diff options
| author |   Tom Canich <tcanich@canich.net> | 2010-05-13 00:36:58 +0200 |
|---|---|---|
| committer |   Erik Hanson <erik@slackbuilds.org> | 2010-05-13 00:36:58 +0200 |
| commit | 56c0dd0c4004a9be004140854ca4a3a075cf0872 (patch) | |
| tree | b71274244d03b9c8ebe1399f5fc9713bf7d06917 /network/krb5 | |
| parent | f517df9fc79666e2bfd37d5c2169061193f60c88 (diff) | |
| download | slackbuilds-56c0dd0c4004a9be004140854ca4a3a075cf0872.tar.gz slackbuilds-56c0dd0c4004a9be004140854ca4a3a075cf0872.tar.xz | |
network/krb5: Updated for version 1.7
Diffstat (limited to 'network/krb5')
| -rw-r--r-- | network/krb5/README | 10 | ||||
| -rw-r--r-- | network/krb5/krb5.SlackBuild | 33 | ||||
| -rw-r--r-- | network/krb5/krb5.info | 9 | ||||
| -rw-r--r-- | network/krb5/patches/2008-001-patch.txt | 337 | ||||
| -rw-r--r-- | network/krb5/patches/2008-002-patch.txt | 72 | ||||
| -rw-r--r-- | network/krb5/patches/2009-001-patch.txt | 187 | ||||
| -rw-r--r-- | network/krb5/patches/2009-002-patch.txt | 35 | ||||
| -rw-r--r-- | network/krb5/patches/2009-003-patch.txt | 27 | ||||
| -rw-r--r-- | network/krb5/patches/2009-004-patch_1.7.txt | 377 |
9 files changed, 436 insertions, 651 deletions
diff --git a/network/krb5/README b/network/krb5/README index cf7ab7dde3..1cc2092fff 100644 --- a/network/krb5/README +++ b/network/krb5/README @@ -3,3 +3,13 @@ provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many commercial products as well. + +This package includes patches for security advisories: + +MITKRB5-SA-2009-004 + integer underflow in AES and RC4 decryption +MITKRB5-SA-2009-003 + KDC denial of service in cross-realm referral processing + +For further information about these advisories, please see +http://web.mit.edu/kerberos/advisories/ diff --git a/network/krb5/krb5.SlackBuild b/network/krb5/krb5.SlackBuild index 80d7d5a899..90515f8892 100644 --- a/network/krb5/krb5.SlackBuild +++ b/network/krb5/krb5.SlackBuild @@ -6,13 +6,13 @@ # All rights reserved. # # Redistribution and use in source and binary forms, with or without -# modification, are permitted provided that the following conditions +# modification, are permitted provided that the following conditions # are met: # * Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # * Redistributions in binary form must reproduce the above -# copyright notice, this list of conditions and the following -# disclaimer in the documentation and/or other materials +# copyright notice, this list of conditions and the following +# disclaimer in the documentation and/or other materials # provided with the distribution. # * Neither the name of Tom Canich nor the names of other contributors # may be used to endorse or promote products derived from this @@ -20,20 +20,20 @@ # # THIS SOFTWARE IS PROVIDED BY Tom Canich ''AS IS'' AND ANY # EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL Tom Canich BE LIABLE FOR +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL Tom Canich BE LIABLE FOR # ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE -# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER -# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE +# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER +# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. PRGNAM=krb5 -VERSION=${VERSION:-1.6.3} +VERSION=${VERSION:-1.7} ARCH=${ARCH:-i486} -BUILD=${BUILD:-1} +BUILD=${BUILD:-2} TAG=${TAG:-_SBo} CWD=$(pwd) @@ -62,10 +62,9 @@ rm -f $TMP/$PRGNAM-$VERSION.tar.gz{,.asc} tar xvf $CWD/$PRGNAM-$VERSION-signed.tar -C $TMP tar xvf $TMP/$PRGNAM-$VERSION.tar.gz cd $PRGNAM-$VERSION/src -patch -p0 -d .. < $CWD/patches/2008-001-patch.txt -patch -p0 -d .. < $CWD/patches/2008-002-patch.txt -patch -p0 -d .. < $CWD/patches/2009-001-patch.txt -patch -p0 -d .. < $CWD/patches/2009-002-patch.txt + +patch -p2 -i $CWD/patches/2009-003-patch.txt +patch -p1 -i $CWD/patches/2009-004-patch_1.7.txt CFLAGS="$SLKCFLAGS" \ CXXFLAGS="$SLKCFLAGS" \ @@ -111,4 +110,4 @@ mkdir -p $PKG/install cat $CWD/slack-desc > $PKG/install/slack-desc cd $PKG -/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.tgz +/sbin/makepkg -l y -c n $OUTPUT/$PRGNAM-$VERSION-$ARCH-$BUILD$TAG.${PKGTYPE:-tgz} diff --git a/network/krb5/krb5.info b/network/krb5/krb5.info index bace9977ec..30d96bb3c7 100644 --- a/network/krb5/krb5.info +++ b/network/krb5/krb5.info @@ -1,7 +1,10 @@ PRGNAM="krb5" -VERSION="1.6.3" +VERSION="1.7" HOMEPAGE="http://web.mit.edu/kerberos/" -DOWNLOAD="http://web.mit.edu/kerberos/dist/krb5/1.6/krb5-1.6.3-signed.tar" -MD5SUM="2dc1307686eb1c2bf1ab08ea805dad46" +DOWNLOAD="http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7-signed.tar" +MD5SUM="9f7b3402b4731a7fa543db193bf1b564" +DOWNLOAD_x86_64="" +MD5SUM_x86_64="" MAINTAINER="Tom Canich" EMAIL="tcanich@canich.net" +APPROVED="Erik Hanson" diff --git a/network/krb5/patches/2008-001-patch.txt b/network/krb5/patches/2008-001-patch.txt deleted file mode 100644 index b26b9fddcf..0000000000 --- a/network/krb5/patches/2008-001-patch.txt +++ /dev/null @@ -1,337 +0,0 @@ -Index: src/kdc/dispatch.c -=================================================================== ---- src/kdc/dispatch.c (revision 20192) -+++ src/kdc/dispatch.c (working copy) -@@ -1,7 +1,7 @@ - /* - * kdc/dispatch.c - * -- * Copyright 1990 by the Massachusetts Institute of Technology. -+ * Copyright 1990, 2007 by the Massachusetts Institute of Technology. