diff options
| author | Cy Schubert <cy@FreeBSD.org> | 2007-04-23 22:10:09 +0000 |
|---|---|---|
| committer | Cy Schubert <cy@FreeBSD.org> | 2007-04-23 22:10:09 +0000 |
| commit | 9abfecf5f8154f4958d0037dada2650adcbcc1cb (patch) | |
| tree | 9dcb5c06291e274ad4ca79670e742227c6106c46 /security/krb5-appl | |
| parent | db195b70032803db322a44436667e5e3413ff804 (diff) | |
| download | ports-9abfecf5f8154f4958d0037dada2650adcbcc1cb.tar.gz ports-9abfecf5f8154f4958d0037dada2650adcbcc1cb.zip | |
Notes
Diffstat (limited to 'security/krb5-appl')
16 files changed, 4 insertions, 950 deletions
diff --git a/security/krb5-appl/Makefile b/security/krb5-appl/Makefile index e67393cb7563..5dd2de586d95 100644 --- a/security/krb5-appl/Makefile +++ b/security/krb5-appl/Makefile @@ -6,8 +6,7 @@ # PORTNAME= krb5 -PORTVERSION= 1.6 -PORTREVISION= 2 +PORTVERSION= 1.6.1 CATEGORIES= security MASTER_SITES= http://web.mit.edu/kerberos/dist/krb5/${PORTVERSION:C/^[0-9]*\.[0-9]*/&X/:C/X\.[0-9]*$//:C/X//}/ DISTNAME= ${PORTNAME}-${PORTVERSION}-signed diff --git a/security/krb5-appl/distinfo b/security/krb5-appl/distinfo index 2cbc77bafea1..5bd89228e49b 100644 --- a/security/krb5-appl/distinfo +++ b/security/krb5-appl/distinfo @@ -1,3 +1,3 @@ -MD5 (krb5-1.6-signed.tar) = a365e39ff7d39639556c2797a0e1c3f4 -SHA256 (krb5-1.6-signed.tar) = fe3dbb53f22cde38b6bc27ed14e706d2cf4e686a0078d8ae2610283906e26ebb -SIZE (krb5-1.6-signed.tar) = 12062720 +MD5 (krb5-1.6.1-signed.tar) = 6052c437226ea0a04a37f656f1a079b9 +SHA256 (krb5-1.6.1-signed.tar) = 30a20d1b0a302486011ffba31d53bd6135e1e18b53811670e3f33b8f7ef83259 +SIZE (krb5-1.6.1-signed.tar) = 14643200 diff --git a/security/krb5-appl/files/patch-appl-telnet-telnetd-state.c b/security/krb5-appl/files/patch-appl-telnet-telnetd-state.c deleted file mode 100644 index 9a9b8f2b5d91..000000000000 --- a/security/krb5-appl/files/patch-appl-telnet-telnetd-state.c +++ /dev/null @@ -1,12 +0,0 @@ ---- appl/telnet/telnetd/state.c.orig Thu Jun 15 15:42:53 2006 -+++ appl/telnet/telnetd/state.c Wed Apr 4 14:02:18 2007 -@@ -1665,7 +1665,8 @@ - strcmp(varp, "RESOLV_HOST_CONF") && /* linux */ - strcmp(varp, "NLSPATH") && /* locale stuff */ - strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */ -- strcmp(varp, "IFS")) { -+ strcmp(varp, "IFS") && -+ !strchr(varp, '-')) { - return 1; - } else { - syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp); diff --git a/security/krb5-appl/files/patch-appl-telnet-telnetd-sys_term.c b/security/krb5-appl/files/patch-appl-telnet-telnetd-sys_term.c deleted file mode 100644 index ec0cf6e41a0e..000000000000 --- a/security/krb5-appl/files/patch-appl-telnet-telnetd-sys_term.c +++ /dev/null @@ -1,40 +0,0 @@ ---- appl/telnet/telnetd/sys_term.c.orig Fri Nov 15 12:21:51 2002 -+++ appl/telnet/telnetd/sys_term.c Wed Apr 4 14:02:18 2007 -@@ -1287,6 +1287,16 @@ - #endif - #if defined (AUTHENTICATION) - if (auth_level >= 0 && autologin == AUTH_VALID) { -+ if (name[0] == '-') { -+ /* Authenticated and authorized to log in to an -+ account starting with '-'? Even if that -+ unlikely case comes to pass, the current login -+ program will not parse the resulting command -+ line properly. */ -+ syslog(LOG_ERR, "user name cannot start with '-'"); -+ fatal(net, "user name cannot start with '-'"); -+ exit(1); -+ } - # if !defined(NO_LOGIN_F) - #if defined(LOGIN_CAP_F) - argv = addarg(argv, "-F"); -@@ -1377,11 +1387,19 @@ - } else - #endif - if (getenv("USER")) { -- argv = addarg(argv, getenv("USER")); -+ char *user = getenv("USER"); -+ if (user[0] == '-') { -+ /* "telnet -l-x ..." */ -+ syslog(LOG_ERR, "user name cannot start with '-'"); -+ fatal(net, "user name cannot start with '-'"); -+ exit(1); -+ } -+ argv = addarg(argv, user); - #if defined(LOGIN_ARGS) && defined(NO_LOGIN_P) - { - register char **cpp; - for (cpp = environ; *cpp; cpp++) -+ if ((*cpp)[0] != '-') - argv = addarg(argv, *cpp); - } - #endif diff --git a/security/krb5-appl/files/patch-kadmin-server-kadm_rpc_svc.c b/security/krb5-appl/files/patch-kadmin-server-kadm_rpc_svc.c deleted file mode 100644 index 40cc158e5fe3..000000000000 --- a/security/krb5-appl/files/patch-kadmin-server-kadm_rpc_svc.c +++ /dev/null @@ -1,31 +0,0 @@ ---- kadmin/server/kadm_rpc_svc.c.orig Fri Mar 31 19:08:17 2006 -+++ kadmin/server/kadm_rpc_svc.c Wed Apr 4 13:53:04 2007 -@@ -250,6 +250,8 @@ - krb5_data *c1, *c2, *realm; - gss_buffer_desc gss_str; - kadm5_server_handle_t handle; -+ size_t slen; -+ char *sdots; - - success = 0; - handle = (kadm5_server_handle_t)global_server_handle; -@@ -274,6 +276,8 @@ - if (ret == 0) - goto fail_name; - -+ slen = gss_str.length; -+ trunc_name(&slen, &sdots); - /* - * Since we accept with GSS_C_NO_NAME, the client can authenticate - * against the entire kdb. Therefore, ensure that the service -@@ -296,8 +300,8 @@ - - fail_princ: - if (!success) { -- krb5_klog_syslog(LOG_ERR, "bad service principal %.