve(krb5_context context, const char *name, krb5_keytab *id)
+ {
+ krb5_ktsrvtab_data *data;
+- FILE *fp;
+-
+- /* Make sure we can open the srvtab file for reading. */
+- fp = fopen(name, "r");
+- if (!fp)
+- return(errno);
+- fclose(fp);
+
+ if ((*id = (krb5_keytab) malloc(sizeof(**id))) == NULL)
+ return(ENOMEM);
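Review bot: Removing the fopen()/fclose() probe from krb5_ktsrvtab_resolve() changes when a missing srvtab is reported: resolve now succeeds for any name and the ENOENT surfaces at the first entry lookup, which is the FILE keytab behaviour the changelog describes, so callers that relied on krb5_kt_resolve() failing early for a nonexistent srvtab will see the error later. The file carries only the RCS "Index:" block and no description, so a one-line header above it stating that intent (and the bug number from the changelog, #241805) would make the patch self-explanatory.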
diff --git a/krb5.spec b/krb5.spec
index f59c2cb..0e012ba 100644
--- a/krb5.spec
+++ b/krb5.spec
@@ -1,7 +1,3 @@
-%if %{?WITH_SELINUX:0}%{!?WITH_SELINUX:1}
-%define WITH_SELINUX 0
-%endif
-
%define WITH_LDAP 1
%define krb5prefix %{_prefix}/kerberos
@@ -82,6 +78,8 @@ Patch55: krb5-1.6.1-empty.patch
Patch56: krb5-1.6.1-get_opt_fixup.patch
Patch57: krb5-1.6.1-ftp-nospew.patch
+Patch62: krb5-any-fixup-patch.txt
+
License: MIT, freely distributable.
URL: http://web.mit.edu/kerberos/www/
Group: System Environment/Libraries
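Review bot: Patch62 jumps past 58-61 with nothing in the diff showing those numbers are taken, and it is the only patch declared with a .txt suffix; numbering it Patch58 and naming it like the krb5-1.6.1-*.patch entries just above (for example krb5-1.6.1-srvtab-missing-file.patch, name chosen here for illustration) would keep the Patch list consistent. A short comment naming the bug next to the declaration would also help, since the patch file itself has no header text.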
@@ -195,6 +193,13 @@ installed on systems which are meant provide these services.
%endif
%changelog
+* Wed Jun 27 2007 Nalin Dahyabhai <nalin@redhat.com>
+- preprocess kerberos.ldif into a format FDS will like better, and include
+ that as a doc file as well (from 1.6.1-4)
+- drop old, incomplete SELinux patch (from 1.6.1-4)
+- add patch from Greg Hudson to make srvtab routines report missing-file errors
+ at same point that "file" keytab routines do (from 1.6.1-4, #241805)
+
* Wed Jun 27 2007 Nalin Dahyabhai <nalin@redhat.com> 1.6.1-2.0
- pull up from devel HEAD's 1.6.1-2
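Review bot: The new %changelog header line has no version-release on it (the entry below ends in "1.6.1-2.0"), and no hunk in this diff bumps the Release: tag, so a package built from this commit would carry the same EVR as the previous build. Also add lines for the CVE prelim patches and the sendto_kdc memset fix that this commit deletes, since the entry as written only accounts for the SELinux and srvtab changes.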
@@ -1091,6 +1096,9 @@ installed on systems which are meant provide these services.
%prep
%setup -q -a 23
%patch2 -p1 -b .manpage-paths
+pushd src/lib/krb5/keytab
+%patch62 -p0 -b .any-fixup
+popd
%patch3 -p1 -b .netkit-rsh
%patch4 -p1 -b .rlogind-environ
%patch5 -p1 -b .ksu-access
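Review bot: %patch62 is applied between %patch2 and %patch3, out of numeric order and before the rest of the series has touched the tree; the hunk only rewrites the body of krb5_ktsrvtab_resolve() in kt_srvtab.c, so it can be applied after %patch57 with the same pushd/-p0 wrapper (needed because the patch uses bare file names rather than src/-relative paths) and the %prep order would then match the Patch list.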
@@ -1102,9 +1110,6 @@ installed on systems which are meant provide these services.
%patch14 -p1 -b .ftp-glob
%patch16 -p1 -b .buildconf
%patch18 -p1 -b .reject-bad-transited
-%if %{WITH_SELINUX}
-%patch21 -p1 -b .selinux
-%endif
%patch23 -p1 -b .dns
%patch25 -p1 -b .null
# Removes a malloc(0) case, nothing more.
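Review bot: Dropping the %patch21 application is the right counterpart to removing the WITH_SELINUX define, but no hunk in this diff removes the Patch21: declaration, so the SELinux patch file stays listed in the spec and packaged into the SRPM while unused; remove the declaration (and the patch file from the repository) in the same commit so the "drop old, incomplete SELinux patch" changelog line is actually true.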
@@ -1152,6 +1157,15 @@ doc/kadm5 api-funcspec
doc/kadm5 api-server-design
EOF
+# Generate an FDS-compatible LDIF file.
+inldif=src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
+cat > 60kerberos.ldif << EOF
+# This is a variation on kerberos.ldif which Fedora Directory Server will like.
+dn: cn=schema
+EOF
+egrep -iv '(^$|^dn:|^changetype:|^add:)' $inldif >> 60kerberos.ldif
+touch -r $inldif 60kerberos.ldif
+
# Rebuild the configure scripts.
cd src
top=`pwd`
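Review bot: The egrep filter assumes kerberos.ldif holds exactly one LDIF entry: it strips every dn:, changetype: and add: line in the file and places whatever remains under a single "dn: cn=schema" header, so if upstream ever splits the schema across several entries the output silently merges them. A comment stating that assumption above the cat/egrep lines, plus a check that the result is non-empty (for example "test -s 60kerberos.ldif"), would make an upstream format change fail the build rather than ship a broken LDIF.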
@@ -1555,6 +1569,7 @@ exit 0
%docdir %{krb5prefix}/man
%doc src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
%doc src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
+%doc 60kerberos.ldif
%dir %{_libdir}/krb5
%dir %{_libdir}/krb5/plugins
%dir %{_libdir}/krb5/plugins/kdb
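Review bot: 60kerberos.ldif is packaged as %doc, so its "60" prefix is only a hint at the directory-server schema naming convention; nothing installs it where Fedora Directory Server would load it, and the header comment written in %prep says only that FDS "will like" it. Either extend that comment to say the administrator must copy the file into the server's schema directory, or install it there from the spec.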
diff --git a/sources b/sources
index 4108339..8e99f9f 100644
--- a/sources
+++ b/sources
@@ -1,6 +1,3 @@
-fe62bcd315fe4139e4fa05732ce8abde krb5-1.5.tar.gz
-86a3c9ef729920279a45d0573055bf99 krb5-1.5.tar.gz.asc
-18da410f1e0a4500b0f3d4020567ce99 krb5-1.5-pdf.tar.gz
-b84d437c4a67240c70e370f557f561de krb5-1.6.tar.gz
-4b79615e695c55216f25058a03f6dfde krb5-1.6.tar.gz.asc
-64195de6ac63f8fe8ecfc6a410219c9d krb5-1.6-pdf.tar.gz
+165bfd13e77d63e623810a3abe43ad61 krb5-1.6.1.tar.gz
+8249f522570f8b17f056bc8a5408678d krb5-1.6.1.tar.gz.asc
+06835fe8a0ac3455dfaf9c6073f1f54c krb5-1.6.1-pdf.tar.gz
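Review bot: The .asc signature listed beside krb5-1.6.1.tar.gz is what authenticates the tarball; the MD5 in this file only catches download corruption. If %prep does not already run gpg --verify against the MIT release key, this base-tarball change is the point to add it, since every dropped CVE patch in this commit now rests on the integrity of that one archive.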