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. -@@ -107,7 +107,7 @@ - retval = KRB5KRB_AP_ERR_MSG_TYPE; - #ifndef NOCACHE - /* put the response into the lookaside buffer */ -- if (!retval) -+ if (!retval && *response != NULL) - kdc_insert_lookaside(pkt, *response); - #endif - -Index: src/kdc/kerberos_v4.c -=================================================================== ---- src/kdc/kerberos_v4.c (revision 20192) -+++ src/kdc/kerberos_v4.c (working copy) -@@ -1,7 +1,7 @@ - /* - * kdc/kerberos_v4.c - * -- * Copyright 1985, 1986, 1987, 1988,1991 by the Massachusetts Institute -+ * Copyright 1985, 1986, 1987, 1988,1991,2007 by the Massachusetts Institute - * of Technology. - * All Rights Reserved. - * -@@ -87,11 +87,6 @@ - #define MSB_FIRST 0 /* 68000, IBM RT/PC */ - #define LSB_FIRST 1 /* Vax, PC8086 */ - --int f; -- --/* XXX several files in libkdb know about this */ --char *progname; -- - #ifndef BACKWARD_COMPAT - static Key_schedule master_key_schedule; - static C_Block master_key; -@@ -143,10 +138,8 @@ - #include "com_err.h" - #include "extern.h" /* to pick up master_princ */ - --static krb5_data *response; -- --void kerberos_v4 (struct sockaddr_in *, KTEXT); --void kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *); -+static krb5_data *kerberos_v4 (struct sockaddr_in *, KTEXT); -+static krb5_data *kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *); - static int set_tgtkey (char *, krb5_kvno, krb5_boolean); - - /* Attributes converted from V5 to V4 - internal representation */ -@@ -262,12 +255,12 @@ - (void) klog(L_KRB_PERR, "V4 request too long."); - return KRB5KRB_ERR_FIELD_TOOLONG; - } -+ memset( &v4_pkt, 0, sizeof(v4_pkt)); - v4_pkt.length = pkt->length; - v4_pkt.mbz = 0; - memcpy( v4_pkt.dat, pkt->data, pkt->length); - -- kerberos_v4( &client_sockaddr, &v4_pkt); -- *resp = response; -+ *resp = kerberos_v4( &client_sockaddr, &v4_pkt); - return(retval); - } - -@@ -300,19 +293,20 @@ - } - - static --int krb4_sendto(int s, const char *msg, int len, int flags, -- const struct sockaddr *to, int to_len) -+krb5_data *make_response(const char *msg, int len) - { -+ krb5_data *response; -+ - if ( !(response = (krb5_data *) malloc( sizeof *response))) { -- return ENOMEM; -+ return 0; - } - if ( !(response->data = (char *) malloc( len))) { - krb5_free_data(kdc_context, response); -- return ENOMEM; -+ return 0; - } - response->length = len; - memcpy( response->data, msg, len); -- return( 0); -+ return response; - } - static void - hang(void) -@@ -586,7 +580,7 @@ - *cp = 0; - } - --void -+static krb5_data * - kerberos_v4(struct sockaddr_in *client, KTEXT pkt) - { - static KTEXT_ST rpkt_st; -@@ -599,8 +593,8 @@ - KTEXT auth = &auth_st; - AUTH_DAT ad_st; - AUTH_DAT *ad = &ad_st; -+ krb5_data *response = 0; - -- - static struct in_addr client_host; - static int msg_byte_order; - static int swap_bytes; -@@ -637,8 +631,7 @@ - inet_ntoa(client_host)); - /* send an error reply */ - req_name_ptr = req_inst_ptr = req_realm_ptr = ""; -- kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); -- return; -+ return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); - } - - /* check packet version */ -@@ -648,8 +641,7 @@ - KRB_PROT_VERSION, req_version, 0); - /* send an error reply */ - req_name_ptr = req_inst_ptr = req_realm_ptr = ""; -- kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); -- return; -+ return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); - } - msg_byte_order = req_msg_type & 1; - -@@ -707,10 +699,10 @@ - - if ((i = check_princ(req_name_ptr, req_inst_ptr, 0, - &a_name_data, &k5key, 0, &ck5life))) { -- kerb_err_reply(client, pkt, i, "check_princ failed"); -+ response = kerb_err_reply(client, pkt, i, "check_princ failed"); - a_name_data.key_low = a_name_data.key_high = 0; - krb5_free_keyblock_contents(kdc_context, &k5key); -- return; -+ return response; - } - /* don't use k5key for client */ - krb5_free_keyblock_contents(kdc_context, &k5key); -@@ -722,11 +714,11 @@ - /* this does all the checking */ - if ((i = check_princ(service, instance, lifetime, - &s_name_data, &k5key, 1, &sk5life))) { -- kerb_err_reply(client, pkt, i, "check_princ failed"); -+ response = kerb_err_reply(client, pkt, i, "check_princ failed"); - a_name_data.key_high = a_name_data.key_low = 0; - s_name_data.key_high = s_name_data.key_low = 0; - krb5_free_keyblock_contents(kdc_context, &k5key); -- return; -+ return response; - } - /* Bound requested lifetime with service and user */ - v4req_end = krb_life_to_time(kerb_time.tv_sec, req_life); -@@ -797,8 +789,7 @@ - rpkt = create_auth_reply(req_name_ptr, req_inst_ptr, - req_realm_ptr, req_time_ws, 0, a_name_data.exp_date, - a_name_data.key_version, ciph); -- krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0, -- (struct sockaddr *) client, sizeof (struct sockaddr_in)); -+ response = make_response((char *) rpkt->dat, rpkt->length); - memset(&a_name_data, 0, sizeof(a_name_data)); - memset(&s_name_data, 0, sizeof(s_name_data)); - break; -@@ -824,9 +815,8 @@ - lt = klog(L_KRB_PERR, - "APPL request with realm length too long from %s", - inet_ntoa(client_host)); -- kerb_err_reply(client, pkt, RD_AP_INCON, -- "realm length too long"); -- return; -+ return kerb_err_reply(client, pkt, RD_AP_INCON, -+ "realm length too long"); - } - - auth->length += (int) *(pkt->dat + auth->length) + -@@ -835,9 +825,8 @@ - lt = klog(L_KRB_PERR, - "APPL request with funky tkt or req_id length from %s", - inet_ntoa(client_host)); -- kerb_err_reply(client, pkt, RD_AP_INCON, -- "funky tkt or req_id length"); -- return; -+ return kerb_err_reply(client, pkt, RD_AP_INCON, -+ "funky tkt or req_id length"); - } - - memcpy(auth->dat, pkt->dat, auth->length); -@@ -848,18 +837,16 @@ - if ((!allow_v4_crossrealm)&&strcmp(tktrlm, local_realm) != 0) { - lt = klog(L_ERR_UNK, - "Cross realm ticket from %s denied by policy,", tktrlm); -- kerb_err_reply(client, pkt, -- KERB_ERR_PRINCIPAL_UNKNOWN, lt); -- return; -+ return kerb_err_reply(client, pkt, -+ KERB_ERR_PRINCIPAL_UNKNOWN, lt); - } - if (set_tgtkey(tktrlm, kvno, 0)) { -- lt = klog(L_ERR_UNK, -+ lt = klog(L_ERR_UNK, - "FAILED set_tgtkey realm %s, kvno %d. Host: %s ", - tktrlm, kvno, inet_ntoa(client_host)); - /* no better error code */ -- kerb_err_reply(client, pkt, -- KERB_ERR_PRINCIPAL_UNKNOWN, lt); -- return; -+ return kerb_err_reply(client, pkt, -+ KERB_ERR_PRINCIPAL_UNKNOWN, lt); - } - kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr, - ad, 0); -@@ -869,9 +856,8 @@ - "FAILED 3des set_tgtkey realm %s, kvno %d. Host: %s ", - tktrlm, kvno, inet_ntoa(client_host)); - /* no better error code */ -- kerb_err_reply(client, pkt, -- KERB_ERR_PRINCIPAL_UNKNOWN, lt); -- return; -+ return kerb_err_reply(client, pkt, -+ KERB_ERR_PRINCIPAL_UNKNOWN, lt); - } - kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr, - ad, 0); -@@ -881,8 +867,7 @@ - klog(L_ERR_UNK, "FAILED krb_rd_req from %s: %s", - inet_ntoa(client_host), krb_get_err_text(kerno)); - req_name_ptr = req_inst_ptr = req_realm_ptr = ""; -- kerb_err_reply(client, pkt, kerno, "krb_rd_req failed"); -- return; -+ return kerb_err_reply(client, pkt, kerno, "krb_rd_req failed"); - } - ptr = (char *) pkt->dat + auth->length; - -@@ -904,22 +889,21 @@ - req_realm_ptr = ad->prealm; - - if (strcmp(ad->prealm, tktrlm)) { -- kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, -- "Can't hop realms"); -- return; -+ return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, -+ "Can't hop realms"); - } - if (!strcmp(service, "changepw")) { -- kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, -- "Can't authorize password changed based on TGT"); -- return; -+ return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, -+ "Can't authorize password changed based on TGT"); - } - kerno = check_princ(service, instance, req_life, - &s_name_data, &k5key, 1, &sk5life); - if (kerno) { -- kerb_err_reply(client, pkt, kerno, "check_princ failed"); -+ response = kerb_err_reply(client, pkt, kerno, -+ "check_princ failed"); - s_name_data.key_high = s_name_data.key_low = 0; - krb5_free_keyblock_contents(kdc_context, &k5key); -- return; -+ return response; - } - /* Bound requested lifetime with service and user */ - v4endtime = krb_life_to_time((KRB4_32)ad->time_sec, ad->life); -@@ -975,8 +959,7 @@ - rpkt = create_auth_reply(ad->pname, ad->pinst, - ad->prealm, time_ws, - 0, 0, 0, ciph); -- krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0, -- (struct sockaddr *) client, sizeof (struct sockaddr_in)); -+ response = make_response((char *) rpkt->dat, rpkt->length); - memset(&s_name_data, 0, sizeof(s_name_data)); - break; - } -@@ -1001,6 +984,7 @@ - break; - } - } -+ return response; - } - - -@@ -1010,7 +994,7 @@ - * client. - */ - --void -+static krb5_data * - kerb_err_reply(struct sockaddr_in *client, KTEXT pkt, long int err, char *string) - { - static KTEXT_ST e_pkt_st; -@@ -1021,9 +1005,7 @@ - strncat(e_msg, string, sizeof(e_msg) - 1 - 19); - cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr, - req_time_ws, err, e_msg); -- krb4_sendto(f, (char *) e_pkt->dat, e_pkt->length, 0, -- (struct sockaddr *) client, sizeof (struct sockaddr_in)); -- -+ return make_response((char *) e_pkt->dat, e_pkt->length); - } - - static int -Index: src/kdc/network.c -=================================================================== ---- src/kdc/network.c (revision 20192) -+++ src/kdc/network.c (working copy) -@@ -1,7 +1,7 @@ - /* - * kdc/network.c - * -- * Copyright 1990,2000 by the Massachusetts Institute of Technology. -+ * Copyright 1990,2000,2007 by the Massachusetts Institute of Technology. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. -@@ -747,6 +747,8 @@ - com_err(prog, retval, "while dispatching (udp)"); - return; - } -+ if (response == NULL) -+ return; - cc = sendto(port_fd, response->data, (socklen_t) response->length, 0, - (struct sockaddr *)&saddr, saddr_len); - if (cc == -1) { diff --git a/network/krb5/patches/2008-002-patch.txt b/network/krb5/patches/2008-002-patch.txt deleted file mode 100644 index b2bb46b651..0000000000 --- a/network/krb5/patches/2008-002-patch.txt +++ /dev/null @@ -1,72 +0,0 @@ ---- src/lib/rpc/svc.c (revision 1666) -+++ src/lib/rpc/svc.c (local) -@@ -109,15 +109,17 @@ - if (sock < FD_SETSIZE) { - xports[sock] = xprt; - FD_SET(sock, &svc_fdset); -+ if (sock > svc_maxfd) -+ svc_maxfd = sock; - } - #else - if (sock < NOFILE) { - xports[sock] = xprt; - svc_fds |= (1 << sock); -+ if (sock > svc_maxfd) -+ svc_maxfd = sock; - } - #endif /* def FD_SETSIZE */ -- if (sock > svc_maxfd) -- svc_maxfd = sock; - } - - /* - ---- src/lib/rpc/svc_tcp.c (revision 1666) -+++ src/lib/rpc/svc_tcp.c (local) -@@ -54,6 +54,14 @@ - extern errno; - */ - -+#ifndef FD_SETSIZE -+#ifdef NBBY -+#define NOFILE (sizeof(int) * NBBY) -+#else -+#define NOFILE (sizeof(int) * 8) -+#endif -+#endif -+ - /* - * Ops vector for TCP/IP based rpc service handle - */ -@@ -215,6 +223,19 @@ - register SVCXPRT *xprt; - register struct tcp_conn *cd; - -+#ifdef FD_SETSIZE -+ if (fd >= FD_SETSIZE) { -+ (void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n"); -+ xprt = NULL; -+ goto done; -+ } -+#else -+ if (fd >= NOFILE) { -+ (void) fprintf(stderr, "svc_tcp: makefd_xprt: fd too high\n"); -+ xprt = NULL; -+ goto done; -+ } -+#endif - xprt = (SVCXPRT *)mem_alloc(sizeof(SVCXPRT)); - if (xprt == (SVCXPRT *)NULL) { - (void) fprintf(stderr, "svc_tcp: makefd_xprt: out of memory\n"); -@@ -271,6 +292,10 @@ - * make a new transporter (re-uses xprt) - */ - xprt = makefd_xprt(sock, r->sendsize, r->recvsize); -+ if (xprt == NULL) { -+ close(sock); -+ return (FALSE); -+ } - xprt->xp_raddr = addr; - xprt->xp_addrlen = len; - xprt->xp_laddr = laddr; - diff --git a/network/krb5/patches/2009-001-patch.txt b/network/krb5/patches/2009-001-patch.txt deleted file mode 100644 index 7485169ae4..0000000000 --- a/network/krb5/patches/2009-001-patch.txt +++ /dev/null @@ -1,187 +0,0 @@ ---- src/lib/gssapi/spnego/spnego_mech.c -+++ src/lib/gssapi/spnego/spnego_mech.c -@@ -54,8 +54,8 @@ typedef const gss_OID_desc *gss_OID_const; - - /* der routines defined in libgss */ - extern unsigned int gssint_der_length_size(OM_uint32); --extern int gssint_get_der_length(unsigned char **, OM_uint32, OM_uint32*); --extern int gssint_put_der_length(OM_uint32, unsigned char **, OM_uint32); -+extern int gssint_get_der_length(unsigned char **, OM_uint32, unsigned int*); -+extern int gssint_put_der_length(OM_uint32, unsigned char **, unsigned int); - - - /* private routines for spnego_mechanism */ -@@ -1249,7 +1249,8 @@ spnego_gss_accept_sec_context(void *ct, - } - cleanup: - if (return_token != NO_TOKEN_SEND && return_token != CHECK_MIC) { -- tmpret = make_spnego_tokenTarg_msg(negState, sc->internal_mech, -+ tmpret = make_spnego_tokenTarg_msg(negState, -+ sc ? sc->internal_mech : GSS_C_NO_OID, - &mechtok_out, mic_out, - return_token, - output_token); -@@ -1802,22 +1803,16 @@ static gss_buffer_t - get_input_token(unsigned char **buff_in, unsigned int buff_length) - { - gss_buffer_t input_token; -- unsigned int bytes; -+ unsigned int len; - -- if (**buff_in != OCTET_STRING) -+ if (g_get_tag_and_length(buff_in, OCTET_STRING, buff_length, &len) < 0) - return (NULL); - -- (*buff_in)++; - input_token = (gss_buffer_t)malloc(sizeof (gss_buffer_desc)); -- - if (input_token == NULL) - return (NULL); - -- input_token->length = gssint_get_der_length(buff_in, buff_length, &bytes); -- if ((int)input_token->length == -1) { -- free(input_token); -- return (NULL); -- } -+ input_token->length = len; - input_token->value = malloc(input_token->length); - - if (input_token->value == NULL) { -@@ -1869,8 +1864,8 @@ get_mech_set(OM_uint32 *minor_status, unsigned char **buff_in, - { - gss_OID_set returned_mechSet; - OM_uint32 major_status; -- OM_uint32 length; -- OM_uint32 bytes; -+ int length; -+ unsigned int bytes; - OM_uint32 set_length; - unsigned char *start; - int i; -@@ -1882,22 +1877,25 @@ get_mech_set(OM_uint32 *minor_status, unsigned char **buff_in, - (*buff_in)++; - - length = gssint_get_der_length(buff_in, buff_length, &bytes); -+ if (length < 0 || buff_length - bytes < (unsigned int)length) -+ return NULL; - - major_status = gss_create_empty_oid_set(minor_status, - &returned_mechSet); - if (major_status != GSS_S_COMPLETE) - return (NULL); - -- for (set_length = 0, i = 0; set_length < length; i++) { -+ for (set_length = 0, i = 0; set_length < (unsigned int)length; i++) { - gss_OID_desc *temp = get_mech_oid(minor_status, buff_in, - buff_length - (*buff_in - start)); -- if (temp != NULL) { -- major_status = gss_add_oid_set_member(minor_status, -- temp, &returned_mechSet); -- if (major_status == GSS_S_COMPLETE) { -+ if (temp == NULL) -+ break; -+ -+ major_status = gss_add_oid_set_member(minor_status, -+ temp, &returned_mechSet); -+ if (major_status == GSS_S_COMPLETE) { - set_length += returned_mechSet->elements[i].length +2; - generic_gss_release_oid(minor_status, &temp); -- } - } - } - -@@ -2097,7 +2095,7 @@ get_negTokenResp(OM_uint32 *minor_status, - return GSS_S_DEFECTIVE_TOKEN; - if (*ptr++ == SEQUENCE) { - tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); -- if (tmplen < 0) -+ if (tmplen < 0 || REMAIN < (unsigned int)tmplen) - return GSS_S_DEFECTIVE_TOKEN; - } - if (REMAIN < 1) -@@ -2107,7 +2105,7 @@ get_negTokenResp(OM_uint32 *minor_status, - - if (tag == CONTEXT) { - tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); -- if (tmplen < 0) -+ if (tmplen < 0 || REMAIN < (unsigned int)tmplen) - return GSS_S_DEFECTIVE_TOKEN; - - if (g_get_tag_and_length(&ptr, ENUMERATED, -@@ -2128,7 +2126,7 @@ get_negTokenResp(OM_uint32 *minor_status, - } - if (tag == (CONTEXT | 0x01)) { - tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); -- if (tmplen < 0) -+ if (tmplen < 0 || REMAIN < (unsigned int)tmplen) - return GSS_S_DEFECTIVE_TOKEN; - - *supportedMech = get_mech_oid(minor_status, &ptr, REMAIN); -@@ -2142,7 +2140,7 @@ get_negTokenResp(OM_uint32 *minor_status, - } - if (tag == (CONTEXT | 0x02)) { - tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); -- if (tmplen < 0) -+ if (tmplen < 0 || REMAIN < (unsigned int)tmplen) - return GSS_S_DEFECTIVE_TOKEN; - - *responseToken = get_input_token(&ptr, REMAIN); -@@ -2156,7 +2154,7 @@ get_negTokenResp(OM_uint32 *minor_status, - } - if (tag == (CONTEXT | 0x03)) { - tmplen = gssint_get_der_length(&ptr, REMAIN, &bytes); -- if (tmplen < 0) -+ if (tmplen < 0 || REMAIN < (unsigned int)tmplen) - return GSS_S_DEFECTIVE_TOKEN; - - *mechListMIC = get_input_token(&ptr, REMAIN); -@@ -2464,6 +2462,8 @@ make_spnego_tokenTarg_msg(OM_uint32 status, gss_OID mech_wanted, - - if (outbuf == GSS_C_NO_BUFFER) - return (GSS_S_DEFECTIVE_TOKEN); -+ if (sendtoken == INIT_TOKEN_SEND && mech_wanted == GSS_C_NO_OID) -+ return (GSS_S_DEFECTIVE_TOKEN); - - outbuf->length = 0; - outbuf->value = NULL; -@@ -2715,7 +2715,7 @@ g_get_tag_and_length(unsigned char **buf, int tag, - &encoded_len); - if (tmplen < 0) { - ret = -1; -- } else if (tmplen > buflen - (ptr - *buf)) { -+ } else if ((unsigned int)tmplen > buflen - (ptr - *buf)) { - ret = -1; - } else - ret = 0; ---- src/lib/krb5/asn.1/asn1buf.c -+++ src/lib/krb5/asn.1/asn1buf.c -@@ -78,11 +78,11 @@ asn1_error_code asn1buf_wrap_data(asn1buf *buf, const krb5_data *code) - - asn1_error_code asn1buf_imbed(asn1buf *subbuf, const asn1buf *buf, const unsigned int length, const int indef) - { -+ if (buf->next > buf->bound + 1) return ASN1_OVERRUN; - subbuf->base = subbuf->next = buf->next; - if (!indef) { -+ if (length > (size_t)(buf->bound + 1 - buf->next)) return ASN1_OVERRUN; - subbuf->bound = subbuf->base + length - 1; -- if (subbuf->bound > buf->bound) -- return ASN1_OVERRUN; - } else /* constructed indefinite */ - subbuf->bound = buf->bound; - return 0; -@@ -200,6 +200,7 @@ asn1_error_code asn1buf_remove_octetstring(asn1buf *buf, const unsigned int len, - { - int i; - -+ if (buf->next > buf->bound + 1) return ASN1_OVERRUN; - if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN; - if (len == 0) { - *s = 0; -@@ -218,6 +219,7 @@ asn1_error_code asn1buf_remove_charstring(asn1buf *buf, const unsigned int len, - { - int i; - -+ if (buf->next > buf->bound + 1) return ASN1_OVERRUN; - if (len > buf->bound + 1 - buf->next) return ASN1_OVERRUN; - if (len == 0) { - *s = 0; diff --git a/network/krb5/patches/2009-002-patch.txt b/network/krb5/patches/2009-002-patch.txt deleted file mode 100644 index 49bf29f07c..0000000000 --- a/network/krb5/patches/2009-002-patch.txt +++ /dev/null @@ -1,35 +0,0 @@ ---- src/lib/krb5/asn.1/asn1_decode.c -+++ src/lib/krb5/asn.1/asn1_decode.c -@@ -231,6 +231,7 @@ asn1_error_code asn1_decode_generaltime(asn1buf *buf, time_t *val) - - if(length != 15) return ASN1_BAD_LENGTH; - retval = asn1buf_remove_charstring(buf,15,&s); -+ if (retval) return retval; - /* Time encoding: YYYYMMDDhhmmssZ */ - if(s[14] != 'Z') { - free(s); ---- src/tests/asn.1/krb5_decode_test.c -+++ src/tests/asn.1/krb5_decode_test.c -@@ -485,6 +485,22 @@ int main(argc, argv) - ktest_destroy_keyblock(&(ref.subkey)); - ref.seq_number = 