*s", -- gss_str.length, gss_str.value); -+ krb5_klog_syslog(LOG_ERR, "bad service principal %.*s%s", -+ slen, gss_str.value, sdots); - } - gss_release_buffer(&min_stat, &gss_str); - krb5_free_principal(kctx, princ); diff --git a/security/krb5-appl/files/patch-kadmin-server-misc.c b/security/krb5-appl/files/patch-kadmin-server-misc.c deleted file mode 100644 index ed09a06ac7c6..000000000000 --- a/security/krb5-appl/files/patch-kadmin-server-misc.c +++ /dev/null @@ -1,15 +0,0 @@ ---- kadmin/server/misc.c.orig Sat Mar 11 14:23:28 2006 -+++ kadmin/server/misc.c Wed Apr 4 13:53:04 2007 -@@ -171,3 +171,12 @@ - - return kadm5_free_principal_ent(handle->lhandle, &princ); - } -+ -+#define MAXPRINCLEN 125 -+ -+void -+trunc_name(size_t *len, char **dots) -+{ -+ *dots = *len > MAXPRINCLEN ? "..." : ""; -+ *len = *len > MAXPRINCLEN ? MAXPRINCLEN : *len; -+} diff --git a/security/krb5-appl/files/patch-kadmin-server-misc.h b/security/krb5-appl/files/patch-kadmin-server-misc.h deleted file mode 100644 index bdae6f75806f..000000000000 --- a/security/krb5-appl/files/patch-kadmin-server-misc.h +++ /dev/null @@ -1,8 +0,0 @@ ---- kadmin/server/misc.h.orig Tue Oct 11 21:09:19 2005 -+++ kadmin/server/misc.h Wed Apr 4 13:53:04 2007 -@@ -45,3 +45,5 @@ - #ifdef SVC_GETARGS - void kadm_1(struct svc_req *, SVCXPRT *); - #endif -+ -+void trunc_name(size_t *len, char **dots); diff --git a/security/krb5-appl/files/patch-kadmin-server-ovsec_kadmd.c b/security/krb5-appl/files/patch-kadmin-server-ovsec_kadmd.c deleted file mode 100644 index 461aa2b0b700..000000000000 --- a/security/krb5-appl/files/patch-kadmin-server-ovsec_kadmd.c +++ /dev/null @@ -1,55 +0,0 @@ ---- kadmin/server/ovsec_kadmd.c.orig Tue Jan 9 12:21:43 2007 -+++ kadmin/server/ovsec_kadmd.c Wed Apr 4 13:53:04 2007 -@@ -992,6 +992,8 @@ - rpcproc_t proc; - int i; - const char *procname; -+ size_t clen, slen; -+ char *cdots, *sdots; - - client.length = 0; - client.value = NULL; -@@ -1000,10 +1002,20 @@ - - (void) gss_display_name(&minor, client_name, &client, &gss_type); - (void) gss_display_name(&minor, server_name, &server, &gss_type); -- if (client.value == NULL) -+ if (client.value == NULL) { - client.value = "(null)"; -- if (server.value == NULL) -+ clen = sizeof("(null)") -1; -+ } else { -+ clen = client.length; -+ } -+ trunc_name(&clen, &cdots); -+ if (server.value == NULL) { - server.value = "(null)"; -+ slen = sizeof("(null)") - 1; -+ } else { -+ slen = server.length; -+ } -+ trunc_name(&slen, &sdots); - a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr); - - proc = msg->rm_call.cb_proc; -@@ -1016,14 +1028,14 @@ - } - if (procname != NULL) - krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, " -- "claimed client = %s, server = %s, addr = %s", -- procname, client.value, -- server.value, a); -+ "claimed client = %.*s%s, server = %.*s%s, addr = %s", -+ procname, clen, client.value, cdots, -+ slen, server.value, sdots, a); - else - krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %d, " -- "claimed client = %s, server = %s, addr = %s", -- proc, client.value, -- server.value, a); -+ "claimed client = %.*s%s, server = %.*s%s, addr = %s", -+ proc, clen, client.value, cdots, -+ slen, server.value, sdots, a); - - (void) gss_release_buffer(&minor, &client); - (void) gss_release_buffer(&minor, &server); diff --git a/security/krb5-appl/files/patch-kadmin-server-schpw.c b/security/krb5-appl/files/patch-kadmin-server-schpw.c deleted file mode 100644 index 673d69b4e937..000000000000 --- a/security/krb5-appl/files/patch-kadmin-server-schpw.c +++ /dev/null @@ -1,26 +0,0 @@ ---- kadmin/server/schpw.c.orig Thu Apr 13 11:58:56 2006 -+++ kadmin/server/schpw.c Wed Apr 4 13:53:04 2007 -@@ -40,6 +40,8 @@ - int numresult; - char strresult[1024]; - char *clientstr; -+ size_t clen; -+ char *cdots; - - ret = 0; - rep->length = 0; -@@ -258,9 +260,12 @@ - free(ptr); - clear.length = 0; - -- krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %s: %s", -+ clen = strlen(clientstr); -+ trunc_name(&clen, &cdots); -+ krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %.*s%s: %s", - inet_ntoa(((struct sockaddr_in *)&remote_addr)->sin_addr), -- clientstr, ret ? krb5_get_error_message (context, ret) : "success"); -+ clen, clientstr, cdots, -+ ret ? krb5_get_error_message (context, ret) : "success"); - krb5_free_unparsed_name(context, clientstr); - - if (ret) { diff --git a/security/krb5-appl/files/patch-kadmin-server-server_stubs.c b/security/krb5-appl/files/patch-kadmin-server-server_stubs.c deleted file mode 100644 index 927cd1900593..000000000000 --- a/security/krb5-appl/files/patch-kadmin-server-server_stubs.c +++ /dev/null @@ -1,608 +0,0 @@ ---- kadmin/server/server_stubs.c.orig Thu Apr 13 11:58:56 2006 -+++ kadmin/server/server_stubs.c Wed Apr 4 13:53:04 2007 -@@ -14,6 +14,7 @@ - #include <arpa/inet.h> /* inet_ntoa */ - #include <adm_proto.h> /* krb5_klog_syslog */ - #include "misc.h" -+#include <string.h> - - #define LOG_UNAUTH "Unauthorized request: %s, %s, client=%s, service=%s, addr=%s" - #define LOG_DONE "Request: %s, %s, %s, client=%s, service=%s, addr=%s" -@@ -237,6 +238,61 @@ - return 0; - } - -+static int -+log_unauth( -+ char *op, -+ char *target, -+ gss_buffer_t client, -+ gss_buffer_t server, -+ struct svc_req *rqstp) -+{ -+ size_t tlen, clen, slen; -+ char *tdots, *cdots, *sdots; -+ -+ tlen = strlen(target); -+ trunc_name(&tlen, &tdots); -+ clen = client->length; -+ trunc_name(&clen, &cdots); -+ slen = server->length; -+ trunc_name(&slen, &sdots); -+ -+ return krb5_klog_syslog(LOG_NOTICE, -+ "Unauthorized request: %s, %.*s%s, " -+ "client=%.*s%s, service=%.*s%s, addr=%s", -+ op, tlen, target, tdots, -+ clen, client->value, cdots, -+ slen, server->value, sdots, -+ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+} -+ -+static int -+log_done( -+ char *op, -+ char *target, -+ char *errmsg, -+ gss_buffer_t client, -+ gss_buffer_t server, -+ struct svc_req *rqstp) -+{ -+ size_t tlen, clen, slen; -+ char *tdots, *cdots, *sdots; -+ -+ tlen = strlen(target); -+ trunc_name(&tlen, &tdots); -+ clen = client->length; -+ trunc_name(&clen, &cdots); -+ slen = server->length; -+ trunc_name(&slen, &sdots); -+ -+ return krb5_klog_syslog(LOG_NOTICE, -+ "Request: %s, %.*s%s, %s, " -+ "client=%.*s%s, service=%.*s%s, addr=%s", -+ op, tlen, target, tdots, errmsg, -+ clen, client->value, cdots, -+ slen, server->value, sdots, -+ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+} -+ - generic_ret * - create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp) - { -@@ -275,9 +331,8 @@ - || kadm5int_acl_impose_restrictions(handle->context, - &arg->rec, &arg->mask, rp)) { - ret.code = KADM5_AUTH_ADD; -- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal", -- prime_arg, client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_unauth("kadm5_create_principal", prime_arg, -+ &client_name, &service_name, rqstp); - } else { - ret.code = kadm5_create_principal((void *)handle, - &arg->rec, arg->mask, -@@ -287,10 +342,8 @@ - else - errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); - -- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal", -- prime_arg, errmsg, -- client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_done("kadm5_create_principal", prime_arg, errmsg, -+ &client_name, &service_name, rqstp); - - /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ - } -@@ -341,9 +394,8 @@ - || kadm5int_acl_impose_restrictions(handle->context, - &arg->rec, &arg->mask, rp)) { - ret.code = KADM5_AUTH_ADD; -- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal", -- prime_arg, client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_unauth("kadm5_create_principal", prime_arg, -+ &client_name, &service_name, rqstp); - } else { - ret.code = kadm5_create_principal_3((void *)handle, - &arg->rec, arg->mask, -@@ -355,10 +407,8 @@ - else - errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); - -- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal", -- prime_arg, errmsg, -- client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_done("kadm5_create_principal", prime_arg, errmsg, -+ &client_name, &service_name, rqstp); - - /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ - } -@@ -406,9 +456,8 @@ - || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE, - arg->princ, NULL)) { - ret.code = KADM5_AUTH_DELETE; -- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_principal", -- prime_arg, client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_unauth("kadm5_delete_principal", prime_arg, -+ &client_name, &service_name, rqstp); - } else { - ret.code = kadm5_delete_principal((void *)handle, arg->princ); - if( ret.code == 0 ) -@@ -416,10 +465,8 @@ - else - errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); - -- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_principal", -- prime_arg, errmsg, -- client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_done("kadm5_delete_principal", prime_arg, errmsg, -+ &client_name, &service_name, rqstp); - - /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ - } -@@ -469,9 +516,8 @@ - || kadm5int_acl_impose_restrictions(handle->context, - &arg->rec, &arg->mask, rp)) { - ret.code = KADM5_AUTH_MODIFY; -- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_principal", -- prime_arg, client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_unauth("kadm5_modify_principal", prime_arg, -+ &client_name, &service_name, rqstp); - } else { - ret.code = kadm5_modify_principal((void *)handle, &arg->rec, - arg->mask); -@@ -480,10 +526,8 @@ - else - errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); - -- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_principal", -- prime_arg, errmsg, -- client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_done("kadm5_modify_principal", prime_arg, errmsg, -+ &client_name, &service_name, rqstp); - - /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ - } -@@ -546,9 +590,8 @@ - } else - ret.code = KADM5_AUTH_INSUFFICIENT; - if (ret.code != KADM5_OK) { -- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_rename_principal", -- prime_arg, client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_unauth("kadm5_rename_principal", prime_arg, -+ &client_name, &service_name, rqstp); - } else { - ret.code = kadm5_rename_principal((void *)handle, arg->src, - arg->dest); -@@ -557,10 +600,8 @@ - else - errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); - -- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_rename_principal", -- prime_arg, errmsg, -- client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_done("kadm5_rename_principal", prime_arg, errmsg, -+ &client_name, &service_name, rqstp); - } - free_server_handle(handle); - free(prime_arg1); -@@ -614,9 +655,8 @@ - arg->princ, - NULL))) { - ret.code = KADM5_AUTH_GET; -- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname, -- prime_arg, client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_unauth(funcname, prime_arg, -+ &client_name, &service_name, rqstp); - } else { - if (handle->api_version == KADM5_API_VERSION_1) { - ret.code = kadm5_get_principal_v1((void *)handle, -@@ -636,11 +676,8 @@ - else - errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); - -- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname, -- prime_arg, -- errmsg, -- client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_done(funcname, prime_arg, errmsg, -+ &client_name, &service_name, rqstp); - - } - free_server_handle(handle); -@@ -688,9 +725,8 @@ - NULL, - NULL)) { - ret.code = KADM5_AUTH_LIST; -- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_principals", -- prime_arg, client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_unauth("kadm5_get_principals", prime_arg, -+ &client_name, &service_name, rqstp); - } else { - ret.code = kadm5_get_principals((void *)handle, - arg->exp, &ret.princs, -@@ -700,11 +736,8 @@ - else - errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); - -- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_principals", -- prime_arg, -- errmsg, -- client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_done("kadm5_get_principals", prime_arg, errmsg, -+ &client_name, &service_name, rqstp); - - } - free_server_handle(handle); -@@ -755,9 +788,8 @@ - ret.code = kadm5_chpass_principal((void *)handle, arg->princ, - arg->pass); - } else { -- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal", -- prime_arg, client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_unauth("kadm5_chpass_principal", prime_arg, -+ &client_name, &service_name, rqstp); - ret.code = KADM5_AUTH_CHANGEPW; - } - -@@ -767,10 +799,8 @@ - else - errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); - -- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal", -- prime_arg, errmsg, -- client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_done("kadm5_chpass_principal", prime_arg, errmsg, -+ &client_name, &service_name, rqstp); - } - - free_server_handle(handle); -@@ -828,9 +858,8 @@ - arg->ks_tuple, - arg->pass); - } else { -- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal", -- prime_arg, client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_unauth("kadm5_chpass_principal", prime_arg, -+ &client_name, &service_name, rqstp); - ret.code = KADM5_AUTH_CHANGEPW; - } - -@@ -840,10 +869,8 @@ - else - errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); - -- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal", -- prime_arg, errmsg, -- client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_done("kadm5_chpass_principal", prime_arg, errmsg, -+ &client_name, &service_name, rqstp); - } - - free_server_handle(handle); -@@ -892,9 +919,8 @@ - ret.code = kadm5_setv4key_principal((void *)handle, arg->princ, - arg->keyblock); - } else { -- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setv4key_principal", -- prime_arg, client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_unauth("kadm5_setv4key_principal", prime_arg, -+ &client_name, &service_name, rqstp); - ret.code = KADM5_AUTH_SETKEY; - } - -@@ -904,10 +930,8 @@ - else - errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); - -- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setv4key_principal", -- prime_arg, errmsg, -- client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_done("kadm5_setv4key_principal", prime_arg, errmsg, -+ &client_name, &service_name, rqstp); - } - - free_server_handle(handle); -@@ -956,9 +980,8 @@ - ret.code = kadm5_setkey_principal((void *)handle, arg->princ, - arg->keyblocks, arg->n_keys); - } else { -- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal", -- prime_arg, client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_unauth("kadm5_setkey_principal", prime_arg, -+ &client_name, &service_name, rqstp); - ret.code = KADM5_AUTH_SETKEY; - } - -@@ -968,10 +991,8 @@ - else - errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); - -- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal", -- prime_arg, errmsg, -- client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_done("kadm5_setkey_principal", prime_arg, errmsg, -+ &client_name, &service_name, rqstp); - } - - free_server_handle(handle); -@@ -1023,9 +1044,8 @@ - arg->ks_tuple, - arg->keyblocks, arg->n_keys); - } else { -- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal", -- prime_arg, client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_unauth("kadm5_setkey_principal", prime_arg, -+ &client_name, &service_name, rqstp); - ret.code = KADM5_AUTH_SETKEY; - } - -@@ -1035,10 +1055,8 @@ - else - errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); - -- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal", -- prime_arg, errmsg, -- client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_done("kadm5_setkey_principal", prime_arg, errmsg, -+ &client_name, &service_name, rqstp); - } - - free_server_handle(handle); -@@ -1097,9 +1115,8 @@ - ret.code = kadm5_randkey_principal((void *)handle, arg->princ, - &k, &nkeys); - } else { -- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname, -- prime_arg, client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_unauth(funcname, prime_arg, -+ &client_name, &service_name, rqstp); - ret.code = KADM5_AUTH_CHANGEPW; - } - -@@ -1119,10 +1136,8 @@ - else - errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); - -- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname, -- prime_arg, errmsg, -- client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_done(funcname, prime_arg, errmsg, -+ &client_name, &service_name, rqstp); - } - free_server_handle(handle); - free(prime_arg); -@@ -1185,9 +1200,8 @@ - arg->ks_tuple, - &k, &nkeys); - } else { -- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname, -- prime_arg, client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_unauth(funcname, prime_arg, -+ &client_name, &service_name, rqstp); - ret.code = KADM5_AUTH_CHANGEPW; - } - -@@ -1207,10 +1221,8 @@ - else - errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); - -- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname, -- prime_arg, errmsg, -- client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_done(funcname, prime_arg, errmsg, -+ &client_name, &service_name, rqstp); - } - free_server_handle(handle); - free(prime_arg); -@@ -1253,10 +1265,9 @@ - rqst2name(rqstp), - ACL_ADD, NULL, NULL)) { - ret.code = KADM5_AUTH_ADD; -- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_policy", -- prime_arg, client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -- -+ log_unauth("kadm5_create_policy", prime_arg, -+ &client_name, &service_name, rqstp); -+ - } else { - ret.code = kadm5_create_policy((void *)handle, &arg->rec, - arg->mask); -@@ -1265,11 +1276,9 @@ - else - errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); - -- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_policy", -- ((prime_arg == NULL) ? "(null)" : prime_arg), -- errmsg, -- client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_done("kadm5_create_policy", -+ ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, -+ &client_name, &service_name, rqstp); - } - free_server_handle(handle); - gss_release_buffer(&minor_stat, &client_name); -@@ -1310,9 +1319,8 @@ - if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, - rqst2name(rqstp), - ACL_DELETE, NULL, NULL)) { -- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_policy", -- prime_arg, client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_unauth("kadm5_delete_policy", prime_arg, -+ &client_name, &service_name, rqstp); - ret.code = KADM5_AUTH_DELETE; - } else { - ret.code = kadm5_delete_policy((void *)handle, arg->name); -@@ -1321,11 +1329,9 @@ - else - errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); - -- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_policy", -- ((prime_arg == NULL) ? "(null)" : prime_arg), -- errmsg, -- client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_done("kadm5_delete_policy", -+ ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, -+ &client_name, &service_name, rqstp); - } - free_server_handle(handle); - gss_release_buffer(&minor_stat, &client_name); -@@ -1366,9 +1372,8 @@ - if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, - rqst2name(rqstp), - ACL_MODIFY, NULL, NULL)) { -- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_policy", -- prime_arg, client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_unauth("kadm5_modify_policy", prime_arg, -+ &client_name, &service_name, rqstp); - ret.code = KADM5_AUTH_MODIFY; - } else { - ret.code = kadm5_modify_policy((void *)handle, &arg->rec, -@@ -1378,11 +1383,9 @@ - else - errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); - -- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_policy", -- ((prime_arg == NULL) ? "(null)" : prime_arg), -- errmsg, -- client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_done("kadm5_modify_policy", -+ ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, -+ &client_name, &service_name, rqstp); - } - free_server_handle(handle); - gss_release_buffer(&minor_stat, &client_name); -@@ -1464,15 +1467,12 @@ - else - errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); - -- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname, -- ((prime_arg == NULL) ? "(null)" : prime_arg), -- errmsg, -- client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_done(funcname, -+ ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, -+ &client_name, &service_name, rqstp); - } else { -- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname, -- prime_arg, client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_unauth(funcname, prime_arg, -+ &client_name, &service_name, rqstp); - } - free_server_handle(handle); - gss_release_buffer(&minor_stat, &client_name); -@@ -1517,9 +1517,8 @@ - rqst2name(rqstp), - ACL_LIST, NULL, NULL)) { - ret.code = KADM5_AUTH_LIST; -- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_policies", -- prime_arg, client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_unauth("kadm5_get_policies", prime_arg, -+ &client_name, &service_name, rqstp); - } else { - ret.code = kadm5_get_policies((void *)handle, - arg->exp, &ret.pols, -@@ -1529,11 +1528,8 @@ - else - errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); - -- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_policies", -- prime_arg, -- errmsg, -- client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_done("kadm5_get_policies", prime_arg, errmsg, -+ &client_name, &service_name, rqstp); - } - free_server_handle(handle); - gss_release_buffer(&minor_stat, &client_name); -@@ -1573,11 +1569,8 @@ - else - errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); - -- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_privs", -- client_name.value, -- errmsg, -- client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); -+ log_done("kadm5_get_privs", client_name.value, errmsg, -+ &client_name, &service_name, rqstp); - - free_server_handle(handle); - gss_release_buffer(&minor_stat, &client_name); -@@ -1594,6 +1587,8 @@ - kadm5_server_handle_t handle; - OM_uint32 minor_stat; - char *errmsg = 0; -+ size_t clen, slen; -+ char *cdots, *sdots; - - xdr_free(xdr_generic_ret, &ret); - -@@ -1612,14 +1607,22 @@ - - if (ret.code != 0) - errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); -- krb5_klog_syslog(LOG_NOTICE, LOG_DONE ", flavor=%d", -- (ret.api_version == KADM5_API_VERSION_1 ? -- "kadm5_init (V1)" : "kadm5_init"), -- client_name.value, -- (ret.code == 0) ? "success" : errmsg, -- client_name.value, service_name.value, -- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr), -- rqstp->rq_cred.oa_flavor); -+ else -+ errmsg = "success"; -+ -+ clen = client_name.length; -+ trunc_name(&clen, &cdots); -+ slen = service_name.length; -+ trunc_name(&slen, &sdots); -+ krb5_klog_syslog(LOG_NOTICE, "Request: %s, %.*s%s, %s, " -+ "client=%.*s%s, service=%.*s%s, addr=%s, flavor=%d", -+ (ret.api_version == KADM5_API_VERSION_1 ? -+ "kadm5_init (V1)" : "kadm5_init"), -+ clen, client_name.value, cdots, errmsg, -+ clen, client_name.value, cdots, -+ slen, service_name.value, sdots, -+ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr), -+ rqstp->rq_cred.oa_flavor); - gss_release_buffer(&minor_stat, &client_name); - gss_release_buffer(&minor_stat, &service_name); - diff --git a/security/krb5-appl/files/patch-kdc-do_tgs_req.c b/security/krb5-appl/files/patch-kdc-do_tgs_req.c deleted file mode 100644 index d6cfa2133209..000000000000 --- a/security/krb5-appl/files/patch-kdc-do_tgs_req.c +++ /dev/null @@ -1,65 +0,0 @@ ---- kdc/do_tgs_req.c.orig Fri Oct 13 14:08:07 2006 -+++ kdc/do_tgs_req.c Wed Apr 4 13:53:04 2007 -@@ -491,28 +491,38 @@ - newtransited = 1; - } - if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) { -+ unsigned int tlen; -+ char *tdots; -+ - errcode = krb5_check_transited_list (kdc_context, - &enc_tkt_reply.transited.tr_contents, - krb5_princ_realm (kdc_context, header_ticket->enc_part2->client), - krb5_princ_realm (kdc_context, request->server)); -+ tlen = enc_tkt_reply.transited.tr_contents.length; -+ tdots = tlen > 125 ? "..." : ""; -+ tlen = tlen > 125 ? 125 : tlen; -+ - if (errcode == 0) { - setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED); - } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT) - krb5_klog_syslog (LOG_INFO, -- "bad realm transit path from '%s' to '%s' via '%.*s'", -+ "bad realm transit path from '%s' to '%s' " -+ "via '%.*s%s'", - cname ? cname : "<unknown client>", - sname ? sname : "<unknown server>", -- enc_tkt_reply.transited.tr_contents.length, -- enc_tkt_reply.transited.tr_contents.data); -+ tlen, -+ enc_tkt_reply.transited.tr_contents.data, -+ tdots); - else { - const char *emsg = krb5_get_error_message(kdc_context, errcode); - krb5_klog_syslog (LOG_ERR, -- "unexpected error checking transit from '%s' to '%s' via '%.*s': %s", -+ "unexpected error checking transit from " -+ "'%s' to '%s' via '%.