From 680c6b04e0dacb7799ba722749ea157ce76fcc91 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Wed, 3 Feb 2010 17:21:28 +0000
Subject: - sync with devel branch to pick up 1.7.1 - update to 1.7.1 - don't trip AD lockout on wrong password (#542687, #554351) - incorporates fixes for CVE-2009-4212 and CVE-2009-3295 - fixes gss_krb5_copy_ccache() when SPNEGO is used - move sim_client/sim_server, gss-client/gss-server, uuclient/uuserver to the devel subpackage, better lining up with the expected krb5/krb5-appl split in 1.8 - drop kvno,kadmin,k5srvutil,ktutil from -workstation-servers, as it already depends on -workstation which also includes them
---
 .cvsignore | 3 +
 2009-003-patch.txt | 27 ----
 2009-004-patch_1.7.txt | 377 --------------------------------------------
 krb5-1.7-errs.patch | 13 --
 krb5-1.7-exp_warn.patch | 17 ++
 krb5-1.7-opte.patch | 14 ++
 krb5-1.7-spnego-deleg.patch | 60 -------
 krb5.spec | 80 ++++++----
 sources | 6 +-
 9 files changed, 82 insertions(+), 515 deletions(-)
 delete mode 100644 2009-003-patch.txt
 delete mode 100644 2009-004-patch_1.7.txt
 delete mode 100644 krb5-1.7-errs.patch
 create mode 100644 krb5-1.7-exp_warn.patch
 create mode 100644 krb5-1.7-opte.patch
 delete mode 100644 krb5-1.7-spnego-deleg.patch
diff --git a/.cvsignore b/.cvsignore
index 998bcd1..a38c156 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -28,3 +28,6 @@ krb5-1.6.3-pdf.tar.gz
 krb5-1.7.tar.gz
 krb5-1.7.tar.gz.asc
 krb5-1.7-pdf.tar.gz
+krb5-1.7.1.tar.gz
+krb5-1.7.1.tar.gz.asc
+krb5-1.7.1-pdf.tar.gz
diff --git a/2009-003-patch.txt b/2009-003-patch.txt
deleted file mode 100644
index 0319cd1..0000000
--- a/2009-003-patch.txt
+++ /dev/null
@@ -1,27 +0,0 @@ -diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c -index 298e132..12180ff 100644 ---- a/src/kdc/do_tgs_req.c -+++ b/src/kdc/do_tgs_req.c -@@ -1158,7 +1158,7 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ) - free(temp_buf); - if (retval) { - /* no match found */ -- kdc_err(kdc_context, retval, 0); -+ kdc_err(kdc_context, retval, "unable to find realm of host"); - goto cleanup; - } - if (realms == 0) { -diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c -index efff818..ef3735a 100644 ---- a/src/lib/kadm5/logger.c -+++ b/src/lib/kadm5/logger.c -@@ -188,6 +188,9 @@ klog_com_err_proc(const char *whoami, long int code, const char *format, va_list - char *cp; - char *syslogp; - -+ if (whoami == NULL || format == NULL) -+ return; -+ - /* Make the header */ - snprintf(outbuf, sizeof(outbuf), "%s: ", whoami); - /* diff --git a/2009-004-patch_1.7.txt b/2009-004-patch_1.7.txt deleted file mode 100644 index df2edca..0000000 --- a/2009-004-patch_1.7.txt +++ /dev/null 
@@ -1,377 +0,0 @@ -Index: src/lib/crypto/Makefile.in -=================================================================== ---- src/lib/crypto/Makefile.in (revision 23398) -+++ src/lib/crypto/Makefile.in (working copy) -@@ -18,6 +18,7 @@ - $(srcdir)/t_nfold.c \ - $(srcdir)/t_cf2.c \ - $(srcdir)/t_encrypt.c \ -+ $(srcdir)/t_short.c \ - $(srcdir)/t_prf.c \ - $(srcdir)/t_prng.c \ - $(srcdir)/t_hmac.c \ -@@ -206,7 +207,7 @@ - - clean-unix:: clean-liblinks clean-libs clean-libobjs - --check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_cf2 -+check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_cf2 t_short - $(RUN_SETUP) $(VALGRIND) ./t_nfold - $(RUN_SETUP) $(VALGRIND) ./t_encrypt - $(RUN_SETUP) $(VALGRIND) ./t_prng <$(srcdir)/t_prng.seed >t_prng.output && \ -@@ -216,6 +217,7 @@ - diff t_prf.output $(srcdir)/t_prf.expected - $(RUN_SETUP) $(VALGRIND) ./t_cf2 <$(srcdir)/t_cf2.in >t_cf2.output - diff t_cf2.output $(srcdir)/t_cf2.expected -+ $(RUN_SETUP) $(VALGRIND) ./t_short - - - # $(RUN_SETUP) $(VALGRIND) ./t_pkcs5 -@@ -249,10 +251,15 @@ - $(CC_LINK) -o $@ t_cts.$(OBJEXT) \ - $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) - -+t_short$(EXEEXT): t_short.$(OBJEXT) $(CRYPTO_DEPLIB) $(SUPPORT_DEPLIB) -+ $(CC_LINK) -o $@ t_short.$(OBJEXT) \ -+ $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) - -+ - clean:: - $(RM) t_nfold.o t_nfold t_encrypt t_encrypt.o t_prng.o t_prng \ -- t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o t_cf2 t_cf2.o -+ t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o \ -+ t_cf2 t_cf2.o t_short t_short.o - -$(RM) t_prng.output - - all-windows:: -Index: src/lib/crypto/arcfour/arcfour.c -=================================================================== ---- src/lib/crypto/arcfour/arcfour.c (revision 23398) -+++ src/lib/crypto/arcfour/arcfour.c (working copy) -@@ -199,6 +199,12 @@ - keylength = enc->keylength; - hashsize = hash->hashsize; - -+ /* Verify input and output lengths. 
*/ -+ if (input->length < hashsize + CONFOUNDERLENGTH) -+ return KRB5_BAD_MSIZE; -+ if (output->length < input->length - hashsize - CONFOUNDERLENGTH) -+ return KRB5_BAD_MSIZE; -+ - d1.length=keybytes; - d1.data=malloc(d1.length); - if (d1.data == NULL) -Index: src/lib/crypto/enc_provider/aes.c -=================================================================== ---- src/lib/crypto/enc_provider/aes.c (revision 23398) -+++ src/lib/crypto/enc_provider/aes.c (working copy) -@@ -105,9 +105,11 @@ - nblocks = (input->length + BLOCK_SIZE - 1) / BLOCK_SIZE; - - if (nblocks == 1) { -- /* XXX Used for DK function. */ -+ /* Used when deriving keys. */ -+ if (input->length < BLOCK_SIZE) -+ return KRB5_BAD_MSIZE; - enc(output->data, input->data, &ctx); -- } else { -+ } else if (nblocks > 1) { - unsigned int nleft; - - for (blockno = 0; blockno < nblocks - 2; blockno++) { -@@ -160,9 +162,9 @@ - - if (nblocks == 1) { - if (input->length < BLOCK_SIZE) -- abort(); -+ return KRB5_BAD_MSIZE; - dec(output->data, input->data, &ctx); -- } else { -+ } else if (nblocks > 1) { - - for (blockno = 0; blockno < nblocks - 2; blockno++) { - dec(tmp2, input->data + blockno * BLOCK_SIZE, &ctx); -@@ -208,6 +210,7 @@ - char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE]; - int nblocks = 0, blockno; - size_t input_length, i; -+ struct iov_block_state input_pos, output_pos; - - if (aes_enc_key(key->contents, key->length, &ctx) != aes_good) - abort(); -@@ -224,18 +227,20 @@ - input_length += iov->data.length; - } - -+ IOV_BLOCK_STATE_INIT(&input_pos); -+ IOV_BLOCK_STATE_INIT(&output_pos); -+ - nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE; -- -- assert(nblocks > 1); -- -- { -+ if (nblocks == 1) { -+ krb5int_c_iov_get_block((unsigned char *)tmp, BLOCK_SIZE, -+ data, num_data, &input_pos); -+ enc(tmp2, tmp, &ctx); -+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2, -+ BLOCK_SIZE, &output_pos); -+ } else if (nblocks > 1) { - char blockN2[BLOCK_SIZE]; /* second last */ - char blockN1[BLOCK_SIZE]; 
/* last block */ -- struct iov_block_state input_pos, output_pos; - -- IOV_BLOCK_STATE_INIT(&input_pos); -- IOV_BLOCK_STATE_INIT(&output_pos); -- - for (blockno = 0; blockno < nblocks - 2; blockno++) { - char blockN[BLOCK_SIZE]; - -@@ -288,6 +293,7 @@ - char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE]; - int nblocks = 0, blockno, i; - size_t input_length; -+ struct iov_block_state input_pos, output_pos; - - CHECK_SIZES; - -@@ -306,18 +312,20 @@ - input_length += iov->data.length; - } - -+ IOV_BLOCK_STATE_INIT(&input_pos); -+ IOV_BLOCK_STATE_INIT(&output_pos); -+ - nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE; -- -- assert(nblocks > 1); -- -- { -+ if (nblocks == 1) { -+ krb5int_c_iov_get_block((unsigned char *)tmp, BLOCK_SIZE, -+ data, num_data, &input_pos); -+ dec(tmp2, tmp, &ctx); -+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2, -+ BLOCK_SIZE, &output_pos); -+ } else if (nblocks > 1) { - char blockN2[BLOCK_SIZE]; /* second last */ - char blockN1[BLOCK_SIZE]; /* last block */ -- struct iov_block_state input_pos, output_pos; - -- IOV_BLOCK_STATE_INIT(&input_pos); -- IOV_BLOCK_STATE_INIT(&output_pos); -- - for (blockno = 0; blockno < nblocks - 2; blockno++) { - char blockN[BLOCK_SIZE]; - -Index: src/lib/crypto/dk/dk_aead.c -=================================================================== ---- src/lib/crypto/dk/dk_aead.c (revision 23398) -+++ src/lib/crypto/dk/dk_aead.c (working copy) -@@ -248,7 +248,7 @@ - for (i = 0; i < num_data; i++) { - const krb5_crypto_iov *iov = &data[i]; - -- if (ENCRYPT_DATA_IOV(iov)) -+ if (ENCRYPT_IOV(iov)) - cipherlen += iov->data.length; - } - -Index: src/lib/crypto/dk/dk_decrypt.c -=================================================================== ---- src/lib/crypto/dk/dk_decrypt.c (revision 23398) -+++ src/lib/crypto/dk/dk_decrypt.c (working copy) -@@ -89,6 +89,12 @@ - else if (hmacsize > hashsize) - return KRB5KRB_AP_ERR_BAD_INTEGRITY; - -+ /* Verify input and output lengths. 
*/ -+ if (input->length < blocksize + hmacsize) -+ return KRB5_BAD_MSIZE; -+ if (output->length < input->length - blocksize - hmacsize) -+ return KRB5_BAD_MSIZE; -+ - enclen = input->length - hmacsize; - - if ((kedata = (unsigned char *) malloc(keylength)) == NULL) -Index: src/lib/crypto/raw/raw_decrypt.c -=================================================================== ---- src/lib/crypto/raw/raw_decrypt.c (revision 23398) -+++ src/lib/crypto/raw/raw_decrypt.c (working copy) -@@ -34,5 +34,7 @@ - const krb5_data *ivec, const krb5_data *input, - krb5_data *output) - { -+ if (output->length < input->length) -+ return KRB5_BAD_MSIZE; - return((*(enc->decrypt))(key, ivec, input, output)); - } -Index: src/lib/crypto/deps -=================================================================== ---- src/lib/crypto/deps (revision 23398) -+++ src/lib/crypto/deps (working copy) -@@ -463,6 +463,16 @@ - $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ - $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ - $(SRCTOP)/include/socket-utils.h etypes.h t_encrypt.c -+t_short.so t_short.po $(OUTPRE)t_short.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ -+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ -+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ -+ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ -+ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ -+ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ -+ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ -+ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ -+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ -+ t_short.c - t_prf.so t_prf.po $(OUTPRE)t_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ -Index: 
src/lib/crypto/t_short.c -=================================================================== ---- src/lib/crypto/t_short.c (revision 0) -+++ src/lib/crypto/t_short.c (revision 0) -@@ -0,0 +1,126 @@ -+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -+/* -+ * lib/crypto/crypto_tests/t_short.c -+ * -+ * Copyright (C) 2009 by the Massachusetts Institute of Technology. -+ * All rights reserved. -+ * -+ * Export of this software from the United States of America may -+ * require a specific license from the United States Government. -+ * It is the responsibility of any person or organization contemplating -+ * export to obtain such a license before exporting. -+ * -+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -+ * distribute this software and its documentation for any purpose and -+ * without fee is hereby granted, provided that the above copyright -+ * notice appear in all copies and that both that copyright notice and -+ * this permission notice appear in supporting documentation, and that -+ * the name of M.I.T. not be used in advertising or publicity pertaining -+ * to distribution of the software without specific, written prior -+ * permission. Furthermore if you modify this software you must label -+ * your software as modified software and not distribute it in such a -+ * fashion that it might be confused with the original M.I.T. software. -+ * M.I.T. makes no representations about the suitability of -+ * this software for any purpose. It is provided "as is" without express -+ * or implied warranty. -+ * -+ * Tests the outcome of decrypting overly short tokens. This program can be -+ * run under a tool like valgrind to detect bad memory accesses; when run -+ * normally by the test suite, it verifies that each operation returns -+ * KRB5_BAD_MSIZE. 
-+ */ -+ -+#include "k5-int.h" -+ -+krb5_enctype interesting_enctypes[] = { -+ ENCTYPE_DES_CBC_CRC, -+ ENCTYPE_DES_CBC_MD4, -+ ENCTYPE_DES_CBC_MD5, -+ ENCTYPE_DES3_CBC_SHA1, -+ ENCTYPE_ARCFOUR_HMAC, -+ ENCTYPE_ARCFOUR_HMAC_EXP, -+ ENCTYPE_AES256_CTS_HMAC_SHA1_96, -+ ENCTYPE_AES128_CTS_HMAC_SHA1_96, -+ 0 -+}; -+ -+/* Abort if an operation unexpectedly fails. */ -+static void -+x(krb5_error_code code) -+{ -+ if (code != 0) -+ abort(); -+} -+ -+/* Abort if a decrypt operation doesn't have the expected result. */ -+static void -+check_decrypt_result(krb5_error_code code, size_t len, size_t min_len) -+{ -+ if (len < min_len) { -+ /* Undersized tokens should always result in BAD_MSIZE. */ -+ if (code != KRB5_BAD_MSIZE) -+ abort(); -+ } else { -+ /* Min-size tokens should succeed or fail the integrity check. */ -+ if (code != 0 && code != KRB5KRB_AP_ERR_BAD_INTEGRITY) -+ abort(); -+ } -+} -+ -+static void -+test_enctype(krb5_enctype enctype) -+{ -+ krb5_error_code ret; -+ krb5_keyblock keyblock; -+ krb5_enc_data input; -+ krb5_data output; -+ krb5_crypto_iov iov[2]; -+ unsigned int dummy; -+ size_t min_len, len; -+ -+ printf("Testing enctype %d\n", (int) enctype); -+ x(krb5_c_encrypt_length(NULL, enctype, 0, &min_len)); -+ x(krb5_c_make_random_key(NULL, enctype, &keyblock)); -+ input.enctype = enctype; -+ -+ /* Try each length up to the minimum length. */ -+ for (len = 0; len <= min_len; len++) { -+ input.ciphertext.data = calloc(len, 1); -+ input.ciphertext.length = len; -+ output.data = calloc(len, 1); -+ output.length = len; -+ -+ /* Attempt a normal decryption. */ -+ ret = krb5_c_decrypt(NULL, &keyblock, 0, NULL, &input, &output); -+ check_decrypt_result(ret, len, min_len); -+ -+ if (krb5_c_crypto_length(NULL, enctype, KRB5_CRYPTO_TYPE_HEADER, -+ &dummy) == 0) { -+ /* Attempt an IOV stream decryption. 
*/ -+ iov[0].flags = KRB5_CRYPTO_TYPE_STREAM; -+ iov[0].data = input.ciphertext; -+ iov[1].flags = KRB5_CRYPTO_TYPE_DATA; -+ iov[1].data.data = NULL; -+ iov[1].data.length = 0; -+ ret = krb5_c_decrypt_iov(NULL, &keyblock, 0, NULL, iov, 2); -+ check_decrypt_result(ret, len, min_len); -+ } -+ -+ free(input.ciphertext.data); -+ free(output.data); -+ } -+} -+ -+int -+main(int argc, char **argv) -+{ -+ int i; -+ krb5_data notrandom; -+ -+ notrandom.data = "notrandom"; -+ notrandom.length = 9; -+ krb5_c_random_seed(NULL, ¬random); -+ for (i = 0; interesting_enctypes[i]; i++) -+ test_enctype(interesting_enctypes[i]); -+ return 0; -+} -Index: src/lib/crypto/old/old_decrypt.c -=================================================================== ---- src/lib/crypto/old/old_decrypt.c (revision 23398) -+++ src/lib/crypto/old/old_decrypt.c (working copy) -@@ -45,8 +45,10 @@ - blocksize = enc->block_size; - hashsize = hash->hashsize; - -+ /* Verify input and output lengths. */ -+ if (input->length < blocksize + hashsize || input->length % blocksize != 0) -+ return(KRB5_BAD_MSIZE); - plainsize = input->length - blocksize - hashsize; -- - if (arg_output->length < plainsize) - return(KRB5_BAD_MSIZE); - diff --git a/krb5-1.7-errs.patch b/krb5-1.7-errs.patch deleted file mode 100644 index 5305251..0000000 --- a/krb5-1.7-errs.patch +++ /dev/null @@ -1,13 +0,0 @@ -Type mismatch. RT#6519 -diff -up krb5-1.7/src/lib/krb5/krb/kerrs.c krb5-1.7/src/lib/krb5/krb/kerrs.c ---- krb5-1.7/src/lib/krb5/krb/kerrs.c 2009-06-22 15:01:02.000000000 -0400 -+++ krb5-1.7/src/lib/krb5/krb/kerrs.c 2009-06-22 15:01:06.000000000 -0400 -@@ -108,7 +108,7 @@ krb5_copy_error_message (krb5_context de - krb5int_set_error(&dest_ctx->err, src_ctx->err.code, "%s", - src_ctx->err.msg); - } else { -- krb5int_clear_error(dest_ctx); -+ krb5int_clear_error(&dest_ctx->err); - } - } - diff --git a/krb5-1.7-exp_warn.patch b/krb5-1.7-exp_warn.patch new file mode 100644 index 0000000..1e0743d --- /dev/null 
+++ b/krb5-1.7-exp_warn.patch
@@ -0,0 +1,17 @@
+Don't warn of expiration reported the new way if it's more than a week from
+now, for consistency with the code that handles expiration times reported the
+old way.
+
+diff -up krb5-1.7/src/lib/krb5/krb/gic_pwd.c krb5-1.7/src/lib/krb5/krb/gic_pwd.c
+--- krb5-1.7/src/lib/krb5/krb/gic_pwd.c 2010-01-18 11:12:02.000000000 -0500
++++ krb5-1.7/src/lib/krb5/krb/gic_pwd.c 2010-01-18 11:11:50.000000000 -0500
+@@ -389,7 +389,8 @@ cleanup:
+ delta / 86400, ts);
+ /* ignore an error here */
+ /* PROMPTER_INVOCATION */
+- (*prompter)(context, data, 0, banner, 0, 0);
++ if (delta < 86400 * 7)
++ (*prompter)(context, data, 0, banner, 0, 0);
+ }
+ }
+ }
diff --git a/krb5-1.7-opte.patch b/krb5-1.7-opte.patch
new file mode 100644
index 0000000..538a19e
--- /dev/null
+++ b/krb5-1.7-opte.patch
@@ -0,0 +1,14 @@
+Check opte->flags instead of options->flags, because we know that opte has
+been initialized to the library defaults if options was NULL.
+diff -up krb5-1.7/src/lib/krb5/krb/gic_pwd.c krb5-1.7/src/lib/krb5/krb/gic_pwd.c
+--- krb5-1.7/src/lib/krb5/krb/gic_pwd.c 2010-01-15 15:07:52.000000000 -0500
++++ krb5-1.7/src/lib/krb5/krb/gic_pwd.c 2010-01-15 15:07:56.000000000 -0500
+@@ -200,7 +200,7 @@ krb5_get_init_creds_password(krb5_contex
+ * to prompt. Prompting is only disabled if the option has been set
+ * and the value has been set to false.
+ */
+- if (!(options->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
++ if (!(opte->flags & KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT))
+ goto cleanup;
+
+ /* ok, we have an expired password. Give the user a few chances
diff --git a/krb5-1.7-spnego-deleg.patch b/krb5-1.7-spnego-deleg.patch
deleted file mode 100644
index 737f897..0000000
--- a/krb5-1.7-spnego-deleg.patch
+++ /dev/null
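Review bot: The new guard `if (delta < 86400 * 7)` in the gic_pwd.c hunk of krb5-1.7-exp_warn.patch carries the one-week policy as a bare expression with no comment, and the existing `/* ignore an error here */` and `/* PROMPTER_INVOCATION */` markers now sit above a conditional rather than above the call they describe. A one-line comment above the `if`, for example `/* Only warn when expiry is less than a week away, as the key-expiration path does. */`, would keep the two code paths visibly in step. The banner still appears to be formatted before the test (the `delta / 86400, ts);` tail just above it), so the check could equally wrap the formatting; the enclosing block begins outside the hunk, so that needs confirming against the full function.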
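Review bot: The header of krb5-1.7-opte.patch says what changed but not what went wrong before: as described, `options` can be NULL at this point, so the old `options->flags` test presumably dereferenced a NULL pointer whenever a caller passed no options. The header should say so and carry the tracking reference that the spec changelog uses, for example `Avoid dereferencing a NULL options pointer in krb5_get_init_creds_password() (#555875).`. The header of krb5-1.7-exp_warn.patch likewise has no reference (#556495 in the changelog).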
@@ -1,60 +0,0 @@ -Punt a set_cred_option() call down to the mechanism for the first -credential that we have whose mechanism implements a set_cred_option() -method. It's not the complete set of changes from 1.7 to trunk, but -it should be enough to make gss_krb5_copy_ccache() work. RT#6594 - -Index: src/lib/gssapi/spnego/gssapiP_spnego.h -=================================================================== ---- src/lib/gssapi/spnego/gssapiP_spnego.h (revision 23481) -+++ src/lib/gssapi/spnego/gssapiP_spnego.h (revision 23482) -@@ -352,6 +352,15 @@ - ); - - OM_uint32 -+spnego_gss_set_cred_option -+( -+ OM_uint32 *minor_status, -+ gss_cred_id_t cred_handle, -+ const gss_OID desired_object, -+ const gss_buffer_t value -+); -+ -+OM_uint32 - spnego_gss_set_sec_context_option - ( - OM_uint32 *minor_status, -Index: src/lib/gssapi/spnego/spnego_mech.c -=================================================================== ---- src/lib/gssapi/spnego/spnego_mech.c -+++ src/lib/gssapi/spnego/spnego_mech.c (revision 23482) -@@ -250,7 +250,7 @@ - spnego_gss_inquire_sec_context_by_oid, /* gss_inquire_sec_context_by_oid */ - NULL, /* gss_inquire_cred_by_oid */ - spnego_gss_set_sec_context_option, /* gss_set_sec_context_option */ -- NULL, /* gssspi_set_cred_option */ -+ spnego_gss_set_cred_option, /* gssspi_set_cred_option */ - NULL, /* gssspi_mech_invoke */ - spnego_gss_wrap_aead, - spnego_gss_unwrap_aead, -@@ -2187,6 +2187,21 @@ - } - - OM_uint32 -+spnego_gss_set_cred_option( -+ OM_uint32 *minor_status, -+ gss_cred_id_t cred_handle, -+ const gss_OID desired_object, -+ const gss_buffer_t value) -+{ -+ OM_uint32 ret; -+ ret = gssspi_set_cred_option(minor_status, -+ cred_handle, -+ desired_object, -+ value); -+ return (ret); -+} -+ -+OM_uint32 - spnego_gss_set_sec_context_option( - OM_uint32 *minor_status, - gss_ctx_id_t *context_handle, diff --git a/krb5.spec b/krb5.spec index 65a38c8..9c912be 100644 --- a/krb5.spec +++ b/krb5.spec 
@@ -9,10 +9,10 @@
 Summary: The Kerberos network authentication system
 Name: krb5
-Version: 1.7
-Release: 20%{?dist}
+Version: 1.7.1
+Release: 1%{?dist}
 # Maybe we should explode from the now-available-to-everybody tarball instead?
-# http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7-signed.tar
+# http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7.1-signed.tar
 Source0: krb5-%{version}.tar.gz
 Source1: krb5-%{version}.tar.gz.asc
 Source2: kpropd.init
@@ -78,14 +78,12 @@ Patch72: krb5-1.6.3-ftp_fdleak.patch
 Patch73: krb5-1.6.3-ftp_glob_runique.patch
 Patch79: krb5-trunk-ftp_mget_case.patch
 Patch86: krb5-1.7-time_t_size.patch
-Patch87: krb5-1.7-errs.patch
 Patch88: krb5-1.7-sizeof.patch
 Patch89: krb5-1.7-largefile.patch
 Patch90: krb5-1.7-openssl-1.0.patch
-Patch91: krb5-1.7-spnego-deleg.patch
-Patch92: http://web.mit.edu/kerberos/advisories/2009-003-patch.txt
 Patch93: krb5-1.7-create_on_load.patch
-Patch94: http://web.mit.edu/kerberos/advisories/2009-004-patch_1.7.txt
+Patch95: krb5-1.7-opte.patch
+Patch96: krb5-1.7-exp_warn.patch
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
@@ -224,10 +222,34 @@ to obtain initial credentials from a KDC using a private key and a certificate. %changelog -* Fri Jan 22 2010 Nalin Dahyabhai - 1.7-20 +* Wed Feb 3 2010 Nalin Dahyabhai - 1.7.1-1 +- update to 1.7.1 + - don't trip AD lockout on wrong password (#542687, #554351) + - incorporates fixes for CVE-2009-4212 and CVE-2009-3295 + - fixes gss_krb5_copy_ccache() when SPNEGO is used +- move sim_client/sim_server, gss-client/gss-server, uuclient/uuserver to + the devel subpackage, better lining up with the expected krb5/krb5-appl + split in 1.8 +- drop kvno,kadmin,k5srvutil,ktutil from -workstation-servers, as it already + depends on -workstation which also includes them + +* Mon Jan 25 2010 Nalin Dahyabhai - 1.7-23 +- tighten up default permissions on kdc.conf and kadm5.acl (#558343) + +* Fri Jan 22 2010 Nalin Dahyabhai - 1.7-22 - use portreserve correctly -- portrelease takes the basename of the file whose entries should be released, so we need three files, not one +* Mon Jan 18 2010 Nalin Dahyabhai - 1.7-21 +- suppress warnings of impending password expiration if expiration is more than + seven days away when the KDC reports it via the last-req field, just as we + already do when it reports expiration via the key-expiration field (#556495) +- link with libtinfo rather than libncurses, when we can, in future RHEL + +* Fri Jan 15 2010 Nalin Dahyabhai - 1.7-20 +- krb5_get_init_creds_password: check opte->flags instead of options->flags + when checking whether or not we get to use the prompter callback (#555875) + * Thu Jan 14 2010 Nalin Dahyabhai - 1.7-19 - use portreserve to make sure the KDC can always bind to the kerberos-iv port, kpropd can always bind to the krb5_prop port, and that kadmind can 
@@ -1554,14 +1576,12 @@ popd
 %patch73 -p1 -b .ftp_glob_runique
 %patch79 -p0 -b .ftp_mget_case
 %patch86 -p1 -b .time_t_size
-%patch87 -p1 -b .errs
 %patch88 -p1 -b .sizeof
 %patch89 -p1 -b .largefile
 %patch90 -p0 -b .openssl-1.0
-%patch91 -p0 -b .spnego-deleg
-%patch92 -p1 -b .2009-003
 %patch93 -p1 -b .create_on_load
-%patch94 -p0 -b .2009-004
+%patch95 -p1 -b .opte
+%patch96 -p1 -b .exp_warn
 gzip doc/*.ps
 sed -i -e '1s!\[twoside\]!!;s!%\(\\usepackage{hyperref}\)!\1!' doc/api/library.tex
@@ -1621,7 +1641,7 @@ CPPFLAGS="`echo $DEFINES $INCLUDES`"
 CC="%{__cc}" \
 CFLAGS="$CFLAGS" \
 CPPFLAGS="$CPPFLAGS" \
-%if 0%{?fedora} >= 7
+%if 0%{?fedora} >= 7 || 0%{?rhel} >= 6
 SS_LIB="-lss -ltinfo" \
 %else
 SS_LIB="-lss -lncurses" \
@@ -1676,8 +1696,8 @@ gzip $RPM_BUILD_ROOT%{_infodir}/*.info*
 # Sample KDC config files.
 mkdir -p $RPM_BUILD_ROOT%{_var}/kerberos/krb5kdc
-install -pm 644 $RPM_SOURCE_DIR/kdc.conf $RPM_BUILD_ROOT%{_var}/kerberos/krb5kdc/
-install -pm 644 $RPM_SOURCE_DIR/kadm5.acl $RPM_BUILD_ROOT%{_var}/kerberos/krb5kdc/
+install -pm 600 $RPM_SOURCE_DIR/kdc.conf $RPM_BUILD_ROOT%{_var}/kerberos/krb5kdc/
+install -pm 600 $RPM_SOURCE_DIR/kadm5.acl $RPM_BUILD_ROOT%{_var}/kerberos/krb5kdc/
 # Login-time scriptlets to fix the PATH variable.
 mkdir -p $RPM_BUILD_ROOT/etc/profile.d
@@ -1902,11 +1922,6 @@ exit 0
 %{krb5prefix}/bin/telnet
 %{krb5prefix}/man/man1/telnet.1*
-# Protocol test clients.
-%{krb5prefix}/bin/sim_client
-%{krb5prefix}/bin/gss-client
-%{krb5prefix}/bin/uuclient
-
 %files workstation-servers
 %defattr(-,root,root)
 %docdir %{krb5prefix}/man
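Review bot: The switch to `install -pm 600` for kdc.conf and kadm5.acl in the "Sample KDC config files" hunk only fixes the mode of the files placed in the build root, so hosts that already have these files may keep mode 644 after upgrading if the %files entries mark them as configuration that rpm leaves in place when locally modified. The %files section for the server package is outside this hunk, so that needs checking. Stating the mode in the manifest as well, with `%attr(0600,root,root)` on the two entries, makes the intent explicit in the spec and independent of the install step. If existing installs are meant to be tightened too, a scriptlet that runs `chmod 600` on both files when they exist would cover them.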
@@ -1935,16 +1950,6 @@ exit 0
 %{krb5prefix}/sbin/login.krb5
 %{krb5prefix}/man/man8/login.krb5.8*
-# Tools you're likely to need if you're running these app servers.
-%{krb5prefix}/bin/kvno
-%{krb5prefix}/man/man1/kvno.1*
-%{krb5prefix}/bin/kadmin
-%{krb5prefix}/man/man1/kadmin.1*
-%{krb5prefix}/bin/k5srvutil
-%{krb5prefix}/man/man1/k5srvutil.1*
-%{krb5prefix}/bin/ktutil
-%{krb5prefix}/man/man1/ktutil.1*
-
 # Application servers.
 %{krb5prefix}/sbin/ftpd
 %{krb5prefix}/man/man8/ftpd.8*
@@ -1955,11 +1960,6 @@ exit 0
 %{krb5prefix}/sbin/telnetd
 %{krb5prefix}/man/man8/telnetd.8*
-# Protocol test servers.
-%{krb5prefix}/sbin/sim_server
-%{krb5prefix}/sbin/gss-server
-%{krb5prefix}/sbin/uuserver
-
 %files server
 %defattr(-,root,root)
 %docdir %{krb5prefix}/man
@@ -2117,3 +2117,13 @@ exit 0
 %{krb5prefix}/man/man1/sclient.1*
 %{krb5prefix}/man/man8/sserver.8*
 %{krb5prefix}/sbin/sserver
+
+# Protocol test clients.
+%{krb5prefix}/bin/sim_client
+%{krb5prefix}/bin/gss-client
+%{krb5prefix}/bin/uuclient
+
+# Protocol test servers.
+%{krb5prefix}/sbin/sim_server
+%{krb5prefix}/sbin/gss-server
+%{krb5prefix}/sbin/uuserver
diff --git a/sources b/sources
index 36c33fb..b1436e8 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-7ef90ed2727a64f4526cfff253eb1f6d krb5-1.7.tar.gz
-d4609117653b4e1656a9025f7720f44e krb5-1.7.tar.gz.asc
-9b6544a358108c5b2392ce86df7864f0 krb5-1.7-pdf.tar.gz
+9d79efba57423008e65efc5ff75405d6 krb5-1.7.1.tar.gz
+2197cc65ed90f00f92e5a27bd514b53b krb5-1.7.1.tar.gz.asc
+309139729539cf5ef403bb0dc7ae455b krb5-1.7.1-pdf.tar.gz
-- cgit