author | Eray Aslan <eras@gentoo.org> | 2010-11-05 21:34:12 +0000 |
---|---|---|
committer | Eray Aslan <eras@gentoo.org> | 2010-11-05 21:34:12 +0000 |
commit | ec6b8b79be8abb6d5c055da707ef044adcd7aa7c (patch) | |
tree | f3d4c0eab927c68a3550a4a716d479f82cb0b944 /app-crypt | |
parent | Fixed luasocket dependency. (diff) | |
Remove old patches - bug #340195
Package-Manager: portage-2.1.9.24/cvs/Linux x86_64
Diffstat (limited to 'app-crypt')
-rw-r--r-- | app-crypt/mit-krb5/ChangeLog | 10 | ||||
-rw-r--r-- | app-crypt/mit-krb5/Manifest | 11 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/1.6-CVE-2009-4212.patch | 268 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/1.6-MITKRB5-SA-2008-001.patch | 331 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/1.7-CVE-2009-4212.patch | 377 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/CVE-2009-0844+CVE-2009-0847.patch | 48 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/CVE-2009-0846.patch | 40 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/CVE-2010-1320.patch | 20 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/CVE-2010-1321.patch | 18 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/MITKRB5-SA-2008-002.patch | 71 | ||||
-rw-r--r-- | app-crypt/mit-krb5/files/mit-krb5-lazyldflags.patch | 19 |
11 files changed, 10 insertions, 1203 deletions
diff --git a/app-crypt/mit-krb5/ChangeLog b/app-crypt/mit-krb5/ChangeLog
index 2232cba69d67..ad15be46ed6a 100644
--- a/app-crypt/mit-krb5/ChangeLog
+++ b/app-crypt/mit-krb5/ChangeLog
@@ -1,6 +1,14 @@
 # ChangeLog for app-crypt/mit-krb5
 # Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.232 2010/11/05 21:13:42 eras Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.233 2010/11/05 21:34:12 eras Exp $
+
+ 05 Nov 2010; Eray Aslan <eras@gentoo.org>
+ -files/1.6-MITKRB5-SA-2008-001.patch, -files/MITKRB5-SA-2008-002.patch,
+ -files/CVE-2009-0844+CVE-2009-0847.patch,
+ -files/mit-krb5-lazyldflags.patch, -files/CVE-2009-0846.patch,
+ -files/1.6-CVE-2009-4212.patch, -files/1.7-CVE-2009-4212.patch,
+ -files/CVE-2010-1320.patch, -files/CVE-2010-1321.patch:
+ Remove old patches - bug #340195
 *mit-krb5-1.8.3-r1 (05 Nov 2010)
diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest
index b6eaed38a3a2..d82a1ffda7bd 100644
--- a/app-crypt/mit-krb5/Manifest
+++ b/app-crypt/mit-krb5/Manifest
@@ -1,14 +1,5 @@ -AUX 1.6-CVE-2009-4212.patch 9565 RMD160 b7c67745305d80a70d8c1247a8448df3175a69c2 SHA1 5c18a4a4fc2a6289b3d52683c7eef7824168899e SHA256 c3b36f5ddc0fb7451055908781dfea3b43c6953032936883d5f5c0a8d7d98c53 -AUX 1.6-MITKRB5-SA-2008-001.patch 11080 RMD160 12415f2329536352cd4d4aaa340951771b1e5114 SHA1 0cc2549ab6fd44180b3cdf4327efeaa6fe43b6e2 SHA256 0af6931dd33d9a2622714de3e06e68dde0d6e9215d9b08c478a441ce7fb6d7a6 -AUX 1.7-CVE-2009-4212.patch 13085 RMD160 98b9d7adab15a198cf6380458e9960e41385f2f9 SHA1 627c85e8764717248d5d86f70a1eb1a649035ef9 SHA256 c64a28f4fc9c7db2f0f98efea401b6e36d196f90d20f435b19c60259c348693b -AUX CVE-2009-0844+CVE-2009-0847.patch 2075 RMD160 eba543da0eafa13158a71947bf22783292d23951 SHA1 087e0dfcdff3dd08b9085fda47099c438871488d SHA256 abdff5ffb07b57d6156722ea6ee12a73ae3337ff05687e384a59989074ab4316 -AUX CVE-2009-0846.patch 1682 RMD160 80292c97735b2e45eb450d2c8f6c30e6b0dbf199 SHA1 4bde9e943f4604bfde41cb91f923c123716add71 SHA256 71914affe6f8623b44f3b8ac9c98a83783e41200f8965ea5d68e7fb8a4bc3088 -AUX CVE-2010-1320.patch 701 RMD160 f5ebcbf5a5cb872644aa3d7f28bea0de2e4cc281 SHA1 775ae45e20b67d1de7f2a21c52afbfbaacdae5a1 SHA256 251757cc449ba11f0147febc1b69e8aee37ec6c200a25c08e9a9eac02cdb3c60 -AUX CVE-2010-1321.patch 670 RMD160 941777d0914ae3363eae2be9d62a09e00e074c7e SHA1 fc85fead1fcbd3a8c0f867084a934c97abfc3f31 SHA256 02d778775bf3f7576f5cf7a9a1a3d14ccf1654b71c77a6a4e00a7bd5b775b221 AUX CVE-2010-1322.patch 1066 RMD160 fc262a23e9aa118262a4258f74832445062444e4 SHA1 600f0890de65f96112f267b56317a4fd0166cba0 SHA256 7d9fbfffdaa0cde0ca499ccbb2cf09a6c7253e537755bbf6da9e08715fd9a474 -AUX MITKRB5-SA-2008-002.patch 1505 RMD160 35bb24ae802b532836810588e13c775ef8522cc1 SHA1 70fb0d83da33eb3e00355a11894c37f7c9d2b9aa SHA256 8e84a55080461f117f61501550c364f9ac25d9079601281a0d413bff664fc386 AUX kpropd.xinetd 194 RMD160 5772b04bf7f6b8a5588331a4d9dca03738756f15 SHA1 a9c84a4197ba133144e754d68847cece6203ed4a SHA256 
eaa3838a6ca8db901db359cac3435d4f703a9a10534f02eeb37f494dd21a1736 -AUX mit-krb5-lazyldflags.patch 509 RMD160 47515882e93e0db7db6980a4460a01f2cbc3f382 SHA1 db880ff82bd72afd2815a8e8d345c815c2769715 SHA256 272b3a18303b43c64bbcc1da9bcb7cd60d56337700d84c78741c7096c18044d5 AUX mit-krb5kadmind.initd 687 RMD160 7602d12d570e80edf24953befbe4ec03d247e4ba SHA1 753a5875659d3bef63c1a50bb0228f1c3c06bdf9 SHA256 427953b3a2dbe0a8f85bee1294a348c97dbbdac4741f06c2a3768170ba29161a AUX mit-krb5kdc.initd 656 RMD160 8c4c508273f9d715ac0e0a8d9c54e36f63526b9b SHA1 62017fc3a2f5adbd6e0c1421041593a268a6252d SHA256 d813dbf3ee89f0da6b73455fd8759898223529c4cf7c1c2ec64a3128363194e2 DIST krb5-1.8.2-signed.tar 11642880 RMD160 025f150e166b36067fbcc057662043f3b375ce16 SHA1 571fc8bf5ba67bcaf5299aab0472fc6048268b12 SHA256 c611fcf12314d6823d29c6e9a8709b24df971ee648c204eb7e003be068c5c5ad 
@@ -17,5 +8,5 @@ EBUILD mit-krb5-1.8.2-r1.ebuild 2656 RMD160 2186e283e67026407fe5ffd8dc0f958b34d5 EBUILD mit-krb5-1.8.2.ebuild 2620 RMD160 353bc593ab0102c66c5846f74518ca7f0e2e7bd3 SHA1 c5f1b36275144a8f05a159e88349ed2088633ddd SHA256 b6c78e35e5a2d9af8ab389e95109f27de13e83cc11d189a876946353cd271aca EBUILD mit-krb5-1.8.3-r1.ebuild 2725 RMD160 d5bb423af29584ec56eacea512278baa4145d3ba SHA1 82c240289e41571df6a9c4600e45516476a563b3 SHA256 5fa2daa2520ca72629b91d1abf0e503abe888055dc077efdbc47fdb4ccb64834 EBUILD mit-krb5-1.8.3.ebuild 2651 RMD160 02d4089a4aa765a5455addfb4ee2a06e1ce6cfbf SHA1 571463eb2a864b9136df558e0c17abf1a650be29 SHA256 59d054e2a7021b6c2e0483aac6953627ccd483669712d907fbe6d05ffc8eae97 -MISC ChangeLog 37519 RMD160 9f8f4060666aae7a600b3aaa121b78743bafc326 SHA1 14e1915581f97aeca081d15cc9af2f77262031b6 SHA256 26197b09dffc9f3b7d95dec13b2cd25a6888b024e475628308b4999a9cb06bdb +MISC ChangeLog 37906 RMD160 9d2f18c1807c9253d0520d3bf41abcc3692110e2 SHA1 8156bd69766a884053a94fdde067876f69d9a6c2 SHA256 ff32d369dc14339d20e3aebbbc2a5e3f8be71b6740af8e6f7c1b3658e5a7b159 MISC metadata.xml 438 RMD160 8ef6cc46c5529d18bd51d1e722f9f9329f3dcd78 SHA1 1b389e98fb724f1f6570fd7faac77f1909b24cae SHA256 441b7ccce3158497456485cefd03da127abec4322332932fff96875619df0d5b diff --git a/app-crypt/mit-krb5/files/1.6-CVE-2009-4212.patch b/app-crypt/mit-krb5/files/1.6-CVE-2009-4212.patch deleted file mode 100644 index 7ed2e9967e2d..000000000000 --- a/app-crypt/mit-krb5/files/1.6-CVE-2009-4212.patch +++ /dev/null 
