diff options
author | Tom Canich <tcanich@canich.net> | 2010-05-12 23:32:21 +0200 |
---|---|---|
committer | David Somero <xgizzmo@slackbuilds.org> | 2010-05-12 23:32:21 +0200 |
commit | 8631a96ddfe028076b77b0cdd84244faa78eca6b (patch) | |
tree | 68ea76f364c6454feae0de6f9d81338c79d013dd /network/krb5 | |
parent | 43858c38016b71d1112b70f70a4c37755140af55 (diff) |
network/krb5: Added to 12.2 repository
Diffstat (limited to 'network/krb5')
-rw-r--r-- | network/krb5/EXPORT | 13 | ||||
-rw-r--r-- | network/krb5/README | 5 | ||||
-rw-r--r-- | network/krb5/README.krb5 | 52 | ||||
-rw-r--r-- | network/krb5/config/kerberos.csh | 6 | ||||
-rw-r--r-- | network/krb5/config/kerberos.sh | 4 | ||||
-rw-r--r-- | network/krb5/krb5.SlackBuild | 114 | ||||
-rw-r--r-- | network/krb5/krb5.info | 7 | ||||
-rw-r--r-- | network/krb5/patches/2008-001-patch.txt | 337 | ||||
-rw-r--r-- | network/krb5/patches/2008-002-patch.txt | 72 | ||||
-rw-r--r-- | network/krb5/patches/2009-001-patch.txt | 187 | ||||
-rw-r--r-- | network/krb5/patches/2009-002-patch.txt | 35 | ||||
-rw-r--r-- | network/krb5/slack-desc | 19 |
12 files changed, 851 insertions, 0 deletions
diff --git a/network/krb5/EXPORT b/network/krb5/EXPORT new file mode 100644 index 000000000000..d868a9e27e65 --- /dev/null +++ b/network/krb5/EXPORT @@ -0,0 +1,13 @@ +EXPORT LAW WARNINGS: + + * Export of this software from the United States of America may be +subject to the Export Administration Regulations of the United States +Department of Commerce, currently (October 2003) codified as Title 15 +CFR Parts 730-774. + * You are responsible for complying with all applicable export +regulations, including obtaining an export license if required. + * You may not download this software if you are located in, or are +a citizen or national of, any country for which the US government +prohibits the export of encryption source code, currently (October +2003) Cuba, Iran, Iraq, Libya, North Korea, Sudan, or Syria. (15 CFR +Sections 734(b)(3), 740.13(e)(4)) diff --git a/network/krb5/README b/network/krb5/README new file mode 100644 index 000000000000..cf7ab7dde33f --- /dev/null +++ b/network/krb5/README @@ -0,0 +1,5 @@ +Kerberos is a network authentication protocol. It is designed to +provide strong authentication for client/server applications by using +secret-key cryptography. A free implementation of this protocol is +available from the Massachusetts Institute of Technology. Kerberos is +available in many commercial products as well. diff --git a/network/krb5/README.krb5 b/network/krb5/README.krb5 new file mode 100644 index 000000000000..72c522b6a7fe --- /dev/null +++ b/network/krb5/README.krb5 @@ -0,0 +1,52 @@ +Kerberos is a network authentication protocol. It is designed to +provide strong authentication for client/server applications by using +secret-key cryptography. A free implementation of this protocol is +available from the Massachusetts Institute of Technology. Kerberos is +available in many commercial products as well. + +The Internet is an insecure place. Many of the protocols used in the +Internet do not provide any security. Tools to "sniff" passwords off +of the network are in common use by malicious hackers. Thus, +applications which send an unencrypted password over the network are +extremely vulnerable. Worse yet, other client/server applications rely +on the client program to be "honest" about the identity of the user +who is using it. Other applications rely on the client to restrict its +activities to those which it is allowed to do, with no other +enforcement by the server. + +Some sites attempt to use firewalls to solve their network security +problems. Unfortunately, firewalls assume that "the bad guys" are on +the outside, which is often a very bad assumption. Most of the really +damaging incidents of computer crime are carried out by insiders. +Firewalls also have a significant