0; - decode_run("ap_rep_enc_part","(optionals NULL)","7B 1C 30 1A A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40",decode_krb5_ap_rep_enc_part,ktest_equal_ap_rep_enc_part,krb5_free_ap_rep_enc_part); -+ -+ retval = krb5_data_hex_parse(&code, "7B 06 30 04 A0 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A1 05 02 03 01 E2 40"); -+ if (retval) { -+ com_err("krb5_decode_test", retval, "while parsing"); -+ exit(1); -+ } -+ retval = decode_krb5_ap_rep_enc_part(&code, &var); -+ if (retval != ASN1_OVERRUN) { -+ printf("ERROR: "); -+ } else { -+ printf("OK: "); -+ } -+ printf("ap_rep_enc_part(optionals NULL + expect ASN1_OVERRUN for inconsistent length of timestamp)\n"); -+ krb5_free_data_contents(test_context, &code); -+ krb5_free_ap_rep_enc_part(test_context, var); -+ - ktest_empty_ap_rep_enc_part(&ref); - } - diff --git a/network/krb5/patches/2009-003-patch.txt b/network/krb5/patches/2009-003-patch.txt new file mode 100644 index 0000000000..0319cd1c97 --- /dev/null +++ b/network/krb5/patches/2009-003-patch.txt @@ -0,0 +1,27 @@ +diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c +index 298e132..12180ff 100644 +--- a/src/kdc/do_tgs_req.c ++++ b/src/kdc/do_tgs_req.c +@@ -1158,7 +1158,7 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ) + free(temp_buf); + if (retval) { + /* no match found */ +- kdc_err(kdc_context, retval, 0); ++ kdc_err(kdc_context, retval, "unable to find realm of host"); + goto cleanup; + } + if (realms == 0) { +diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c +index efff818..ef3735a 100644 +--- a/src/lib/kadm5/logger.c ++++ b/src/lib/kadm5/logger.c +@@ -188,6 +188,9 @@ klog_com_err_proc(const char *whoami, long int code, const char *format, va_list + char *cp; + char *syslogp; + ++ if (whoami == NULL || format == NULL) ++ return; ++ + /* Make the header */ + snprintf(outbuf, sizeof(outbuf), "%s: ", whoami); + /* diff --git a/network/krb5/patches/2009-004-patch_1.7.txt b/network/krb5/patches/2009-004-patch_1.7.txt new file mode 100644 index 0000000000..df2edcade2 --- /dev/null +++ b/network/krb5/patches/2009-004-patch_1.7.txt @@ -0,0 +1,377 @@ +Index: src/lib/crypto/Makefile.in +=================================================================== +--- src/lib/crypto/Makefile.in (revision 23398) ++++ src/lib/crypto/Makefile.in (working copy) +@@ -18,6 +18,7 @@ + $(srcdir)/t_nfold.c \ + $(srcdir)/t_cf2.c \ + $(srcdir)/t_encrypt.c \ ++ $(srcdir)/t_short.c \ + $(srcdir)/t_prf.c \ + $(srcdir)/t_prng.c \ + $(srcdir)/t_hmac.c \ +@@ -206,7 +207,7 @@ + + clean-unix:: clean-liblinks clean-libs clean-libobjs + +-check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_cf2 ++check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_cf2 t_short + $(RUN_SETUP) $(VALGRIND) ./t_nfold + $(RUN_SETUP) $(VALGRIND) ./t_encrypt + $(RUN_SETUP) $(VALGRIND) ./t_prng <$(srcdir)/t_prng.seed >t_prng.output && \ +@@ -216,6 +217,7 @@ + diff t_prf.output $(srcdir)/t_prf.expected + $(RUN_SETUP) $(VALGRIND) ./t_cf2 <$(srcdir)/t_cf2.in >t_cf2.output + diff t_cf2.output $(srcdir)/t_cf2.expected ++ $(RUN_SETUP) $(VALGRIND) ./t_short + + + # $(RUN_SETUP) $(VALGRIND) ./t_pkcs5 +@@ -249,10 +251,15 @@ + $(CC_LINK) -o $@ t_cts.$(OBJEXT) \ + $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) + ++t_short$(EXEEXT): t_short.$(OBJEXT) $(CRYPTO_DEPLIB) $(SUPPORT_DEPLIB) ++ $(CC_LINK) -o $@ t_short.$(OBJEXT) \ ++ $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) + ++ + clean:: + $(RM) t_nfold.o t_nfold t_encrypt t_encrypt.o t_prng.o t_prng \ +- t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o t_cf2 t_cf2.o ++ t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o \ ++ t_cf2 t_cf2.o t_short t_short.o + -$(RM) t_prng.output + + all-windows:: +Index: src/lib/crypto/arcfour/arcfour.c +=================================================================== +--- src/lib/crypto/arcfour/arcfour.c (revision 23398) ++++ src/lib/crypto/arcfour/arcfour.c (working copy) +@@ -199,6 +199,12 @@ + keylength = enc->keylength; + hashsize = hash->hashsize; + ++ /* Verify input and output lengths. */ ++ if (input->length < hashsize + CONFOUNDERLENGTH) ++ return KRB5_BAD_MSIZE; ++ if (output->length < input->length - hashsize - CONFOUNDERLENGTH) ++ return KRB5_BAD_MSIZE; ++ + d1.length=keybytes; + d1.data=malloc(d1.length); + if (d1.data == NULL) +Index: src/lib/crypto/enc_provider/aes.c +=================================================================== +--- src/lib/crypto/enc_provider/aes.c (revision 23398) ++++ src/lib/crypto/enc_provider/aes.c (working copy) +@@ -105,9 +105,11 @@ + nblocks = (input->length + BLOCK_SIZE - 1) / BLOCK_SIZE; + + if (nblocks == 1) { +- /* XXX Used for DK function. */ ++ /* Used when deriving keys. */ ++ if (input->length < BLOCK_SIZE) ++ return KRB5_BAD_MSIZE; + enc(output->data, input->data, &ctx); +- } else { ++ } else if (nblocks > 1) { + unsigned int nleft; + + for (blockno = 0; blockno < nblocks - 2; blockno++) { +@@ -160,9 +162,9 @@ + + if (nblocks == 1) { + if (input->length < BLOCK_SIZE) +- abort(); ++ return KRB5_BAD_MSIZE; + dec(output->data, input->data, &ctx); +- } else { ++ } else if (nblocks > 1) { + + for (blockno = 0; blockno < nblocks - 2; blockno++) { + dec(tmp2, input->data + blockno * BLOCK_SIZE, &ctx); +@@ -208,6 +210,7 @@ + char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE]; + int nblocks = 0, blockno; + size_t input_length, i; ++ struct iov_block_state input_pos, output_pos; + + if (aes_enc_key(key->contents, key->length, &ctx) != aes_good) + abort(); +@@ -224,18 +227,20 @@ + input_length += iov->data.length; + } + ++ IOV_BLOCK_STATE_INIT(&input_pos); ++ IOV_BLOCK_STATE_INIT(&output_pos); ++ + nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE; +- +- assert(nblocks > 1); +- +- { ++ if (nblocks == 1) { ++ krb5int_c_iov_get_block((unsigned char *)tmp, BLOCK_SIZE, ++ data, num_data, &input_pos); ++ enc(tmp2, tmp, &ctx); ++ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2, ++ BLOCK_SIZE, &output_pos); ++ } else if (nblocks > 1) { + char blockN2[BLOCK_SIZE]; /* second last */ + char blockN1[BLOCK_SIZE]; /* last block */ +- struct iov_block_state input_pos, output_pos; + +- IOV_BLOCK_STATE_INIT(&input_pos); +- IOV_BLOCK_STATE_INIT(&output_pos); +- + for (blockno = 0; blockno < nblocks - 2; blockno++) { + char blockN[BLOCK_SIZE]; + +@@ -288,6 +293,7 @@ + char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE]; + int nblocks = 0, blockno, i; + size_t input_length; ++ struct iov_block_state input_pos, output_pos; + + CHECK_SIZES; + +@@ -306,18 +312,20 @@ + input_length += iov->data.length; + } + ++ IOV_BLOCK_STATE_INIT(&input_pos); ++ IOV_BLOCK_STATE_INIT(&output_pos); ++ + nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE; +- +- assert(nblocks > 1); +- +- { ++ if (nblocks == 1) { ++ krb5int_c_iov_get_block((unsigned char *)tmp, BLOCK_SIZE, ++ data, num_data, &input_pos); ++ dec(tmp2, tmp, &ctx); ++ krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2, ++ BLOCK_SIZE, &output_pos); ++ } else if (nblocks > 1) { + char blockN2[BLOCK_SIZE]; /* second last */ + char blockN1[BLOCK_SIZE]; /* last block */ +- struct iov_block_state input_pos, output_pos; + +- IOV_BLOCK_STATE_INIT(&input_pos); +- IOV_BLOCK_STATE_INIT(&output_pos); +- + for (blockno = 0; blockno < nblocks - 2; blockno++) { + char blockN[BLOCK_SIZE]; + +Index: src/lib/crypto/dk/dk_aead.c +=================================================================== +--- src/lib/crypto/dk/dk_aead.c (revision 23398) ++++ src/lib/crypto/dk/dk_aead.c (working copy) +@@ -248,7 +248,7 @@ + for (i = 0; i < num_data; i++) { + const krb5_crypto_iov *iov = &data[i]; + +- if (ENCRYPT_DATA_IOV(iov)) ++ if (ENCRYPT_IOV(iov)) + cipherlen += iov->data.length; + } + +Index: src/lib/crypto/dk/dk_decrypt.c +=================================================================== +--- src/lib/crypto/dk/dk_decrypt.c (revision 23398) ++++ src/lib/crypto/dk/dk_decrypt.c (working copy) +@@ -89,6 +89,12 @@ + else if (hmacsize > hashsize) + return KRB5KRB_AP_ERR_BAD_INTEGRITY; + ++ /* Verify input and output lengths. */ ++ if (input->length < blocksize + hmacsize) ++ return KRB5_BAD_MSIZE; ++ if (output->length < input->length - blocksize - hmacsize) ++ return KRB5_BAD_MSIZE; ++ + enclen = input->length - hmacsize; + + if ((kedata = (unsigned char *) malloc(keylength)) == NULL) +Index: src/lib/crypto/raw/raw_decrypt.c +=================================================================== +--- src/lib/crypto/raw/raw_decrypt.c (revision 23398) ++++ src/lib/crypto/raw/raw_decrypt.c (working copy) +@@ -34,5 +34,7 @@ + const krb5_data *ivec, const krb5_data *input, + krb5_data *output) + { ++ if (output->length < input->length) ++ return KRB5_BAD_MSIZE; + return((*(enc->decrypt))(key, ivec, input, output)); + } +Index: src/lib/crypto/deps +=================================================================== +--- src/lib/crypto/deps (revision 23398) ++++ src/lib/crypto/deps (working copy) +@@ -463,6 +463,16 @@ + $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ + $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ + $(SRCTOP)/include/socket-utils.h etypes.h t_encrypt.c ++t_short.so t_short.po $(OUTPRE)t_short.