@@ -1,268 +0,0 @@ -Index: src/lib/crypto/Makefile.in -=================================================================== ---- src/lib/crypto/Makefile.in (revision 23398) -+++ src/lib/crypto/Makefile.in (working copy) -@@ -22,6 +22,7 @@ - $(srcdir)/t_hmac.c \ - $(srcdir)/t_pkcs5.c \ - $(srcdir)/t_cts.c \ -+ $(srcdir)/t_short.c \ - $(srcdir)/vectors.c - - ##DOSBUILDTOP = ..\.. -@@ -184,12 +185,13 @@ - - clean-unix:: clean-liblinks clean-libs clean-libobjs - --check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 -+check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_short - $(RUN_SETUP) $(VALGRIND) ./t_nfold - $(RUN_SETUP) $(VALGRIND) ./t_encrypt - $(RUN_SETUP) $(VALGRIND) ./t_prng <$(srcdir)/t_prng.seed >t_prng.output && \ - diff t_prng.output $(srcdir)/t_prng.expected - $(RUN_SETUP) $(VALGRIND) ./t_hmac -+ $(RUN_SETUP) $(VALGRIND) ./t_short - - # $(RUN_SETUP) $(VALGRIND) ./t_pkcs5 - -@@ -218,10 +220,14 @@ - $(CC_LINK) -o $@ t_cts.$(OBJEXT) \ - $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) - -+t_short$(EXEEXT): t_short.$(OBJEXT) $(CRYPTO_DEPLIB) $(SUPPORT_DEPLIB) -+ $(CC_LINK) -o $@ t_short.$(OBJEXT) \ -+ $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) - - clean:: - $(RM) t_nfold.o t_nfold t_encrypt t_encrypt.o t_prng.o t_prng \ -- t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o -+ t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o \ -+ t_short t_short.o - -$(RM) t_prng.output - - all-windows:: -@@ -761,6 +767,15 @@ - $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ - $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ - $(srcdir)/hash_provider/hash_provider.h t_cts.c -+t_short.so t_short.po $(OUTPRE)t_short.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ -+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ -+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \ -+ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ -+ $(SRCTOP)/include/k5-platform.h 
$(SRCTOP)/include/k5-plugin.h \ -+ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ -+ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ -+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ -+ t_short.c - vectors.so vectors.po $(OUTPRE)vectors.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-err.h \ -Index: src/lib/crypto/arcfour/arcfour.c -=================================================================== ---- src/lib/crypto/arcfour/arcfour.c (revision 23398) -+++ src/lib/crypto/arcfour/arcfour.c (working copy) -@@ -203,6 +203,12 @@ - keylength = enc->keylength; - hashsize = hash->hashsize; - -+ /* Verify input and output lengths. */ -+ if (input->length < hashsize + CONFOUNDERLENGTH) -+ return KRB5_BAD_MSIZE; -+ if (output->length < input->length - hashsize - CONFOUNDERLENGTH) -+ return KRB5_BAD_MSIZE; -+ - d1.length=keybytes; - d1.data=malloc(d1.length); - if (d1.data == NULL) -Index: src/lib/crypto/enc_provider/aes.c -=================================================================== ---- src/lib/crypto/enc_provider/aes.c (revision 23398) -+++ src/lib/crypto/enc_provider/aes.c (working copy) -@@ -94,9 +94,11 @@ - nblocks = (input->length + BLOCK_SIZE - 1) / BLOCK_SIZE; - - if (nblocks == 1) { -- /* XXX Used for DK function. */ -+ /* Used when deriving keys. 
*/ -+ if (input->length < BLOCK_SIZE) -+ return KRB5_BAD_MSIZE; - enc(output->data, input->data, &ctx); -- } else { -+ } else if (nblocks > 1) { - unsigned int nleft; - - for (blockno = 0; blockno < nblocks - 2; blockno++) { -@@ -149,9 +151,9 @@ - - if (nblocks == 1) { - if (input->length < BLOCK_SIZE) -- abort(); -+ return KRB5_BAD_MSIZE; - dec(output->data, input->data, &ctx); -- } else { -+ } else if (nblocks > 1) { - - for (blockno = 0; blockno < nblocks - 2; blockno++) { - dec(tmp2, input->data + blockno * BLOCK_SIZE, &ctx); -Index: src/lib/crypto/dk/dk_decrypt.c -=================================================================== ---- src/lib/crypto/dk/dk_decrypt.c (revision 23398) -+++ src/lib/crypto/dk/dk_decrypt.c (working copy) -@@ -89,6 +89,12 @@ - else if (hmacsize > hashsize) - return KRB5KRB_AP_ERR_BAD_INTEGRITY; - -+ /* Verify input and output lengths. */ -+ if (input->length < blocksize + hmacsize) -+ return KRB5_BAD_MSIZE; -+ if (output->length < input->length - blocksize - hmacsize) -+ return KRB5_BAD_MSIZE; -+ - enclen = input->length - hmacsize; - - if ((kedata = (unsigned char *) malloc(keylength)) == NULL) -Index: src/lib/crypto/raw/raw_decrypt.c -=================================================================== ---- src/lib/crypto/raw/raw_decrypt.c (revision 23398) -+++ src/lib/crypto/raw/raw_decrypt.c (working copy) -@@ -34,5 +34,7 @@ - const krb5_data *ivec, const krb5_data *input, - krb5_data *output) - { -+ if (output->length < input->length) -+ return KRB5_BAD_MSIZE; - return((*(enc->decrypt))(key, ivec, input, output)); - } -Index: src/lib/crypto/t_short.c -=================================================================== ---- src/lib/crypto/t_short.c (revision 0) -+++ src/lib/crypto/t_short.c (revision 0) -@@ -0,0 +1,112 @@ -+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -+/* -+ * lib/crypto/crypto_tests/t_short.c -+ * -+ * Copyright (C) 2009 by the Massachusetts Institute of Technology. -+ * All rights reserved. 