disadvantage in that they restrict +how your users can use the Internet. (After all, firewalls are simply +a less extreme example of the dictum that there is nothing more secure +then a computer which is not connected to the network --- and powered +off!) In many places, these restrictions are simply unrealistic and +unacceptable. + +Kerberos was created by MIT as a solution to these network security +problems. The Kerberos protocol uses strong cryptography so that a +client can prove its identity to a server (and vice versa) across an +insecure network connection. After a client and server has used +Kerberos to prove their identity, they can also encrypt all of their +communications to assure privacy and data integrity as they go about +their business. + +Kerberos is freely available from MIT, under copyright permissions +very similar those used for the BSD operating system and the X Window +System. MIT provides Kerberos in source form so that anyone who wishes +to use it may look over the code for themselves and assure themselves +that the code is trustworthy. In addition, for those who prefer to +rely on a professionally supported product, Kerberos is available as a +product from many different vendors. + +In summary, Kerberos is a solution to your network security problems. +It provides the tools of authentication and strong cryptography over +the network to help you secure your information systems across your +entire enterprise. We hope you find Kerberos as useful as it has been +to us. At MIT, Kerberos has been invaluable to our +Information/Technology architecture. + +Additional information is available from the MIT Kerberos website: +http://web.mit.edu/kerberos/ diff --git a/network/krb5/config/kerberos.csh b/network/krb5/config/kerberos.csh new file mode 100644 index 000000000000..97c16debce1e --- /dev/null +++ b/network/krb5/config/kerberos.csh @@ -0,0 +1,6 @@ +#!/bin/csh +setenv PATH ${PATH}:/usr/kerberos/bin +setenv MANPATH ${MANPATH}:/usr/kerberosman/ +if ( "$uid" == "0") then + setenv PATH ${PATH}:/usr/kerberos/sbin +endif diff --git a/network/krb5/config/kerberos.sh b/network/krb5/config/kerberos.sh new file mode 100644 index 000000000000..d52b73439dc3 --- /dev/null +++ b/network/krb5/config/kerberos.sh @@ -0,0 +1,4 @@ +#!/bin/sh +PATH="$PATH:/usr/kerberos/bin" +MANPATH="$MANPATH:/usr/kerberos/man" +[ "$(id -u)" = "0" ] && PATH="$PATH:/usr/kerberos/sbin" diff --git a/network/krb5/krb5.SlackBuild b/network/krb5/krb5.SlackBuild new file mode 100644 index 000000000000..80d7d5a89969 --- /dev/null +++ b/network/krb5/krb5.SlackBuild @@ -0,0 +1,114 @@ +#!/bin/sh + +# Slackware build script for krb5 + +# Copyright (c) 2009, Tom Canich, State College, Pennsylvania, USA +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials +# provided with the distribution. +# * Neither the name of Tom Canich nor the names of other contributors +# may be used to endorse or promote products derived from this +# software without specific prior written written permission. +# +# THIS SOFTWARE IS PROVIDED BY Tom Canich ''AS IS'' AND ANY +# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL Tom Canich BE LIABLE FOR +# ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE +# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER +# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +PRGNAM=krb5 +VERSION=${VERSION:-1.6.3} +ARCH=${ARCH:-i486} +BUILD=${BUILD:-1} +TAG=${TAG:-_SBo} + +CWD=$(pwd) +TMP=${TMP:-/tmp/SBo} +PKG=$TMP/package-$PRGNAM +OUTPUT=${OUTPUT:-/tmp} + +if [ "$ARCH" = "i486" ]; then + SLKCFLAGS="-O2 -march=i486 -mtune=i686" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "i686" ]; then + SLKCFLAGS="-O2 -march=i686 -mtune=i686" + LIBDIRSUFFIX="" +elif [ "$ARCH" = "x86_64" ]; then + SLKCFLAGS="-O2 -fPIC" + LIBDIRSUFFIX="64" +fi + +set -e + +rm -rf $PKG +mkdir -p $TMP $PKG $OUTPUT +cd $TMP +rm -rf $PRGNAM-$VERSION +rm -f $TMP/$PRGNAM-$VERSION.tar.gz{,.asc} +tar xvf $CWD/$PRGNAM-$VERSION-signed.tar -C $TMP +tar xvf $TMP/$PRGNAM-$VERSION.tar.gz +cd $PRGNAM-$VERSION/src +patch -p0 -d .. < $CWD/patches/2008-001-patch.txt +patch -p0 -d .. < $CWD/patches/2008-002-patch.txt +patch -p0 -d .. < $CWD/patches/2009-001-patch.txt +patch -p0 -d .. < $CWD/patches/2009-002-patch.txt + +CFLAGS="$SLKCFLAGS" \ +CXXFLAGS="$SLKCFLAGS" \ +./configure \ + --prefix=/usr/kerberos \ + --sysconfdir=/etc \ + --localstatedir=/var \ + --mandir=/usr/kerberos/man \ + --without-krb4 \ + --enable-dns-for-realm \ + --with-ldap \ + --build=$ARCH-slackware-linux + +make +make install DESTDIR=$PKG + +mkdir -p $PKG/etc/profile.d/ +cat $CWD/config/kerberos.sh > $PKG/etc/profile.d/kerberos.sh +cat $CWD/config/kerberos.csh > $PKG/etc/profile.d/kerberos.csh +chmod 0755 $PKG/etc/profile.d/* + +( cd $PKG + find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | \ + xargs strip --strip-unneeded 2> /dev/null || true + find . | xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | \ + xargs strip --strip-unneeded 2> /dev/null +) + +( cd $PKG/usr/kerberos/man + find . -type f -exec gzip -9 {} \; + for i in $( find . -type l ) ; do ln -s $( readlink $i ).gz $i.gz ; rm $i ; done +) + +mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION +cp -a \ + $CWD/README $CWD/README.krb5 $CWD/EXPORT $CWD/patches \ + $PKG/usr/doc/$PRGNAM-$VERSION +cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild +chown -R root:root $PKG/usr/doc +find $PKG/usr/doc -type f -exec chmod 0644 {} \; + +mkdir -p $PKG/install +cat $CWD/slack-desc > $PKG/install/slack-desc + +cd $PKG +/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.tgz diff --git a/network/krb5/krb5.info b/network/krb5/krb5.info new file mode 100644 index 000000000000..bace9977ec5b --- /dev/null +++ b/network/krb5/krb5.info @@ -0,0 +1,7 @@ +PRGNAM="krb5" +VERSION="1.6.3" +HOMEPAGE="http://web.mit.edu/kerberos/" +DOWNLOAD="http://web.mit.edu/kerberos/dist/krb5/1.6/krb5-1.6.3-signed.tar" +MD5SUM="2dc1307686eb1c2bf1ab08ea805dad46" +MAINTAINER="Tom Canich" +EMAIL="tcanich@canich.net" diff --git a/network/krb5/patches/2008-001-patch.txt b/network/krb5/patches/2008-001-patch.txt new file mode 100644 index 000000000000..b26b9fddcf90 --- /dev/null +++ b/network/krb5/patches/2008-001-patch.txt @@ -0,0 +1,337 @@ +Index: src/kdc/dispatch.c +=================================================================== +--- src/kdc/dispatch.c (revision 20192) ++++ src/kdc/dispatch.c (working copy) +@@ -1,7 +1,7 @@ + /* + * kdc/dispatch.c + * +- * Copyright 1990 by the Massachusetts Institute of Technology. ++ * Copyright 1990, 2007 by the Massachusetts Institute of Technology. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. +@@ -107,7 +107,7 @@ + retval = KRB5KRB_AP_ERR_MSG_TYPE; + #ifndef NOCACHE + /* put the response into the lookaside buffer */ +- if (!retval) ++ if (!retval && *response != NULL) + kdc_insert_lookaside(pkt, *response); + #endif + +Index: src/kdc/kerberos_v4.c +=================================================================== +--- src/kdc/kerberos_v4.c (revision 20192) ++++ src/kdc/kerberos_v4.c (working copy) +@@ -1,7 +1,7 @@ + /* + * kdc/kerberos_v4.c + * +- * Copyright 1985, 1986, 1987, 1988,1991 by the Massachusetts Institute ++ * Copyright 1985, 1986, 1987, 1988,1991,2007 by the Massachusetts Institute + * of Technology. + * All Rights Reserved. + * +@@ -87,11 +87,6 @@ + #define MSB_FIRST 0 /* 68000, IBM RT/PC */ + #define LSB_FIRST 1 /* Vax, PC8086 */ + +-int f; +- +-/* XXX several files in libkdb know about this */ +-char *progname; +- + #ifndef BACKWARD_COMPAT + static Key_schedule master_key_schedule; + static C_Block master_key; +@@ -143,10 +138,8 @@ + #include "com_err.h" + #include "extern.h" /* to pick up master_princ */ + +-static krb5_data *response; +- +-void kerberos_v4 (struct sockaddr_in *, KTEXT); +-void kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *); ++static krb5_data *kerberos_v4 (struct sockaddr_in *, KTEXT); ++static krb5_data *kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *); + static int set_tgtkey (char *, krb5_kvno, krb5_boolean); + + /* Attributes converted from V5 to V4 - internal representation */ +@@ -262,12 +255,12 @@ + (void) klog(L_KRB_PERR, "V4 request too long."); + return KRB5KRB_ERR_FIELD_TOOLONG; + } ++ memset( &v4_pkt, 0, sizeof(v4_pkt)); + v4_pkt.length = pkt->length; + v4_pkt.mbz = 0; + memcpy( v4_pkt.dat, pkt->data, pkt->length); + +- kerberos_v4( &client_sockaddr, &v4_pkt); +- *resp = response; ++ *resp = kerberos_v4( &client_sockaddr, &v4_pkt); + return(retval); + } + +@@ -300,19 +293,20 @@ + } + + static +-int krb4_sendto(int s, const char *msg, int len, int flags, +- const struct sockaddr *to, int to_len) ++krb5_data *make_response(const char *msg, int len) + { ++ krb5_data *response; ++ + if ( !(response = (krb5_data *) malloc( sizeof *response))) { +- return ENOMEM; ++ return 0; + } + if ( !(response->data = (char *) malloc( len))) { + krb5_free_data(kdc_context, response); +- return ENOMEM; ++ return 0; + } + response->length = len; + memcpy( response->data, msg, len); +- return( 0); ++ return response; + } + static void + hang(void) +@@ -586,7 +580,7 @@ + *cp = 0; + } + +-void ++static krb5_data * + kerberos_v4(struct sockaddr_in *client, KTEXT pkt) + { + static KTEXT_ST rpkt_st; +@@ -599,8 +593,8 @@ + KTEXT auth = &auth_st; + AUTH_DAT ad_st; + AUTH_DAT *ad = &ad_st; ++ krb5_data *response = 0; + +- + static struct in_addr client_host; + static int msg_byte_order; + static int swap_bytes; +@@ -637,8 +631,7 @@ + inet_ntoa(client_host)); + /* send an error reply */ + req_name_ptr = req_inst_ptr = req_realm_ptr = ""; +- kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); +- return; ++ return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); + } + + /* check packet version */ +@@ -648,8 +641,7 @@ + KRB_PROT_VERSION, req_version, 0); + /* send an error reply */ + req_name_ptr = req_inst_ptr = req_realm_ptr = ""; +- kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); +- return; ++ return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); + } + msg_byte_order = req_msg_type & 1; + +@@ -707,10 +699,10 @@ + + if ((i = check_princ(req_name_ptr, req_inst_ptr, 0, + &a_name_data, &k5key, 0, &ck5life))) { +- kerb_err_reply(client, pkt, i, "check_princ failed"); ++ response = kerb_err_reply(client, pkt, i, "check_princ failed"); + a_name_data.key_low = a_name_data.key_high = 0; + krb5_free_keyblock_contents(kdc_context, &k5key); +- return; ++ return response; + } + /* don't use k5key for client */ + krb5_free_keyblock_contents(kdc_context, &k5key); +@@ -722,11 +714,11 @@ + /* this does all the checking */ + if ((i = check_princ(service, instance, lifetime, + &s_name_data, &k5key, 1, &sk5life))) { +- kerb_err_reply(client, pkt, i, "check_princ failed"); ++ response = kerb_err_reply(client, pkt, i, "check_princ failed"); + a_name_data.key_high = a_name_data.key_low = 0; + s_name_data.key_high = s_name_data.key_low = 0; + krb5_free_keyblock_contents(kdc_context, &k5key); +- return; ++ return response; + } + /* Bound requested lifetime with service and user */ + v4req_end = krb_life_to_time(kerb_time.tv_sec, req_life); +@@ -797,8 +789,7 @@ + rpkt = create_auth_reply(req_name_ptr, req_inst_ptr, + req_realm_ptr, req_time_ws, 0, a_name_data.exp_date, + a_name_data.key_version, ciph); +- krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0, +- (struct sockaddr *) client, sizeof (struct sockaddr_in)); ++ response = make_response((char *) rpkt->dat, rpkt->length); + memset(&a_name_data, 0, sizeof(a_name_data)); + memset(&s_name_data, 0, sizeof(s_name_data)); + break; +@@ -824,9 +815,8 @@ + lt = klog(L_KRB_PERR, + "APPL request with realm length too long from %s", + inet_ntoa(client_host)); +- kerb_err_reply(client, pkt, RD_AP_INCON, +- "realm length too long"); +- return; ++ return kerb_err_reply(client, pkt, RD_AP_INCON, ++ "realm length too long"); + } + + auth->length += (int) *(pkt->dat + auth->length) + +@@ -835,9 +825,8 @@ + lt = klog(L_KRB_PERR, + "APPL request with funky tkt or req_id length from %s", + inet_ntoa(client_host)); +- kerb_err_reply(client, pkt, RD_AP_INCON, +- "funky tkt or req_id length"); +- return; ++ return kerb_err_reply(client, pkt, RD_AP_INCON, ++ "funky tkt or req_id length"); + } + + memcpy(auth->dat, pkt->dat, auth->length); +@@ -848,18 +837,16 @@ + if ((!allow_v4_crossrealm)&&strcmp(tktrlm, local_realm) != 0) { + lt = klog(L_ERR_UNK, + "Cross realm ticket from %s denied by policy,", tktrlm); +- kerb_err_reply(client, pkt, +- KERB_ERR_PRINCIPAL_UNKNOWN, lt); +- return; ++ return kerb_err_reply(client, pkt, ++ KERB_ERR_PRINCIPAL_UNKNOWN, lt); + } + if (set_tgtkey(tktrlm, kvno, 0)) { +- lt = klog(L_ERR_UNK, ++ lt = klog(L_ERR_UNK, + "FAILED set_tgtkey realm %s, kvno %d. Host: %s ", + tktrlm, kvno, inet_ntoa(client_host)); + /* no better error code */ +- kerb_err_reply(client, pkt, +- KERB_ERR_PRINCIPAL_UNKNOWN, lt); +- return; ++ return kerb_err_reply(client, pkt, ++ KERB_ERR_PRINCIPAL_UNKNOWN, lt); + } + kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr, + ad, 0); +@@ -869,9 +856,8 @@ + "FAILED 3des set_tgtkey realm %s, kvno %d. Host: %s ", + tktrlm, kvno, inet_ntoa(client_host)); + /* no better error code */ +- kerb_err_reply(client, pkt, +- KERB_ERR_PRINCIPAL_UNKNOWN, lt); +- return; ++ return kerb_err_reply(client, pkt, ++ KERB_ERR_PRINCIPAL_UNKNOWN, lt); + } + kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr, + ad, 0); +@@ -881,8 +867,7 @@ + klog(L_ERR_UNK, "FAILED krb_rd_req from %s: %s", + inet_ntoa(client_host), krb_get_err_text(kerno)); + req_name_ptr = req_inst_ptr = req_realm_ptr = ""; +- kerb_err_reply(client, pkt, kerno, "krb_rd_req failed"); +- return; ++ return kerb_err_reply(client, pkt, kerno, "krb_rd_req failed"); + } + ptr = (char *) pkt->dat + auth->length; + +@@ -904,22 +889,21 @@ + req_realm_ptr = ad->prealm; + + if (strcmp(ad->prealm, tktrlm)) { +- kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, +- "Can't hop realms"); +- return; ++ return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, ++ "Can't hop realms"); + } + if (!strcmp(service, "changepw")) { +- kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, +- "Can't authorize password changed based on TGT"); +- return; ++ return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, ++ "Can't authorize password changed based on TGT"); + } + kerno = check_princ(service, instance, req_life, + &s_name_data, &k5key, 1, &sk5life); + if (kerno) { +- kerb_err_reply(client, pkt, kerno, "check_princ failed"); ++ response = kerb_err_reply(client, pkt, kerno, ++ "check_princ failed"); + s_name_data.key_high = s_name_data.key_low = 0; + krb5_free_keyblock_contents(kdc_context, &k5key); +- return; ++ return response; + } + /* Bound requested lifetime with service and user */ + v4endtime = krb_life_to_time((KRB4_32)ad->time_sec, ad->life); +@@ -975,8 +959,7 @@ + rpkt = create_auth_reply(ad->pname, ad->pinst, + ad->prealm, time_ws, + 0, 0, 0, ciph); +- krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0, +- (struct sockaddr *) client, sizeof (struct sockaddr_in)); ++ response = make_response((char *) rpkt->dat, rpkt->length); + memset(&s_name_data, 0, sizeof(s_name_data)); + break; + } +@@ -1001,6 +984,7 @@ + break; + } + } ++ return response; + } + + +@@ -1010,7 +994,7 @@ + * client. + */ + +-void ++static krb5_data * + kerb_err_reply(struct sockaddr_in *client, KTEXT pkt, long int err, char *string) + { + static KTEXT_ST e_pkt_st; +@@ -1021,9 +1005,7 @@ + strncat(e_msg, string, sizeof(e_msg) - 1 - 19); + cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr, + req_time_ws, err, e_msg); +- krb4_sendto(f, (char *) e_pkt->dat, e_pkt->length, 0, +- (struct sockaddr *) client, sizeof (struct sockaddr_in)); +- ++ return make_response((char *) e_pkt->dat, e_pkt->length); + } + + static int +Index: src/kdc/network.c +=================================================================== +--- src/kdc/network.c (revision 20192) ++++ src/kdc/network.c (working copy) +@@ -1,7 +1,7 @@ + /* + * kdc/network.c + * +- * Copyright 1990,2000 by the Massachusetts Institute of Technology. ++ * Copyright 1990,2000,2007 by the Massachusetts Institute of Technology. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. +@@ -747,6 +747,8 @@ + com_err(prog, retval, "while dispatching (udp)"); + return; + } ++ if (response == NULL) ++ return; + cc = sendto(port_fd, response->data, (socklen_t) response->length, 0, + (struct sockaddr *)&saddr, saddr_len); + if (cc == -1) { diff --git a/network/krb5/patches/2008-002-patch.txt b/network/krb5/patches/2008-002-patch.txt new file mode 100644 index 000000000000..b2bb46b65116 --- /dev/null +++ b/network/krb5/patches/2008-002-patch.txt @@ -0,0 +1,72 @@ +--- src/lib/rpc/svc.c (revision 1666) ++++ src/lib/rpc/svc.c (local) +@@ -109,15 +109,17 @@ + if (sock < FD_SETSIZE) { + xports[sock] = xprt; + FD_SET(sock, &svc_fdset); ++ if (sock > svc_maxfd) ++ svc_maxfd = sock; + } + #else + if (sock < NOFILE) { + xports[sock] = xprt; + svc_fds |= (1 << sock); ++ if (sock > svc_maxfd) ++ svc_maxfd = sock; + } + #endif /* def FD_SETSIZE */ +- if (sock > svc_maxfd) +- svc_maxfd = sock; + } + + /* + +--- src/lib/rpc/svc_tcp.c (revision 1666) ++++ src/lib/rpc/svc_tcp.c (local) +@@ -54,6 +54,14 @@ + extern errno; + */ + ++#ifndef FD_SETSIZE ++#ifdef NBBY ++#define NOFILE (sizeof(int) * NBBY) ++#else ++#define NOFILE (sizeof(int) * 8) ++#endif ++#endif ++ + /* + * Ops vector for TCP/IP based rpc service handle + */ +@@ -215,6 +223,19 @@ + register SVCXPRT *xprt; + register struct tcp_conn *cd; + ++#ifdef FD_SETSIZE ++ if (fd >= FD_SETSIZE) { ++ (void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n"); ++ xprt = NULL; ++ goto done; ++ } ++#else ++ if (fd >= NOFILE) { ++ (void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n"); ++ xprt = NULL; ++ goto done; ++ } ++#endif + xprt = (SVCXPRT *)mem_alloc(sizeof(SVCXPRT)); + if (xprt == (SVCXPRT *)NULL) { + (void) fprintf(stderr, "svc_tcp: makefd_xprt: out of memory\n"); +@@ -271,6 +292,10 @@ + * make a new transporter (re-uses xprt) + */ + xprt = makefd_xprt(sock, r->sendsize, r->recvsize); ++ if (xprt == NULL) { ++ close(sock); ++ return (FALSE); ++ } + xprt->xp_raddr = addr; + xprt->xp_addrlen = len; + xprt->xp_laddr = laddr; + diff --git a/network/krb5/patches/2009-001-patch.txt b/network/krb5/patches/2009-001-patch.txt new file mode 100644 index 000000000000..7485169ae42e --- /dev/null +++ b/network/krb5/patches/2009-001-patch.txt @@ -0,0 +1,187 @@ +--- src/lib/gssapi/spnego/spnego_mech.c ++++ src/lib/gssapi/spnego/spnego_mech.c +@@ -54,8 +54,8 @@ typedef const gss_OID_desc *gss_OID_const; + + /* der routines defined in libgss */ + extern unsigned int gssint_der_length_size(OM_uint32); +-extern int gssint_get_der_length(unsigned char **, OM_uint32, OM_uint32*); +-extern int gssint_put_der_length(OM_uint32, unsigned char **, OM_uint32); ++extern int gssint_get_der_length(unsigned char **, OM_uint32, unsigned int*); ++extern int gssint_put_der_length(OM_uint32, unsigned char **, unsigned int); + + + /* private routines for spnego_mechanism */ +@@ -1249,7 +1249,8 @@ spnego_gss_accept_sec_context(void *ct, + } + cleanup: + if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) { +- tmpret = make_spnego_tokenTarg_msg(negState, sc->internal_mech, ++ tmpret = make_spnego_tokenTarg_msg(negState, ++ sc ? sc->internal_mech : GSS_C_NO_OID, + &mechtok_out, mic_out, + return_token, + output_token); +@@ -1802,22 +1803,16 @@ static gss_buffer_t + get_input_token(unsigned char **buff_in, unsigned int buff_length) + { + gss_buffer_t input_token; +- unsigned int bytes; ++ unsigned int len; + +- if (**buff_in != OCTET_STRING) ++ if (g_get_tag_and_length(buff_in, OCTET_STRING, buff_length, &len) < 0) + return (NULL); + +- (*buff_in)++; + input_token = (gss_buffer_t)malloc(sizeof (gss_buffer_desc)); +- + if (input_token == NULL) + return (NULL); + +- input_token->length = gssint_get_der_length(buff_in, buff_length, &bytes); +- if ((int)input_token->length == -1) { +- free(input_token); +- return (NULL); +- } ++ input_token->length = len; + input_token->value = malloc(input_token->length); + + if (input_token->value == NULL) { +@@ -1869,8 +1864,8 @@ get_mech_set(OM_uint32 *minor_status, unsigned char **buff_in, + { + gss_OID_set returned_mechSet; + OM_uint32 major_status; +- OM_uint32 length; +- OM_uint32 bytes; ++ int length; ++ unsigned int bytes; + OM_uint32 set_length; + unsigned char *start; + int i; +@@ -1882,22 +1877,25 @@ get_mech_set(OM_uint32 *minor_status, unsigned char **buff_in, + (*buff_in)++; + + length = gssint_get_der_length(buff_in, buff_length, &bytes); ++ if (length < 0 || buff_length - bytes < (unsigned int)length) ++ return NULL; + + major_status = gss_create_empty_oid_set(minor_status, + &returned_mechSet); + if (major_status != GSS_S_COMPLETE) + return (NULL); + +- for (set_length = 0, i = 0; set_length < length; i++) { ++ for (set_length = 0, i = 0; set_length < (unsigned int)length; i++) { + gss_OID_desc *temp = get_mech_oid(minor_status, buff_in, + buff_length - (*buff_in - start)); +- if (temp != NULL) { +- major_status = gss_add_oid_set_member(minor_status, +- temp, &returned_mechSet); +- if (major_status == GSS_S_COMPLETE) { ++ if (temp == NULL) ++ break; ++ ++ major_status = gss_add_oid_set_member(minor_status, ++ temp, &returned_mechSet); ++ if (major_status == GSS_S_COMPLETE) { + set_length += returned_mechSet->elements[i].length +2; + generic_gss_release_oid(minor_status, &temp); +- } + } + } + +@@ -2097,7 +2095,7 @@ get_negTokenResp(OM_uint32 *minor_status, + return GSS_S_DEFECTIVE_TOKEN; + if (*ptr++ == SEQUENCE) { + tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); +- if (tmplen < 0) ++ if (tmplen < 0 || REMAIN < (unsigned int)tmplen) + return GSS_S_DEFECTIVE_TOKEN; + } + if (REMAIN < 1) +@@ -2107,7 +2105,7 @@ get_negTokenResp(OM_uint32 *minor_status, + + if (tag == CONTEXT) { + tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); +- if (tmplen < 0) ++ if (tmplen < 0 || REMAIN < (unsigned int)tmplen) + return GSS_S_DEFECTIVE_TOKEN; + + if (g_get_tag_and_length(&ptr, ENUMERATED, +@@ -2128,7 +2126,7 @@ get_negTokenResp(OM_uint32 *minor_status, + } + if (tag == (CONTEXT | 0x01)) { + tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); +- if (tmplen < 0) ++ if (tmplen < 0 || REMAIN < (unsigned int)tmplen) + return GSS_S_DEFECTIVE_TOKEN; + + *supportedMech = get_mech_oid(minor_status, &ptr, REMAIN); +@@ -2142,7 +2140,7 @@ get_negTokenResp(OM_uint32 *minor_status, + } + if (tag == (CONTEXT | 0x02)) { + tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); +- if (tmplen < 0) ++ if (tmplen < 0 || REMAIN < (unsigned int)tmplen) + return GSS_S_DEFECTIVE_TOKEN; + + *responseToken = get_input_token(&ptr, REMAIN); +@@ -2156,7 +2154,7 @@ get_negTokenResp(OM_uint32 *minor_status, + } + if (tag == (CONTEXT | 0x03)) { + tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); +- if (tmplen < 0) ++ if (tmplen < 0 || REMAIN < (unsigned int)tmplen) + return GSS_S_DEFECTIVE_TOKEN; + + *mechListMIC = get_input_token(&ptr, REMAIN); +@@ -2464,6 +2462,8 @@ make_spnego_tokenTarg_msg(OM_uint32 status, gss_OID mech_wanted, + + if (outbuf == GSS_C_NO_BUFFER) + return (GSS_S_DEFECTIVE_TOKEN); ++ if (sendtoken == INIT_TOKEN_SEND && mech_wanted == GSS_C_NO_OID) ++ return (GSS_S_DEFECTIVE_TOKEN); + + outbuf->length = 0; + outbuf->value = NULL; +@@ -2715,7 +2715,7 @@ g_get_tag_and_length(unsigned char **buf, int tag, + &encoded_len); + if (tmplen < 0) { + ret = -1; +- } else if (tmplen > buflen - (ptr - *buf)) { ++ } else if ((unsigned int)tmplen > buflen - (ptr - *buf)) { + ret = -1; + } else + ret = 0; +--- src/lib/krb5/asn.1/asn1buf.c ++++ src/lib/krb5/asn.1/asn1buf.c +@@ -78,11 +78,11 @@ asn1_error_code asn1buf_wrap_data(asn1buf *buf, const krb5_data *code) + + asn1_error_code asn1buf_imbed(asn1buf *subbuf, const asn1buf *buf, const unsigned int length, const int indef) + { ++ if (buf->next > buf->bound + 1) return ASN1_OVERRUN; + subbuf->base = subbuf->next = buf->next; + if (!indef) { ++ if (length > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN; + subbuf->bound = subbuf->base + length - 1; +- if (subbuf->bound > buf->bound) +- return ASN1_OVERRUN; + } else /* constructed indefinite */ + subbuf->bound = buf->bound; + return 0; +@@ -200,6 +200,7 @@ asn1_error_code asn1buf_remove_octetstring(asn1buf *buf, const unsigned int len, + { + int i; + ++ if (buf->next > buf->bound + 1) return ASN1_OVERRUN; + if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN; + if (len == 0) { + *s = 0; +@@ -218,6 +219,7 @@ asn1_error_code asn1buf_remove_charstring(asn1buf *buf, const unsigned int len, + { + int i; + ++ if (buf->next > buf->bound + 1) return ASN1_OVERRUN; + if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN; + if (len == 0) { + *s = 0; diff --git a/network/krb5/patches/2009-002-patch.txt b/network/krb5/patches/2009-002-patch.txt new file mode 100644 index 000000000000..49bf29f07cd9 --- /dev/null +++ b/network/krb5/patches/2009-002-patch.txt @@ -0,0 +1,35 @@ +--- src/lib/krb5/asn.1/asn1_decode.c ++++ src/lib/krb5/asn.1/asn1_decode.c +@@ -231,6 +231,7 @@ asn1_error_code asn1_decode_generaltime(asn1buf *buf, time_t *val) + + if(length != 15) return ASN1_BAD_LENGTH; + retval = asn1buf_remove_charstring(buf,15,&s); ++ if (retval) return retval; + /* Time encoding: YYYYMMDDhhmmssZ */ + if(s[14] != 'Z') { + free(s); +--- src/tests/asn.1/krb5_decode_test.c ++++ src/tests/asn.1/krb5_decode_test.c +@@ -485,6 +485,22 @@ int main(argc, argv) + ktest_destroy_keyblock(&(ref.subkey)); + ref.seq_number = 0; + decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part); ++ ++ retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40"); ++ if (retval) { ++ com_err("krb5_decode_test", retval, "while parsing"); ++ exit(1); ++ } ++ retval = decode_krb5_ap_rep_enc_part(&code, &var); ++ if (retval != ASN1_OVERRUN) { ++ printf("ERROR: "); ++ } else { ++ printf("OK: "); ++ } ++ printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n"); ++ krb5_free_data_contents(test_context, &code); ++ krb5_free_ap_rep_enc_part(test_context, var); ++ + ktest_empty_ap_rep_enc_part(&ref); + } + diff --git a/network/krb5/slack-desc b/network/krb5/slack-desc new file mode 100644 index 000000000000..5ddc92189c46 --- /dev/null +++ b/network/krb5/slack-desc @@ -0,0 +1,19 @@ +# HOW TO EDIT THIS FILE: +# The "handy ruler" below makes it easier to edit a package description. Line +# up the first '|' above the ':' following the base package name, and the '|' +# on the right side marks the last column you can put a character in. You must +# make exactly 11 lines for the formatting to be correct. It's also +# customary to leave one space after the ':'. + + |-----handy-ruler--------------------------------------------------------| +krb5: krb5 (network authentication protocol) +krb5: +krb5: Kerberos is a network authentication protocol. It is designed to +krb5: provide strong authentication for client/server applications by using +krb5: secret-key cryptography. A free implementation of this protocol is +krb5: available from the Massachusetts Institute of Technology. Kerberos is +krb5: available in many commercial products as well. +krb5: +krb5: Homepage: http://web.mit.edu/kerberos/ +krb5: +krb5: |