Hello community, here is the log from the commit of package krb5 checked in at Thu Aug 9 20:01:30 CEST 2007. --------
--- krb5/krb5.changes 2007-07-12 17:26:39.000000000 +0200
+++ /mounts/work_src_done/STABLE/krb5/krb5.changes 2007-08-07 12:15:15.012869000 +0200
@@ -1,0 +2,13 @@
+Tue Aug 7 11:56:41 CEST 2007 - mc@suse.de
+
+- add krb5-1.6.2-post.dif
+ * during the referrals loop, check to see if the
+ session key enctype of a returned credential for the final
+ service is among the enctypes explicitly selected by the
+ application, and retry with old_use_conf_ktypes if it is not.
+ * If mkstemp() is available, the new ccache file gets created but
+ the subsequent open(O_CREAT|O_EXCL) call fails because the file
+ was already created by mkstemp(). Apply patch from Apple to keep
+ the file descriptor open.
+
+-------------------------------------------------------------------
--- krb5/krb5-plugins.changes 2007-07-12 17:26:39.000000000 +0200
+++ /mounts/work_src_done/STABLE/krb5/krb5-plugins.changes 2007-08-07 12:15:15.022862000 +0200
@@ -1,0 +2,13 @@
+Tue Aug 7 11:59:05 CEST 2007 - mc@suse.de
+
+- add krb5-1.6.2-post.dif
+ * during the referrals loop, check to see if the
+ session key enctype of a returned credential for the final
+ service is among the enctypes explicitly selected by the
+ application, and retry with old_use_conf_ktypes if it is not.
+ * If mkstemp() is available, the new ccache file gets created but
+ the subsequent open(O_CREAT|O_EXCL) call fails because the file
+ was already created by mkstemp(). Apply patch from Apple to keep
+ the file descriptor open.
+
+-------------------------------------------------------------------
New: ---- krb5-1.6.2-post.dif ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ krb5-doc.spec ++++++
--- /var/tmp/diff_new_pack.q17291/_old 2007-08-09 20:00:34.000000000 +0200
+++ /var/tmp/diff_new_pack.q17291/_new 2007-08-09 20:00:34.000000000 +0200
@@ -13,7 +13,7 @@ Name: krb5-doc BuildRequires: ghostscript-library latex2html texlive Version: 1.6.2 -Release: 1 +Release: 12 %define srcRoot krb5-1.6.2 Summary: MIT Kerberos5 Implementation--Documentation License: X11/MIT @@ -27,10 +27,10 @@ BuildArchitectures: noarch %description -Kerberos V5 is a trusted-third-party network authentication system, -which can improve your network's security by eliminating the insecure -practice of clear text passwords. This package includes extended -documentation for MIT Kerberos. +Kerberos V5 is a trusted-third-party network authentication +system,which can improve your network's security by eliminating the +insecurepractice of clear text passwords. This package includes +extended documentation for MIT Kerberos. ++++++ krb5-plugins.spec ++++++ --- /var/tmp/diff_new_pack.q17291/_old 2007-08-09 20:00:34.000000000 +0200 +++ /var/tmp/diff_new_pack.q17291/_new 2007-08-09 20:00:34.000000000 +0200 @@ -13,7 +13,7 @@ Name: krb5-plugins Version: 1.6.2 -Release: 1 +Release: 2 BuildRequires: bison krb5-devel ncurses-devel openldap2-devel %define srcRoot krb5-1.6.2 %define vendorFiles %{_builddir}/%{srcRoot}/vendor-files/ @@ -31,6 +31,7 @@ Patch1: krb5-1.5.1-fix-too-few-arguments.dif Patch2: krb5-1.6.1-compile_pie.dif Patch3: krb5-1.4-fix-segfault.dif +Patch4: krb5-1.6.2-post.dif Patch6: trunk-EncryptWithMasterKey.dif Patch14: warning-fix-lib-crypto-des.dif Patch15: warning-fix-lib-crypto-dk.dif @@ -95,6 +96,7 @@ %patch1 %patch2 %patch3 +%patch4 %patch6 %patch14 %patch15 
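Review bot: The re-wrapped %description in the krb5-doc.spec hunk `@@ -27,10 +27,10 @@` drops the space at two of the new line joins, so the packaged text now reads `system,which` and `insecurepractice`. Restoring the words gives `+system, which can improve your network's security by eliminating the` and `+insecure practice of clear text passwords. This package includes`. The Release bumps and the Patch4 lines in the krb5-plugins.spec hunks on this line match what krb5.spec does further down and need nothing more.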
@@ -205,6 +207,16 @@ %{_mandir}/man8/* %changelog +* Tue Aug 07 2007 - mc@suse.de +- add krb5-1.6.2-post.dif + * during the referrals loop, check to see if the + session key enctype of a returned credential for the final + service is among the enctypes explicitly selected by the + application, and retry with old_use_conf_ktypes if it is not. + * If mkstemp() is available, the new ccache file gets created but + the subsequent open(O_CREAT|O_EXCL) call fails because the file + was already created by mkstemp(). Apply patch from Apple to keep + the file descriptor open. * Thu Jul 12 2007 - mc@suse.de - update to version 1.6.2 - remove krb5-1.6.1-post.dif all fixes are included in this release ++++++ krb5.spec ++++++ --- /var/tmp/diff_new_pack.q17291/_old 2007-08-09 20:00:34.000000000 +0200 +++ /var/tmp/diff_new_pack.q17291/_new 2007-08-09 20:00:34.000000000 +0200 @@ -12,7 +12,7 @@ Name: krb5 Version: 1.6.2 -Release: 1 +Release: 9 BuildRequires: bison libcom_err-devel ncurses-devel %if %{suse_version} > 1010 BuildRequires: keyutils keyutils-devel @@ -35,6 +35,7 @@ Patch1: krb5-1.5.1-fix-too-few-arguments.dif Patch2: krb5-1.6.1-compile_pie.dif Patch3: krb5-1.4-fix-segfault.dif +Patch4: krb5-1.6.2-post.dif Patch6: trunk-EncryptWithMasterKey.dif Patch14: warning-fix-lib-crypto-des.dif Patch15: warning-fix-lib-crypto-dk.dif @@ -186,6 +187,7 @@ %patch1 %patch2 %patch3 +%patch4 %patch6 %patch14 %patch15 
@@ -509,6 +511,16 @@ %{_mandir}/man1/krb5-config.1* %changelog +* Tue Aug 07 2007 - mc@suse.de +- add krb5-1.6.2-post.dif + * during the referrals loop, check to see if the + session key enctype of a returned credential for the final + service is among the enctypes explicitly selected by the + application, and retry with old_use_conf_ktypes if it is not. + * If mkstemp() is available, the new ccache file gets created but + the subsequent open(O_CREAT|O_EXCL) call fails because the file + was already created by mkstemp(). Apply patch from Apple to keep + the file descriptor open. * Thu Jul 12 2007 - mc@suse.de - update to version 1.6.2 - remove krb5-1.6.1-post.dif all fixes are included in this release ++++++ krb5-1.6.2-post.dif ++++++ Index: src/lib/krb5/ccache/cc_file.c =================================================================== --- src/lib/krb5/ccache/cc_file.c (.../tags/krb5-1-6-2-final) (Revision 19755) +++ src/lib/krb5/ccache/cc_file.c (.../branches/krb5-1-6) (Revision 19755) @@ -1954,6 +1954,9 @@ char scratch[sizeof(TKT_ROOT)+6+1]; /* +6 for the scratch part, +1 for NUL */ krb5_fcc_data *data; + krb5_int16 fcc_fvno = htons(context->fcc_default_format); + krb5_int16 fcc_flen = 0; + int errsave, cnt; /* Allocate memory */ lid = (krb5_ccache) malloc(sizeof(struct _krb5_ccache)); @@ -1968,13 +1971,20 @@ ret = mkstemp(scratch); if (ret == -1) { return krb5_fcc_interpret(context, errno); - } else close(ret); + } #else /*HAVE_MKSTEMP*/ mktemp(scratch); + /* Make sure the file name is reserved */ + ret = THREEPARAMOPEN(scratch, O_CREAT | O_EXCL | O_WRONLY | O_BINARY, 0); + if (ret == -1) { + return krb5_fcc_interpret(context, errno); + } #endif lid->data = (krb5_pointer) malloc(sizeof(krb5_fcc_data)); if (lid->data == NULL) { + close(ret); + unlink(scratch); krb5_xfree(lid); return KRB5_CC_NOMEM; } 
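Review bot: In the `#else /*HAVE_MKSTEMP*/` branch of the cc_file.c hunk `@@ -1968,13 +1971,20 @@` the new `THREEPARAMOPEN` failure path returns straight out of the function while `lid`, allocated just above with `malloc(sizeof(struct _krb5_ccache))`, is still live, so that error leaks it; the pre-existing `mkstemp` failure return a few lines earlier has the same leak. Both should release it before returning, saving errno first in case the free disturbs it: `errsave = errno; krb5_xfree(lid); return krb5_fcc_interpret(context, errsave);` (`errsave` is declared by the first hunk of this file). The `close(ret); unlink(scratch);` added for the `lid->data == NULL` case is correct as a direct return, since `err_out` frees fields that do not exist yet at that point. The enclosing function starts before this hunk and its body continues in the following hunks.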
@@ -1982,6 +1992,8 @@ ((krb5_fcc_data *) lid->data)->filename = (char *) malloc(strlen(scratch) + 1); if (((krb5_fcc_data *) lid->data)->filename == NULL) { + close(ret); + unlink(scratch); krb5_xfree(((krb5_fcc_data *) lid->data)); krb5_xfree(lid); return KRB5_CC_NOMEM; 
@@ -1996,63 +2008,54 @@ data = (krb5_fcc_data *) lid->data; retcode = k5_mutex_init(&data->lock); - if (retcode) + if (retcode) { + close(ret); + unlink(scratch); goto err_out; + } /* Set up the filename */ strcpy(((krb5_fcc_data *) lid->data)->filename, scratch); - /* Make sure the file name is reserved */ - ret = THREEPARAMOPEN(((krb5_fcc_data *) lid->data)->filename, - O_CREAT | O_EXCL | O_WRONLY | O_BINARY, 0); - if (ret == -1) { - retcode = krb5_fcc_interpret(context, errno); - goto err_out; - } else { - krb5_int16 fcc_fvno = htons(context->fcc_default_format); - krb5_int16 fcc_flen = 0; - int errsave, cnt; - - /* Ignore user's umask, set mode = 0600 */ + /* Ignore user's umask, set mode = 0600 */ #ifndef HAVE_FCHMOD #ifdef HAVE_CHMOD - chmod(((krb5_fcc_data *) lid->data)->filename, S_IRUSR | S_IWUSR); + chmod(((krb5_fcc_data *) lid->data)->filename, S_IRUSR | S_IWUSR); #endif #else - fchmod(ret, S_IRUSR | S_IWUSR); + fchmod(ret, S_IRUSR | S_IWUSR); #endif - if ((cnt = write(ret, (char *)&fcc_fvno, sizeof(fcc_fvno))) - != sizeof(fcc_fvno)) { - errsave = errno; - (void) close(ret); - (void) unlink(((krb5_fcc_data *) lid->data)->filename); - retcode = (cnt == -1) ? krb5_fcc_interpret(context, errsave) : KRB5_CC_IO; - goto err_out; + if ((cnt = write(ret, (char *)&fcc_fvno, sizeof(fcc_fvno))) + != sizeof(fcc_fvno)) { + errsave = errno; + (void) close(ret); + (void) unlink(((krb5_fcc_data *) lid->data)->filename); + retcode = (cnt == -1) ? krb5_fcc_interpret(context, errsave) : KRB5_CC_IO; + goto err_out; + } + /* For version 4 we save a length for the rest of the header */ + if (context->fcc_default_format == KRB5_FCC_FVNO_4) { + if ((cnt = write(ret, (char *)&fcc_flen, sizeof(fcc_flen))) + != sizeof(fcc_flen)) { + errsave = errno; + (void) close(ret); + (void) unlink(((krb5_fcc_data *) lid->data)->filename); + retcode = (cnt == -1) ? 
krb5_fcc_interpret(context, errsave) : KRB5_CC_IO; + goto err_out; } - /* For version 4 we save a length for the rest of the header */ - if (context->fcc_default_format == KRB5_FCC_FVNO_4) { - if ((cnt = write(ret, (char *)&fcc_flen, sizeof(fcc_flen))) - != sizeof(fcc_flen)) { - errsave = errno; - (void) close(ret); - (void) unlink(((krb5_fcc_data *) lid->data)->filename); - retcode = (cnt == -1) ? krb5_fcc_interpret(context, errsave) : KRB5_CC_IO; - goto err_out; - } - } - if (close(ret) == -1) { - errsave = errno; - (void) unlink(((krb5_fcc_data *) lid->data)->filename); - retcode = krb5_fcc_interpret(context, errsave); - goto err_out; - } - *id = lid; - /* default to open/close on every trn - otherwise destroy - will get as to state confused */ - ((krb5_fcc_data *) lid->data)->flags = KRB5_TC_OPENCLOSE; - krb5_change_cache (); - return KRB5_OK; } + if (close(ret) == -1) { + errsave = errno; + (void) unlink(((krb5_fcc_data *) lid->data)->filename); + retcode = krb5_fcc_interpret(context, errsave); + goto err_out; + } + *id = lid; + /* default to open/close on every trn - otherwise destroy + will get as to state confused */ + ((krb5_fcc_data *) lid->data)->flags = KRB5_TC_OPENCLOSE; + krb5_change_cache (); + return KRB5_OK; err_out: krb5_xfree(((krb5_fcc_data *) lid->data)->filename); Index: src/lib/krb5/krb/gc_frm_kdc.c =================================================================== --- src/lib/krb5/krb/gc_frm_kdc.c (.../tags/krb5-1-6-2-final) (Revision 19755) +++ src/lib/krb5/krb/gc_frm_kdc.c (.../branches/krb5-1-6) (Revision 19755) @@ -906,7 +906,6 @@ /* Whether or not that succeeded, we're done. */ goto cleanup; } - else { /* Referral request succeeded; let's see what it is. */ if (krb5_principal_compare(context, in_cred->server, (*out_cred)->server)) { 
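Review bot: The three error paths this hunk rewrites — the `k5_mutex_init` failure and the two short `write` checks — each repeat `close(ret)` followed by `unlink(...)` before `goto err_out`, and the first of them omits the `(void)` casts the other two carry, so a later error path added here could easily leave a half-written cache file behind. A single `err_close:` label placed ahead of `err_out:` keeps the close-then-unlink order in one place; `scratch` and `filename` hold the same string after the `strcpy` just above, so the label can use `scratch`, and `krb5_fcc_interpret` can take `errno` directly because it is now evaluated before the close. The final `close(ret) == -1` check keeps its own unlink-only path, since the descriptor is already gone there, and the direct returns in the two earlier hunks cannot use the label because `err_out` frees fields they have not yet allocated. The enclosing function and the `err_out` cleanup continue past this hunk.
```c
    retcode = k5_mutex_init(&data->lock);
    if (retcode) {
        goto err_close;
    }
    /* … unchanged: strcpy of filename, umask/fchmod handling … */
    if ((cnt = write(ret, (char *)&fcc_fvno, sizeof(fcc_fvno))) != sizeof(fcc_fvno)) {
        retcode = (cnt == -1) ? krb5_fcc_interpret(context, errno) : KRB5_CC_IO;
        goto err_close;
    }
    /* For version 4 we save a length for the rest of the header */
    if (context->fcc_default_format == KRB5_FCC_FVNO_4) {
        if ((cnt = write(ret, (char *)&fcc_flen, sizeof(fcc_flen))) != sizeof(fcc_flen)) {
            retcode = (cnt == -1) ? krb5_fcc_interpret(context, errno) : KRB5_CC_IO;
            goto err_close;
        }
    }
    /* … unchanged: final close check, *id = lid, flags, krb5_change_cache, return KRB5_OK … */
err_close:
    (void) close(ret);
    (void) unlink(scratch);
err_out:
    /* … unchanged: existing err_out cleanup … */
```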
@@ -914,8 +913,40 @@ "for requested server principal\n")); DUMP_PRINC("gc_from_kdc final referred reply", in_cred->server); + + /* + * Check if the return enctype is one that we requested if + * needed. + */ + if (old_use_conf_ktypes || context->tgs_ktype_count == 0) goto cleanup; + for (i = 0; i < context->tgs_ktype_count; i++) { + if ((*out_cred)->keyblock.enctype == context->tgs_ktypes[i]) { + /* Found an allowable etype, so we're done */ + goto cleanup; + } } + /* + * We need to try again, but this time use the + * tgs_ktypes in the context. At this point we should + * have all the tgts to succeed. + */ + + /* Free "wrong" credential */ + krb5_free_creds(context, *out_cred); + *out_cred = NULL; + /* Re-establish tgs etypes */ + context->use_conf_ktypes = old_use_conf_ktypes; + retval = krb5_get_cred_via_tkt(context, tgtptr, + KDC_OPT_CANONICALIZE | + FLAGS2OPTS(tgtptr->ticket_flags) | + kdcopt | + (in_cred->second_ticket.length ? + KDC_OPT_ENC_TKT_IN_SKEY : 0), + tgtptr->addresses, + in_cred, out_cred); + goto cleanup; + } else if (IS_TGS_PRINC(context, (*out_cred)->server)) { krb5_data *r1, *r2; @@ -978,7 +1009,6 @@ krb5_free_creds(context, *out_cred); *out_cred = NULL; break; - } } } ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org
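Review bot: The retry in the `@@ -914,8 +913,40 @@` hunk is not checked against `context->tgs_ktypes` the way the first answer was: after `krb5_get_cred_via_tkt` returns, `goto cleanup` hands back whatever credential the KDC chose, so if the KDC still issues a session key with an enctype outside the application's explicit selection the caller receives it anyway, and the block comment above the loop promises more than the code enforces. Either run the retried credential through the same enctype loop and treat a second mismatch as a failure, or state the limitation next to the retry, e.g. `/* The retried credential is not re-validated; a KDC that ignores the requested enctypes can still return a session key the application excluded. */`. Two smaller points: `if (old_use_conf_ktypes || context->tgs_ktype_count == 0) goto cleanup;` is an unbraced single-line guard and would read more safely braced like the `if` inside the loop, and the loop index `i` is not declared in this hunk, so it presumably comes from the enclosing function. The enclosing referrals loop and the `cleanup` label lie outside the hunk, and the paired `}` removal in `@@ -978,7 +1009,6 @@` matches the `else {` dropped in the previous hunk.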