-+ * -+ * Export of this software from the United States of America may -+ * require a specific license from the United States Government. -+ * It is the responsibility of any person or organization contemplating -+ * export to obtain such a license before exporting. -+ * -+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -+ * distribute this software and its documentation for any purpose and -+ * without fee is hereby granted, provided that the above copyright -+ * notice appear in all copies and that both that copyright notice and -+ * this permission notice appear in supporting documentation, and that -+ * the name of M.I.T. not be used in advertising or publicity pertaining -+ * to distribution of the software without specific, written prior -+ * permission. Furthermore if you modify this software you must label -+ * your software as modified software and not distribute it in such a -+ * fashion that it might be confused with the original M.I.T. software. -+ * M.I.T. makes no representations about the suitability of -+ * this software for any purpose. It is provided "as is" without express -+ * or implied warranty. -+ * -+ * Tests the outcome of decrypting overly short tokens. This program can be -+ * run under a tool like valgrind to detect bad memory accesses; when run -+ * normally by the test suite, it verifies that each operation returns -+ * KRB5_BAD_MSIZE. -+ */ -+ -+#include "k5-int.h" -+ -+krb5_enctype interesting_enctypes[] = { -+ ENCTYPE_DES_CBC_CRC, -+ ENCTYPE_DES_CBC_MD4, -+ ENCTYPE_DES_CBC_MD5, -+ ENCTYPE_DES3_CBC_SHA1, -+ ENCTYPE_ARCFOUR_HMAC, -+ ENCTYPE_ARCFOUR_HMAC_EXP, -+ ENCTYPE_AES256_CTS_HMAC_SHA1_96, -+ ENCTYPE_AES128_CTS_HMAC_SHA1_96, -+ 0 -+}; -+ -+/* Abort if an operation unexpectedly fails. */ -+static void -+x(krb5_error_code code) -+{ -+ if (code != 0) -+ abort(); -+} -+ -+/* Abort if a decrypt operation doesn't have the expected result. 
*/ -+static void -+check_decrypt_result(krb5_error_code code, size_t len, size_t min_len) -+{ -+ if (len < min_len) { -+ /* Undersized tokens should always result in BAD_MSIZE. */ -+ if (code != KRB5_BAD_MSIZE) -+ abort(); -+ } else { -+ /* Min-size tokens should succeed or fail the integrity check. */ -+ if (code != 0 && code != KRB5KRB_AP_ERR_BAD_INTEGRITY) -+ abort(); -+ } -+} -+ -+static void -+test_enctype(krb5_enctype enctype) -+{ -+ krb5_error_code ret; -+ krb5_keyblock keyblock; -+ krb5_enc_data input; -+ krb5_data output; -+ size_t min_len, len; -+ -+ printf("Testing enctype %d\n", (int) enctype); -+ x(krb5_c_encrypt_length(NULL, enctype, 0, &min_len)); -+ x(krb5_c_make_random_key(NULL, enctype, &keyblock)); -+ input.enctype = enctype; -+ -+ /* Try each length up to the minimum length. */ -+ for (len = 0; len <= min_len; len++) { -+ input.ciphertext.data = calloc(len, 1); -+ input.ciphertext.length = len; -+ output.data = calloc(len, 1); -+ output.length = len; -+ -+ /* Attempt a normal decryption. */ -+ ret = krb5_c_decrypt(NULL, &keyblock, 0, NULL, &input, &output); -+ check_decrypt_result(ret, len, min_len); -+ -+ free(input.ciphertext.data); -+ free(output.data); -+ } -+} -+ -+int -+main(int argc, char **argv) -+{ -+ int i; -+ krb5_data notrandom; -+ -+ notrandom.data = "notrandom"; -+ notrandom.length = 9; -+ krb5_c_random_seed(NULL, ¬random); -+ for (i = 0; interesting_enctypes[i]; i++) -+ test_enctype(interesting_enctypes[i]); -+ return 0; -+} -Index: src/lib/crypto/old/old_decrypt.c -=================================================================== ---- src/lib/crypto/old/old_decrypt.c (revision 23398) -+++ src/lib/crypto/old/old_decrypt.c (working copy) -@@ -45,8 +45,10 @@ - blocksize = enc->block_size; - hashsize = hash->hashsize; - -+ /* Verify input and output lengths. 