*s%s': %s", - cname ? cname : "<unknown client>", - sname ? sname : "<unknown server>", -- enc_tkt_reply.transited.tr_contents.length, -+ tlen, - enc_tkt_reply.transited.tr_contents.data, -- emsg); -+ tdots, emsg); - krb5_free_error_message(kdc_context, emsg); - } - } else -@@ -542,6 +552,9 @@ - if (!krb5_principal_compare(kdc_context, request->server, client2)) { - if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp))) - tmp = 0; -+ if (tmp != NULL) -+ limit_string(tmp); -+ - krb5_klog_syslog(LOG_INFO, - "TGS_REQ %s: 2ND_TKT_MISMATCH: " - "authtime %d, %s for %s, 2nd tkt client %s", -@@ -816,6 +829,7 @@ - krb5_klog_syslog(LOG_INFO, - "TGS_REQ: issuing alternate <un-unparseable> TGT"); - } else { -+ limit_string(sname); - krb5_klog_syslog(LOG_INFO, - "TGS_REQ: issuing TGT %s", sname); - free(sname); diff --git a/security/krb5-appl/files/patch-kdc-kdc_util.c b/security/krb5-appl/files/patch-kdc-kdc_util.c deleted file mode 100644 index 7ace820c79c0..000000000000 --- a/security/krb5-appl/files/patch-kdc-kdc_util.c +++ /dev/null @@ -1,10 +0,0 @@ ---- kdc/kdc_util.c.orig Wed Oct 11 17:33:12 2006 -+++ kdc/kdc_util.c Wed Apr 4 13:53:04 2007 -@@ -404,6 +404,7 @@ - - krb5_db_free_principal(kdc_context, &server, nprincs); - if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) { -+ limit_string(sname); - krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'", - sname); - free(sname); diff --git a/security/krb5-appl/files/patch-lib-gssapi-krb5-k5unseal.c b/security/krb5-appl/files/patch-lib-gssapi-krb5-k5unseal.c deleted file mode 100644 index 38ae5df836f9..000000000000 --- a/security/krb5-appl/files/patch-lib-gssapi-krb5-k5unseal.c +++ /dev/null @@ -1,15 +0,0 @@ ---- lib/gssapi/krb5/k5unseal.c.orig Tue May 9 04:31:02 2006 -+++ lib/gssapi/krb5/k5unseal.c Tue Apr 3 18:28:48 2007 -@@ -457,8 +457,11 @@ - - if ((ctx->initiate && direction != 0xff) || - (!ctx->initiate && direction != 0)) { -- if (toktype == KG_TOK_SEAL_MSG) -+ if (toktype == KG_TOK_SEAL_MSG) { - xfree(token.value); -+ message_buffer->value = NULL; -+ message_buffer->length = 0; -+ } - *minor_status = G_BAD_DIRECTION; - return(GSS_S_BAD_SIG); - } diff --git a/security/krb5-appl/files/patch-lib-kadm5-logger.c b/security/krb5-appl/files/patch-lib-kadm5-logger.c deleted file mode 100644 index f553a359e4a2..000000000000 --- a/security/krb5-appl/files/patch-lib-kadm5-logger.c +++ /dev/null @@ -1,33 +0,0 @@ ---- lib/kadm5/logger.c.orig Mon Jun 19 16:33:36 2006 -+++ lib/kadm5/logger.c Wed Apr 4 13:53:04 2007 -@@ -45,7 +45,7 @@ - #include <varargs.h> - #endif /* HAVE_STDARG_H */ - --#define KRB5_KLOG_MAX_ERRMSG_SIZE 1024 -+#define KRB5_KLOG_MAX_ERRMSG_SIZE 2048 - #ifndef MAXHOSTNAMELEN - #define MAXHOSTNAMELEN 256 - #endif /* MAXHOSTNAMELEN */ -@@ -261,7 +261,9 @@ - #endif /* HAVE_SYSLOG */ - - /* Now format the actual message */ --#if HAVE_VSPRINTF -+#if HAVE_VSNPRINTF -+ vsnprintf(cp, sizeof(outbuf) - (cp - outbuf), actual_format, ap); -+#elif HAVE_VSPRINTF - vsprintf(cp, actual_format, ap); - #else /* HAVE_VSPRINTF */ - sprintf(cp, actual_format, ((int *) ap)[0], ((int *) ap)[1], -@@ -850,7 +852,9 @@ - syslogp = &outbuf[strlen(outbuf)]; - - /* Now format the actual message */ --#ifdef HAVE_VSPRINTF -+#ifdef HAVE_VSNPRINTF -+ vsnprintf(syslogp, sizeof(outbuf) - (syslogp - outbuf), format, arglist); -+#elif HAVE_VSPRINTF - vsprintf(syslogp, format, arglist); - #else /* HAVE_VSPRINTF */ - sprintf(syslogp, format, ((int *) arglist)[0], ((int *) arglist)[1], diff --git a/security/krb5-appl/files/patch-lib::krb5::os::hst_realm.c b/security/krb5-appl/files/patch-lib::krb5::os::hst_realm.c deleted file mode 100644 index d3caed59fd30..000000000000 --- a/security/krb5-appl/files/patch-lib::krb5::os::hst_realm.c +++ /dev/null @@ -1,14 +0,0 @@ ---- lib/krb5/os/hst_realm.c.orig Tue Oct 15 15:51:50 2002 -+++ lib/krb5/os/hst_realm.c Sat Jan 24 20:11:05 2004 -@@ -438,9 +438,11 @@ - return EAFNOSUPPORT; - case EAI_MEMORY: - return ENOMEM; -+#ifdef EAI_NODATA - #if EAI_NODATA != EAI_NONAME - case EAI_NODATA: - return KRB5_EAI_NODATA; -+#endif - #endif - case EAI_NONAME: - return KRB5_EAI_NONAME; diff --git a/security/krb5-appl/files/patch-lib::krb5::os::locate_kdc.c b/security/krb5-appl/files/patch-lib::krb5::os::locate_kdc.c deleted file mode 100644 index 5cfbbe3553de..000000000000 --- a/security/krb5-appl/files/patch-lib::krb5::os::locate_kdc.c +++ /dev/null @@ -1,13 +0,0 @@ ---- lib/krb5/os/locate_kdc.c.orig Mon Jun 9 14:27:56 2003 -+++ lib/krb5/os/locate_kdc.c Sun Jan 25 13:28:01 2004 -@@ -185,8 +185,10 @@ - #ifdef EAI_ADDRFAMILY - case EAI_ADDRFAMILY: - #endif -+#ifdef EAI_NODATA - #if EAI_NODATA != EAI_NONAME - case EAI_NODATA: -+#endif - #endif - case EAI_NONAME: - /* Name not known or no address data, but no error. Do |