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ ++ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ ++ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ ++ $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ ++ $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ ++ $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ ++ $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ ++ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ ++ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ ++ t_short.c + t_prf.so t_prf.po $(OUTPRE)t_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ +Index: src/lib/crypto/t_short.c +=================================================================== +--- src/lib/crypto/t_short.c (revision 0) ++++ src/lib/crypto/t_short.c (revision 0) +@@ -0,0 +1,126 @@ ++/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ ++/* ++ * lib/crypto/crypto_tests/t_short.c ++ * ++ * Copyright (C) 2009 by the Massachusetts Institute of Technology. ++ * All rights reserved. ++ * ++ * Export of this software from the United States of America may ++ * require a specific license from the United States Government. ++ * It is the responsibility of any person or organization contemplating ++ * export to obtain such a license before exporting. ++ * ++ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and ++ * distribute this software and its documentation for any purpose and ++ * without fee is hereby granted, provided that the above copyright ++ * notice appear in all copies and that both that copyright notice and ++ * this permission notice appear in supporting documentation, and that ++ * the name of M.I.T. not be used in advertising or publicity pertaining ++ * to distribution of the software without specific, written prior ++ * permission. Furthermore if you modify this software you must label ++ * your software as modified software and not distribute it in such a ++ * fashion that it might be confused with the original M.I.T. software. ++ * M.I.T. makes no representations about the suitability of ++ * this software for any purpose. It is provided "as is" without express ++ * or implied warranty. ++ * ++ * Tests the outcome of decrypting overly short tokens. This program can be ++ * run under a tool like valgrind to detect bad memory accesses; when run ++ * normally by the test suite, it verifies that each operation returns ++ * KRB5_BAD_MSIZE. ++ */ ++ ++#include "k5-int.h" ++ ++krb5_enctype interesting_enctypes[] = { ++ ENCTYPE_DES_CBC_CRC, ++ ENCTYPE_DES_CBC_MD4, ++ ENCTYPE_DES_CBC_MD5, ++ ENCTYPE_DES3_CBC_SHA1, ++ ENCTYPE_ARCFOUR_HMAC, ++ ENCTYPE_ARCFOUR_HMAC_EXP, ++ ENCTYPE_AES256_CTS_HMAC_SHA1_96, ++ ENCTYPE_AES128_CTS_HMAC_SHA1_96, ++ 0 ++}; ++ ++/* Abort if an operation unexpectedly fails. */ ++static void ++x(krb5_error_code code) ++{ ++ if (code != 0) ++ abort(); ++} ++ ++/* Abort if a decrypt operation doesn't have the expected result. */ ++static void ++check_decrypt_result(krb5_error_code code, size_t len, size_t min_len) ++{ ++ if (len < min_len) { ++ /* Undersized tokens should always result in BAD_MSIZE. */ ++ if (code != KRB5_BAD_MSIZE) ++ abort(); ++ } else { ++ /* Min-size tokens should succeed or fail the integrity check. */ ++ if (code != 0 && code != KRB5KRB_AP_ERR_BAD_INTEGRITY) ++ abort(); ++ } ++} ++ ++static void ++test_enctype(krb5_enctype enctype) ++{ ++ krb5_error_code ret; ++ krb5_keyblock keyblock; ++ krb5_enc_data input; ++ krb5_data output; ++ krb5_crypto_iov iov[2]; ++ unsigned int dummy; ++ size_t min_len, len; ++ ++ printf("Testing enctype %d\n", (int) enctype); ++ x(krb5_c_encrypt_length(NULL, enctype, 0, &min_len)); ++ x(krb5_c_make_random_key(NULL, enctype, &keyblock)); ++ input.enctype = enctype; ++ ++ /* Try each length up to the minimum length. */ ++ for (len = 0; len <= min_len; len++) { ++ input.ciphertext.data = calloc(len, 1); ++ input.ciphertext.length = len; ++ output.data = calloc(len, 1); ++ output.length = len; ++ ++ /* Attempt a normal decryption. */ ++ ret = krb5_c_decrypt(NULL, &keyblock, 0, NULL, &input, &output); ++ check_decrypt_result(ret, len, min_len); ++ ++ if (krb5_c_crypto_length(NULL, enctype, KRB5_CRYPTO_TYPE_HEADER, ++ &dummy) == 0) { ++ /* Attempt an IOV stream decryption. */ ++ iov[0].flags = KRB5_CRYPTO_TYPE_STREAM; ++ iov[0].data = input.ciphertext; ++ iov[1].flags = KRB5_CRYPTO_TYPE_DATA; ++ iov[1].data.data = NULL; ++ iov[1].data.length = 0; ++ ret = krb5_c_decrypt_iov(NULL, &keyblock, 0, NULL, iov, 2); ++ check_decrypt_result(ret, len, min_len); ++ } ++ ++ free(input.ciphertext.data); ++ free(output.data); ++ } ++} ++ ++int ++main(int argc, char **argv) ++{ ++ int i; ++ krb5_data notrandom; ++ ++ notrandom.data = "notrandom"; ++ notrandom.length = 9; ++ krb5_c_random_seed(NULL, ¬random); ++ for (i = 0; interesting_enctypes[i]; i++) ++ test_enctype(interesting_enctypes[i]); ++ return 0; ++} +Index: src/lib/crypto/old/old_decrypt.c +=================================================================== +--- src/lib/crypto/old/old_decrypt.c (revision 23398) ++++ src/lib/crypto/old/old_decrypt.c (working copy) +@@ -45,8 +45,10 @@ + blocksize = enc->block_size; + hashsize = hash->hashsize; + ++ /* Verify input and output lengths. */ ++ if (input->length < blocksize + hashsize || input->length % blocksize != 0) ++ return(KRB5_BAD_MSIZE); + plainsize = input->length - blocksize - hashsize; +- + if (arg_output->length < plainsize) + return(KRB5_BAD_MSIZE); + |