*/ -+ if (input->length < blocksize + hashsize || input->length % blocksize != 0) -+ return(KRB5_BAD_MSIZE); - plainsize = input->length - blocksize - hashsize; -- - if (arg_output->length < plainsize) - return(KRB5_BAD_MSIZE); - diff --git a/app-crypt/mit-krb5/files/1.6-MITKRB5-SA-2008-001.patch b/app-crypt/mit-krb5/files/1.6-MITKRB5-SA-2008-001.patch deleted file mode 100644 index cd352884b1c9..000000000000 --- a/app-crypt/mit-krb5/files/1.6-MITKRB5-SA-2008-001.patch +++ /dev/null 
@@ -1,331 +0,0 @@ ---- src/kdc/dispatch.c (revision 20192) -+++ src/kdc/dispatch.c (working copy) -@@ -1,7 +1,7 @@ - /* - * kdc/dispatch.c - * -- * Copyright 1990 by the Massachusetts Institute of Technology. -+ * Copyright 1990, 2007 by the Massachusetts Institute of Technology. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. -@@ -107,7 +107,7 @@ - retval = KRB5KRB_AP_ERR_MSG_TYPE; - #ifndef NOCACHE - /* put the response into the lookaside buffer */ -- if (!retval) -+ if (!retval && *response != NULL) - kdc_insert_lookaside(pkt, *response); - #endif - ---- src/kdc/kerberos_v4.c (revision 20192) -+++ src/kdc/kerberos_v4.c (working copy) -@@ -1,7 +1,7 @@ - /* - * kdc/kerberos_v4.c - * -- * Copyright 1985, 1986, 1987, 1988,1991 by the Massachusetts Institute -+ * Copyright 1985, 1986, 1987, 1988,1991,2007 by the Massachusetts Institute - * of Technology. - * All Rights Reserved. - * -@@ -87,11 +87,6 @@ - #define MSB_FIRST 0 /* 68000, IBM RT/PC */ - #define LSB_FIRST 1 /* Vax, PC8086 */ - --int f; -- --/* XXX several files in libkdb know about this */ --char *progname; -- - #ifndef BACKWARD_COMPAT - static Key_schedule master_key_schedule; - static C_Block master_key; -@@ -143,10 +138,8 @@ - #include "com_err.h" - #include "extern.h" /* to pick up master_princ */ - --static krb5_data *response; -- --void kerberos_v4 (struct sockaddr_in *, KTEXT); --void kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *); -+static krb5_data *kerberos_v4 (struct sockaddr_in *, KTEXT); -+static krb5_data *kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *); - static int set_tgtkey (char *, krb5_kvno, krb5_boolean); - - /* Attributes converted from V5 to V4 - internal representation */ -@@ -262,12 +255,12 @@ - (void) klog(L_KRB_PERR, "V4 request too long."); - return KRB5KRB_ERR_FIELD_TOOLONG; - } -+ memset( &v4_pkt, 0, sizeof(v4_pkt)); - v4_pkt.length = pkt->length; - v4_pkt.mbz = 0; - 
memcpy( v4_pkt.dat, pkt->data, pkt->length); - -- kerberos_v4( &client_sockaddr, &v4_pkt); -- *resp = response; -+ *resp = kerberos_v4( &client_sockaddr, &v4_pkt); - return(retval); - } - -@@ -300,19 +293,20 @@ - } - - static --int krb4_sendto(int s, const char *msg, int len, int flags, -- const struct sockaddr *to, int to_len) -+krb5_data *make_response(const char *msg, int len) - { -+ krb5_data *response; -+ - if ( !(response = (krb5_data *) malloc( sizeof *response))) { -- return ENOMEM; -+ return 0; - } - if ( !(response->data = (char *) malloc( len))) { - krb5_free_data(kdc_context, response); -- return ENOMEM; -+ return 0; - } - response->length = len; - memcpy( response->data, msg, len); -- return( 0); -+ return response; - } - static void - hang(void) -@@ -586,7 +580,7 @@ - *cp = 0; - } - --void -+static krb5_data * - kerberos_v4(struct sockaddr_in *client, KTEXT pkt) - { - static KTEXT_ST rpkt_st; -@@ -599,8 +593,8 @@ - KTEXT auth = &auth_st; - AUTH_DAT ad_st; - AUTH_DAT *ad = &ad_st; -+ krb5_data *response = 0; - -- - static struct in_addr client_host; - static int msg_byte_order; - static int swap_bytes; -@@ -637,8 +631,7 @@ - inet_ntoa(client_host)); - /* send an error reply */ - req_name_ptr = req_inst_ptr = req_realm_ptr = ""; -- kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); -- return; -+ return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); - } - - /* check packet version */ -@@ -648,8 +641,7 @@ - KRB_PROT_VERSION, req_version, 0); - /* send an error reply */ - req_name_ptr = req_inst_ptr = req_realm_ptr = ""; -- kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); -- return; -+ return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); - } - msg_byte_order = req_msg_type & 1; - -@@ -707,10 +699,10 @@ - - if ((i = check_princ(req_name_ptr, req_inst_ptr, 0, - &a_name_data, &k5key, 0, &ck5life))) { -- kerb_err_reply(client, pkt, i, "check_princ failed"); -+ response = kerb_err_reply(client, pkt, i, "check_princ failed"); - a_name_data.key_low = 
a_name_data.key_high = 0; - krb5_free_keyblock_contents(kdc_context, &k5key); -- return; -+ return response; - } - /* don't use k5key for client */ - krb5_free_keyblock_contents(kdc_context, &k5key); -@@ -722,11 +714,11 @@ - /* this does all the checking */ - if ((i = check_princ(service, instance, lifetime, - &s_name_data, &k5key, 1, &sk5life))) { -- kerb_err_reply(client, pkt, i, "check_princ failed"); -+ response = kerb_err_reply(client, pkt, i, "check_princ failed"); - a_name_data.key_high = a_name_data.key_low = 0; - s_name_data.key_high = s_name_data.key_low = 0; - krb5_free_keyblock_contents(kdc_context, &k5key); -- return; -+ return response; - } - /* Bound requested lifetime with service and user */ - v4req_end = krb_life_to_time(kerb_time.tv_sec, req_life); -@@ -797,8 +789,7 @@ - rpkt = create_auth_reply(req_name_ptr, req_inst_ptr, - req_realm_ptr, req_time_ws, 0, a_name_data.exp_date, - a_name_data.key_version, ciph); -- krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0, -- (struct sockaddr *) client, sizeof (struct sockaddr_in)); -+ response = make_response((char *) rpkt->dat, rpkt->length); - memset(&a_name_data, 0, sizeof(a_name_data)); - memset(&s_name_data, 0, sizeof(s_name_data)); - break; -@@ -824,9 +815,8 @@ - lt = klog(L_KRB_PERR, - "APPL request with realm length too long from %s", - inet_ntoa(client_host)); -- kerb_err_reply(client, pkt, RD_AP_INCON, -- "realm length too long"); -- return; -+ return kerb_err_reply(client, pkt, RD_AP_INCON, -+ "realm length too long"); - } - - auth->length += (int) *(pkt->dat + auth->length) + -@@ -835,9 +825,8 @@ - lt = klog(L_KRB_PERR, - "APPL request with funky tkt or req_id length from %s", - inet_ntoa(client_host)); -- kerb_err_reply(client, pkt, RD_AP_INCON, -- "funky tkt or req_id length"); -- return; -+ return kerb_err_reply(client, pkt, RD_AP_INCON, -+ "funky tkt or req_id length"); - } - - memcpy(auth->dat, pkt->dat, auth->length); -@@ -848,18 +837,16 @@ - if ((!allow_v4_crossrealm)&&strcmp(tktrlm, 
local_realm) != 0) { - lt = klog(L_ERR_UNK, - "Cross realm ticket from %s denied by policy,", tktrlm); -- kerb_err_reply(client, pkt, -- KERB_ERR_PRINCIPAL_UNKNOWN, lt); -- return; -+ return kerb_err_reply(client, pkt, -+ KERB_ERR_PRINCIPAL_UNKNOWN, lt); - } - if (set_tgtkey(tktrlm, kvno, 0)) { -- lt = klog(L_ERR_UNK, -+ lt = klog(L_ERR_UNK, - "FAILED set_tgtkey realm %s, kvno %d. Host: %s ", - tktrlm, kvno, inet_ntoa(client_host)); - /* no better error code */ -- kerb_err_reply(client, pkt, -- KERB_ERR_PRINCIPAL_UNKNOWN, lt); -- return; -+ return kerb_err_reply(client, pkt, -+ KERB_ERR_PRINCIPAL_UNKNOWN, lt); - } - kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr, - ad, 0); -@@ -869,9 +856,8 @@ - "FAILED 3des set_tgtkey realm %s, kvno %d. Host: %s ", - tktrlm, kvno, inet_ntoa(client_host)); - /* no better error code */ -- kerb_err_reply(client, pkt, -- KERB_ERR_PRINCIPAL_UNKNOWN, lt); -- return; -+ return kerb_err_reply(client, pkt, -+ KERB_ERR_PRINCIPAL_UNKNOWN, lt); - } - kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr, - ad, 0); -@@ -881,8 +867,7 @@ - klog(L_ERR_UNK, "FAILED krb_rd_req from %s: %s", - inet_ntoa(client_host), krb_get_err_text(kerno)); - req_name_ptr = req_inst_ptr = req_realm_ptr = ""; -- kerb_err_reply(client, pkt, kerno, "krb_rd_req failed"); -- return; -+ return kerb_err_reply(client, pkt, kerno, "krb_rd_req failed"); - } - ptr = (char *) pkt->dat + auth->length; - -@@ -904,22 +889,21 @@ - req_realm_ptr = ad->prealm; - - if (strcmp(ad->prealm, tktrlm)) { -- kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, -- "Can't hop realms"); -- return; -+ return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, -+ "Can't hop realms"); - } - if (!strcmp(service, "changepw")) { -- kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, -- "Can't authorize password changed based on TGT"); -- return; -+ return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, -+ "Can't authorize password changed based on TGT"); - 
} - kerno = check_princ(service, instance, req_life, - &s_name_data, &k5key, 1, &sk5life); - if (kerno) { -- kerb_err_reply(client, pkt, kerno, "check_princ failed"); -+ response = kerb_err_reply(client, pkt, kerno, -+ "check_princ failed"); - s_name_data.key_high = s_name_data.key_low = 0; - krb5_free_keyblock_contents(kdc_context, &k5key); -- return; -+ return response; - } - /* Bound requested lifetime with service and user */ - v4endtime = krb_life_to_time((KRB4_32)ad->time_sec, ad->life); -@@ -975,8 +959,7 @@ - rpkt = create_auth_reply(ad->pname, ad->pinst, - ad->prealm, time_ws, - 0, 0, 0, ciph); -- krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0, -- (struct sockaddr *) client, sizeof (struct sockaddr_in)); -+ response = make_response((char *) rpkt->dat, rpkt->length); - memset(&s_name_data, 0, sizeof(s_name_data)); - break; - } -@@ -1001,6 +984,7 @@ - break; - } - } -+ return response; - } - - -@@ -1010,7 +994,7 @@ - * client. - */ - --void -+static krb5_data * - kerb_err_reply(struct sockaddr_in *client, KTEXT pkt, long int err, char *string) - { - static KTEXT_ST e_pkt_st; -@@ -1021,9 +1005,7 @@ - strncat(e_msg, string, sizeof(e_msg) - 1 - 19); - cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr, - req_time_ws, err, e_msg); -- krb4_sendto(f, (char *) e_pkt->dat, e_pkt->length, 0, -- (struct sockaddr *) client, sizeof (struct sockaddr_in)); -- -+ return make_response((char *) e_pkt->dat, e_pkt->length); - } - - static int ---- src/kdc/network.c (revision 20192) -+++ src/kdc/network.c (working copy) -@@ -1,7 +1,7 @@ - /* - * kdc/network.c - * -- * Copyright 1990,2000 by the Massachusetts Institute of Technology. -+ * Copyright 1990,2000,2007 by the Massachusetts Institute of Technology. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. 
-@@ -747,6 +747,8 @@ - com_err(prog, retval, "while dispatching (udp)"); - return; - } -+ if (response == NULL) -+ return; - cc = sendto(port_fd, response->data, (socklen_t) response->length, 0, - (struct sockaddr *)&saddr, saddr_len); - if (cc == -1) { diff --git a/app-crypt/mit-krb5/files/1.7-CVE-2009-4212.patch b/app-crypt/mit-krb5/files/1.7-CVE-2009-4212.patch deleted file mode 100644 index df2edcade240..000000000000 --- a/app-crypt/mit-krb5/files/1.7-CVE-2009-4212.patch +++ /dev/null 
@@ -1,377 +0,0 @@
-Index: src/lib/crypto/Makefile.in
-===================================================================
---- src/lib/crypto/Makefile.in (revision 23398)
-+++ src/lib/crypto/Makefile.in (working copy)
-@@ -18,6 +18,7 @@
- $(srcdir)/t_nfold.c \
- $(srcdir)/t_cf2.c \
- $(srcdir)/t_encrypt.c \
-+ $(srcdir)/t_short.c \
- $(srcdir)/t_prf.c \
- $(srcdir)/t_prng.c \
- $(srcdir)/t_hmac.c \
-@@ -206,7 +207,7 @@
-
- clean-unix:: clean-liblinks clean-libs clean-libobjs
-
--check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_cf2
-+check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_cf2 t_short
- $(RUN_SETUP) $(VALGRIND) ./t_nfold
- $(RUN_SETUP) $(VALGRIND) ./t_encrypt
- $(RUN_SETUP) $(VALGRIND) ./t_prng <$(srcdir)/t_prng.seed >t_prng.output && \
-@@ -216,6 +217,7 @@
- diff t_prf.output $(srcdir)/t_prf.expected
- $(RUN_SETUP) $(VALGRIND) ./t_cf2 <$(srcdir)/t_cf2.in >t_cf2.output
- diff t_cf2.output $(srcdir)/t_cf2.expected
-+ $(RUN_SETUP) $(VALGRIND) ./t_short
-
-
- # $(RUN_SETUP) $(VALGRIND) ./t_pkcs5
-@@ -249,10 +251,15 @@
- $(CC_LINK) -o $@ t_cts.$(OBJEXT) \
- $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB)
-
-+t_short$(EXEEXT): t_short.$(OBJEXT) $(CRYPTO_DEPLIB) $(SUPPORT_DEPLIB)
-+ $(CC_LINK) -o $@ t_short.$(OBJEXT) \
-+ $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB)
-
-+
- clean::
- $(RM) t_nfold.o t_nfold t_encrypt t_encrypt.o t_prng.o t_prng \
-- t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o t_cf2 t_cf2.o
-+ t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o \
-+ t_cf2 t_cf2.o t_short t_short.o
- -$(RM) t_prng.output
-
- all-windows::
-Index: src/lib/crypto/arcfour/arcfour.c
-===================================================================
---- src/lib/crypto/arcfour/arcfour.c (revision 23398)
-+++ src/lib/crypto/arcfour/arcfour.c (working copy)
-@@ -199,6 +199,12 @@
- keylength = enc->keylength;
- hashsize = hash->hashsize;
-
-+ /* Verify input and output lengths. */
-+ if (input->length < hashsize + CONFOUNDERLENGTH)
-+ return KRB5_BAD_MSIZE;
-+ if (output->length < input->length - hashsize - CONFOUNDERLENGTH)
-+ return KRB5_BAD_MSIZE;
-+
- d1.length=keybytes;
- d1.data=malloc(d1.length);
- if (d1.data == NULL)
-Index: src/lib/crypto/enc_provider/aes.c
-===================================================================
---- src/lib/crypto/enc_provider/aes.c (revision 23398)
-+++ src/lib/crypto/enc_provider/aes.c (working copy)
-@@ -105,9 +105,11 @@
- nblocks = (input->length + BLOCK_SIZE - 1) / BLOCK_SIZE;
-
- if (nblocks == 1) {
-- /* XXX Used for DK function. */
-+ /* Used when deriving keys. */
-+ if (input->length < BLOCK_SIZE)
-+ return KRB5_BAD_MSIZE;
- enc(output->data, input->data, &ctx);
-- } else {
-+ } else if (nblocks > 1) {
- unsigned int nleft;
-
- for (blockno = 0; blockno < nblocks - 2; blockno++) {
-@@ -160,9 +162,9 @@
-
- if (nblocks == 1) {
- if (input->length < BLOCK_SIZE)
-- abort();
-+ return KRB5_BAD_MSIZE;
- dec(output->data, input->data, &ctx);
-- } else {
-+ } else if (nblocks > 1) {
-
- for (blockno = 0; blockno < nblocks - 2; blockno++) {
- dec(tmp2, input->data + blockno * BLOCK_SIZE, &ctx);
-@@ -208,6 +210,7 @@
- char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE];
- int nblocks = 0, blockno;
- size_t input_length, i;
-+ struct iov_block_state input_pos, output_pos;
-
- if (aes_enc_key(key->contents, key->length, &ctx) != aes_good)
- abort();
-@@ -224,18 +227,20 @@
- input_length += iov->data.length;
- }
-
-+ IOV_BLOCK_STATE_INIT(&input_pos);
-+ IOV_BLOCK_STATE_INIT(&output_pos);
-+
- nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
--
-- assert(nblocks > 1);
--
-- {
-+ if (nblocks == 1) {
-+ krb5int_c_iov_get_block((unsigned char *)tmp, BLOCK_SIZE,
-+ data, num_data, &input_pos);
-+ enc(tmp2, tmp, &ctx);
-+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2,
-+ BLOCK_SIZE, &output_pos);
-+ } else if (nblocks > 1) {
- char blockN2[BLOCK_SIZE]; /* second last */
- char blockN1[BLOCK_SIZE]; /* last block */
-- struct iov_block_state input_pos, output_pos;
-
-- IOV_BLOCK_STATE_INIT(&input_pos);
-- IOV_BLOCK_STATE_INIT(&output_pos);
--
- for (blockno = 0; blockno < nblocks - 2; blockno++) {
- char blockN[BLOCK_SIZE];
-
-@@ -288,6 +293,7 @@
- char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE];
- int nblocks = 0, blockno, i;
- size_t input_length;
-+ struct iov_block_state input_pos, output_pos;
-
- CHECK_SIZES;
-
-@@ -306,18 +312,20 @@
- input_length += iov->data.length;
- }
-
-+ IOV_BLOCK_STATE_INIT(&input_pos);
-+ IOV_BLOCK_STATE_INIT(&output_pos);
-+
- nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
--
-- assert(nblocks > 1);
--
-- {
-+ if (nblocks == 1) {
-+ krb5int_c_iov_get_block((unsigned char *)tmp, BLOCK_SIZE,
-+ data, num_data, &input_pos);
-+ dec(tmp2, tmp, &ctx);
-+ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2,
-+ BLOCK_SIZE, &output_pos);
-+ } else if (nblocks > 1) {
- char blockN2[BLOCK_SIZE]; /* second last */
- char blockN1[BLOCK_SIZE]; /* last block */
-- struct iov_block_state input_pos, output_pos;
-
-- IOV_BLOCK_STATE_INIT(&input_pos);
-- IOV_BLOCK_STATE_INIT(&output_pos);
--
- for (blockno = 0; blockno < nblocks - 2; blockno++) {
- char blockN[BLOCK_SIZE];
-
-Index: src/lib/crypto/dk/dk_aead.c
-===================================================================
---- src/lib/crypto/dk/dk_aead.c (revision 23398)
-+++ src/lib/crypto/dk/dk_aead.c (working copy)
-@@ -248,7 +248,7 @@
- for (i = 0; i < num_data; i++) {
- const krb5_crypto_iov *iov = &data[i];
-
-- if (ENCRYPT_DATA_IOV(iov))
-+ if (ENCRYPT_IOV(iov))
- cipherlen += iov->data.length;
- }
-
-Index: src/lib/crypto/dk/dk_decrypt.c
-===================================================================
---- src/lib/crypto/dk/dk_decrypt.c (revision 23398)
-+++ src/lib/crypto/dk/dk_decrypt.c (working copy)
-@@ -89,6 +89,12 @@
- else if (hmacsize > hashsize)
- return KRB5KRB_AP_ERR_BAD_INTEGRITY;
-
-+ /* Verify input and output lengths. */
-+ if (input->length < blocksize + hmacsize)
-+ return KRB5_BAD_MSIZE;
-+ if (output->length < input->length - blocksize - hmacsize)
-+ return KRB5_BAD_MSIZE;
-+
- enclen = input->length - hmacsize;
-
- if ((kedata = (unsigned char *) malloc(keylength)) == NULL)
-Index: src/lib/crypto/raw/raw_decrypt.c
-===================================================================
---- src/lib/crypto/raw/raw_decrypt.c (revision 23398)
-+++ src/lib/crypto/raw/raw_decrypt.c (working copy)
-@@ -34,5 +34,7 @@
- const krb5_data *ivec, const krb5_data *input,
- krb5_data *output)
- {
-+ if (output->length < input->length)
-+ return KRB5_BAD_MSIZE;
- return((*(enc->decrypt))(key, ivec, input, output));
- }
-Index: src/lib/crypto/deps
-===================================================================
---- src/lib/crypto/deps (revision 23398)
-+++ src/lib/crypto/deps (working copy)
-@@ -463,6 +463,16 @@
- $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
- $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
- $(SRCTOP)/include/socket-utils.h etypes.h t_encrypt.c
-+t_short.so t_short.po $(OUTPRE)t_short.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
-+ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
-+ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
-+ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
-+ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
-+ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
-+ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-+ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-+ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-+ t_short.c
- t_prf.so t_prf.po $(OUTPRE)t_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
- $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
- $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
-Index: src/lib/crypto/t_short.c
-===================================================================
---- src/lib/crypto/t_short.c (revision 0)
-+++ src/lib/crypto/t_short.c (revision 0)
-@@ -0,0 +1,126 @@
-+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-+/*
-+ * lib/crypto/crypto_tests/t_short.c
-+ *
-+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
-+ * All rights reserved.
-+ *
-+ * Export of this software from the United States of America may
-+ * require a specific license from the United States Government.
-+ * It is the responsibility of any person or organization contemplating
-+ * export to obtain such a license before exporting.
-+ *
-+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-+ * distribute this software and its documentation for any purpose and
-+ * without fee is hereby granted, provided that the above copyright
-+ * notice appear in all copies and that both that copyright notice and
-+ * this permission notice appear in supporting documentation, and that
-+ * the name of M.I.T. not be used in advertising or publicity pertaining
-+ * to distribution of the software without specific, written prior
-+ * permission. Furthermore if you modify this software you must label
-+ * your software as modified software and not distribute it in such a
-+ * fashion that it might be confused with the original M.I.T. software.
-+ * M.I.T. makes no representations about the suitability of
-+ * this software for any purpose. It is provided "as is" without express
-+ * or implied warranty.
-+ *
-+ * Tests the outcome of decrypting overly short tokens. This program can be
-+ * run under a tool like valgrind to detect bad memory accesses; when run
-+ * normally by the test suite, it verifies that each operation returns
-+ * KRB5_BAD_MSIZE.
-+ */
-+
-+#include "k5-int.h"
-+
-+krb5_enctype interesting_enctypes[] = {
-+ ENCTYPE_DES_CBC_CRC,
-+ ENCTYPE_DES_CBC_MD4,
-+ ENCTYPE_DES_CBC_MD5,
-+ ENCTYPE_DES3_CBC_SHA1,
-+ ENCTYPE_ARCFOUR_HMAC,
-+ ENCTYPE_ARCFOUR_HMAC_EXP,
-+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
-+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
-+ 0
-+};
-+
-+/* Abort if an operation unexpectedly fails. */
-+static void
-+x(krb5_error_code code)
-+{
-+ if (code != 0)
-+ abort();
-+}
-+
-+/* Abort if a decrypt operation doesn't have the expected result. */
-+static void
-+check_decrypt_result(krb5_error_code code, size_t len, size_t min_len)
-+{
-+ if (len < min_len) {
-+ /* Undersized tokens should always result in BAD_MSIZE. */
-+ if (code != KRB5_BAD_MSIZE)
-+ abort();
-+ } else {
-+ /* Min-size tokens should succeed or fail the integrity check. */
-+ if (code != 0 && code != KRB5KRB_AP_ERR_BAD_INTEGRITY)
-+ abort();
-+ }
-+}
-+
-+static void
-+test_enctype(krb5_enctype enctype)
-+{
-+ krb5_error_code ret;
-+ krb5_keyblock keyblock;
-+ krb5_enc_data input;
-+ krb5_data output;
-+ krb5_crypto_iov iov[2];
-+ unsigned int dummy;
-+ size_t min_len, len;
-+
-+ printf("Testing enctype %d\n", (int) enctype);
-+ x(krb5_c_encrypt_length(NULL, enctype, 0, &min_len));
-+ x(krb5_c_make_random_key(NULL, enctype, &keyblock));
-+ input.enctype = enctype;
-+
-+ /* Try each length up to the minimum length. */
-+ for (len = 0; len <= min_len; len++) {
-+ input.ciphertext.data = calloc(len, 1);
-+ input.ciphertext.length = len;
-+ output.data = calloc(len, 1);
-+ output.length = len;
-+
-+ /* Attempt a normal decryption. */
-+ ret = krb5_c_decrypt(NULL, &keyblock, 0, NULL, &input, &output);
-+ check_decrypt_result(ret, len, min_len);
-+
-+ if (krb5_c_crypto_length(NULL, enctype, KRB5_CRYPTO_TYPE_HEADER,
-+ &dummy) == 0) {
-+ /* Attempt an IOV stream decryption. */
-+ iov[0].flags = KRB5_CRYPTO_TYPE_STREAM;
-+ iov[0].data = input.ciphertext;
-+ iov[1].flags = KRB5_CRYPTO_TYPE_DATA;
-+ iov[1].data.data = NULL;
-+ iov[1].data.length = 0;
-+ ret = krb5_c_decrypt_iov(NULL, &keyblock, 0, NULL, iov, 2);
-+ check_decrypt_result(ret, len, min_len);
-+ }
-+
-+ free(input.ciphertext.data);
-+ free(output.data);
-+ }
-+}
-+
-+int
-+main(int argc, char **argv)
-+{
-+ int i;
-+ krb5_data notrandom;
-+
-+ notrandom.data = "notrandom";
-+ notrandom.length = 9;
-+ krb5_c_random_seed(NULL, ¬random);
-+ for (i = 0; interesting_enctypes[i]; i++)
-+ test_enctype(interesting_enctypes[i]);
-+ return 0;
-+}
-Index: src/lib/crypto/old/old_decrypt.c
-===================================================================
---- src/lib/crypto/old/old_decrypt.c (revision 23398)
-+++ src/lib/crypto/old/old_decrypt.c (working copy)
-@@ -45,8 +45,10 @@
- blocksize = enc->block_size;
- hashsize = hash->hashsize;
-
-+ /* Verify input and output lengths. */
-+ if (input->length < blocksize + hashsize || input->length % blocksize != 0)
-+ return(KRB5_BAD_MSIZE);
- plainsize = input->length - blocksize - hashsize;
--
- if (arg_output->length < plainsize)
- return(KRB5_BAD_MSIZE);
-
diff --git a/app-crypt/mit-krb5/files/CVE-2009-0844+CVE-2009-0847.patch b/app-crypt/mit-krb5/files/CVE-2009-0844+CVE-2009-0847.patch
deleted file mode 100644
index 310963c2390a..000000000000
--- a/app-crypt/mit-krb5/files/CVE-2009-0844+CVE-2009-0847.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-Index: krb5-1.6.3/src/lib/gssapi/spnego/spnego_mech.c
-===================================================================
---- krb5-1.6.3.orig/src/lib/gssapi/spnego/spnego_mech.c
-+++ krb5-1.6.3/src/lib/gssapi/spnego/spnego_mech.c
-@@ -1815,7 +1815,8 @@ get_input_token(unsigned char **buff_in,
- return (NULL);
-
- input_token->length = gssint_get_der_length(buff_in, buff_length, &bytes);
-- if ((int)input_token->length == -1) {
-+ if ((int)input_token->length == -1 ||
-+ input_token->length > buff_length) {
- free(input_token);
- return (NULL);
- }
-Index: krb5-1.6.3/src/lib/krb5/asn.1/asn1buf.c
-===================================================================
---- krb5-1.6.3.orig/src/lib/krb5/asn.1/asn1buf.c
-+++ krb5-1.6.3/src/lib/krb5/asn.1/asn1buf.c
-@@ -78,11 +78,11 @@ asn1_error_code asn1buf_wrap_data(asn1bu
-
- asn1_error_code asn1buf_imbed(asn1buf *subbuf, const asn1buf *buf, const unsigned int length, const int indef)
- {
-+ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
- subbuf->base = subbuf->next = buf->next;
- if (!indef) {
-+ if (length > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN;
- subbuf->bound = subbuf->base + length - 1;
-- if (subbuf->bound > buf->bound)
-- return ASN1_OVERRUN;
- } else /* constructed indefinite */
- subbuf->bound = buf->bound;
- return 0;
-@@ -200,6 +200,7 @@ asn1_error_code asn1buf_remove_octetstri
- {
- int i;
-
-+ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
- if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
- if (len == 0) {
- *s = 0;
-@@ -218,6 +219,7 @@ asn1_error_code asn1buf_remove_charstrin
- {
- int i;
-
-+ if (buf->next > buf->bound + 1) return ASN1_OVERRUN;
- if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN;
- if (len == 0) {
- *s = 0;
diff --git a/app-crypt/mit-krb5/files/CVE-2009-0846.patch b/app-crypt/mit-krb5/files/CVE-2009-0846.patch
deleted file mode 100644
index efbb9af889ee..000000000000
--- a/app-crypt/mit-krb5/files/CVE-2009-0846.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-diff --git a/src/lib/krb5/asn.1/asn1_decode.c
-b/src/lib/krb5/asn.1/asn1_decode.c
-index aa4be32..5f7461d 100644
---- a/src/lib/krb5/asn.1/asn1_decode.c
-+++ b/src/lib/krb5/asn.1/asn1_decode.c
-@@ -231,6 +231,7 @@ asn1_error_code asn1_decode_generaltime(asn1buf *buf, time_t *val)
-
- if(length != 15) return ASN1_BAD_LENGTH;
- retval = asn1buf_remove_charstring(buf,15,&s);
-+ if (retval) return retval;
- /* Time encoding: YYYYMMDDhhmmssZ */
- if(s[14] != 'Z') {
- free(s);
-diff --git a/src/tests/asn.1/krb5_decode_test.c
-b/src/tests/asn.1/krb5_decode_test.c
-index 0ff9343..1c427d1 100644
---- a/src/tests/asn.1/krb5_decode_test.c
-+++ b/src/tests/asn.1/krb5_decode_test.c
-@@ -485,5 +485,21 @@ int main(argc, argv)
- ktest_destroy_keyblock(&(ref.subkey));
- ref.seq_number = 0;
- decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part);
-+
-+ retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40");
-+ if (retval) {
-+ com_err("krb5_decode_test", retval, "while parsing");
-+ exit(1);
-+ }
-+ retval = decode_krb5_ap_rep_enc_part(&code, &var);
-+ if (retval != ASN1_OVERRUN) {
-+ printf("ERROR: ");
-+ } else {
-+ printf("OK: ");
-+ }
-+ printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n");
-+ krb5_free_data_contents(test_context, &code);
-+ krb5_free_ap_rep_enc_part(test_context, var);
-+
- ktest_empty_ap_rep_enc_part(&ref);
- }
diff --git a/app-crypt/mit-krb5/files/CVE-2010-1320.patch b/app-crypt/mit-krb5/files/CVE-2010-1320.patch
deleted file mode 100644
index bb6261f48144..000000000000
--- a/app-crypt/mit-krb5/files/CVE-2010-1320.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
-index b2f0655..76ca94a 100644
---- a/src/kdc/do_tgs_req.c
-+++ b/src/kdc/do_tgs_req.c
-@@ -543,6 +543,7 @@ tgt_again:
- to the caller */
- ticket_reply = *(header_ticket);
- enc_tkt_reply = *(header_ticket->enc_part2);
-+ enc_tkt_reply.authorization_data = NULL;
- clear(enc_tkt_reply.flags, TKT_FLG_INVALID);
- }
-
-@@ -554,6 +555,7 @@ tgt_again:
- to the caller */
- ticket_reply = *(header_ticket);
- enc_tkt_reply = *(header_ticket->enc_part2);
-+ enc_tkt_reply.authorization_data = NULL;
-
- old_life = enc_tkt_reply.times.endtime - enc_tkt_reply.times.starttime;
-
diff --git a/app-crypt/mit-krb5/files/CVE-2010-1321.patch b/app-crypt/mit-krb5/files/CVE-2010-1321.patch
deleted file mode 100644
index 7f9f7a4c94af..000000000000
--- a/app-crypt/mit-krb5/files/CVE-2010-1321.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
-index ce3075f..6241055 100644
---- a/src/lib/gssapi/krb5/accept_sec_context.c
-+++ b/src/lib/gssapi/krb5/accept_sec_context.c
-@@ -607,6 +607,13 @@ kg_accept_krb5(minor_status, context_handle,
- }
- #endif
-
-+ if (authdat->checksum == NULL) {
-+ /* missing checksum counts as "inappropriate type" */
-+ code = KRB5KRB_AP_ERR_INAPP_CKSUM;
-+ major_status = GSS_S_FAILURE;
-+ goto fail;
-+ }
-+
- if (authdat->checksum->checksum_type != CKSUMTYPE_KG_CB) {
- /* Samba does not send 0x8003 GSS-API checksums */
- krb5_boolean valid;
diff --git a/app-crypt/mit-krb5/files/MITKRB5-SA-2008-002.patch b/app-crypt/mit-krb5/files/MITKRB5-SA-2008-002.patch
deleted file mode 100644
index b2ec6df1af5e..000000000000
--- a/app-crypt/mit-krb5/files/MITKRB5-SA-2008-002.patch
+++ /dev/null
@@ -1,71 +0,0 @@
---- src/lib/rpc/svc.c (revision 1666)
-+++ src/lib/rpc/svc.c (local)
-@@ -109,15 +109,17 @@
- if (sock < FD_SETSIZE) {
- xports[sock] = xprt;
- FD_SET(sock, &svc_fdset);
-+ if (sock > svc_maxfd)
-+ svc_maxfd = sock;
- }
- #else
- if (sock < NOFILE) {
- xports[sock] = xprt;
- svc_fds |= (1 << sock);
-+ if (sock > svc_maxfd)
-+ svc_maxfd = sock;
- }
- #endif /* def FD_SETSIZE */
-- if (sock > svc_maxfd)
-- svc_maxfd = sock;
- }
-
- /*
---- src/lib/rpc/svc_tcp.c (revision 1666)
-+++ src/lib/rpc/svc_tcp.c (local)
-@@ -54,6 +54,14 @@
- extern errno;
- */
-
-+#ifndef FD_SETSIZE
-+#ifdef NBBY
-+#define NOFILE (sizeof(int) * NBBY)
-+#else
-+#define NOFILE (sizeof(int) * 8)
-+#endif
-+#endif
-+
- /*
- * Ops vector for TCP/IP based rpc service handle
- */
-@@ -221,6 +221,19 @@
- register SVCXPRT *xprt;
- register struct tcp_conn *cd;
-
-+#ifdef FD_SETSIZE
-+ if (fd >= FD_SETSIZE) {
-+ (void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n");
-+ xprt = NULL;
-+ goto done;
-+ }
-+#else
-+ if (fd >= NOFILE) {
-+ (void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n");
-+ xprt = NULL;
-+ goto done;
-+ }
-+#endif
- xprt = (SVCXPRT *)mem_alloc(sizeof(SVCXPRT));
- if (xprt == (SVCXPRT *)NULL) {
- (void) fprintf(stderr, "svc_tcp: makefd_xprt: out of memory\n");
-@@ -271,6 +292,10 @@
- * make a new transporter (re-uses xprt)
- */
- xprt = makefd_xprt(sock, r->sendsize, r->recvsize);
-+ if (xprt == NULL) {
-+ close(sock);
-+ return (FALSE);
-+ }
- xprt->xp_raddr = addr;
- xprt->xp_addrlen = len;
- xprt->xp_laddr = laddr;
-
diff --git a/app-crypt/mit-krb5/files/mit-krb5-lazyldflags.patch b/app-crypt/mit-krb5/files/mit-krb5-lazyldflags.patch
deleted file mode 100644
index ad2adc1dd0dc..000000000000
--- a/app-crypt/mit-krb5/files/mit-krb5-lazyldflags.patch
+++ /dev/null
@@ -1,19 +0,0 @@
---- krb5-1.4/src/clients/ksu/Makefile.in.orig 2004-04-29 18:51:10.000000000 -0400
-+++ krb5-1.4/src/clients/ksu/Makefile.in 2005-04-28 16:51:37.000000000 -0400
-@@ -8,6 +8,7 @@
- PROG_RPATH=$(KRB5_LIBDIR)
-
- KSU_LIBS=@KSU_LIBS@
-+LAZY_LDFLAGS=-Wl,-z,now
-
- SRCS = \
- $(srcdir)/krb_auth_su.c \
-@@ -28,7 +29,7 @@
- all:: ksu
-
- ksu: $(OBJS) $(KRB5_BASE_DEPLIBS)
-- $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS)
-+ $(CC_LINK) -o $@ $(OBJS) $(KRB5_BASE_LIBS) $(KSU_LIBS) $(LAZY_LDFLAGS)
-
- clean::
- $(RM) ksu |