[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

[SRM] update request for krb5 for significant interop and security issues




Hi.
I'd like permission to upload the following patch to  s-p-u.
I've coordinated with the security team for the security issues and our
mutual agreement is that they should be addressed in a point release.

diff --git a/debian/changelog b/debian/changelog
index 27673a6..13cea43 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,19 @@
+krb5 (1.8.3+dfsg-4squeeze1) stable; urgency=low
+
+  * Fix double free with pkinit on KDC, CVE-2011-0284, Closes: #618517
+  * Updated Danish debconf translations, thanks  Joe Dalton, Closes:
+    #584282
+  * KDC/LDAP DOS    (CVE-2010-4022, CVE-2011-0281, and CVE-2011-0282,
+    Closes: #613487
+  * Fix delegation of credentials against Windows servers; significant
+    interoperability issue, Closes: #611906
+  * Set nt-srv-inst on TGS names to work against W2K8R2 KDCs, Closes:
+    #616429
+  * Don't fail authentication when PAC verification fails; support hmac-
+    md5 checksums even for non-RC4 keys, Closes: #616728
+
+ -- Sam Hartman <hartmans@debian.org>  Wed, 16 Mar 2011 11:52:06 -0400
+
 krb5 (1.8.3+dfsg-4) unstable; urgency=medium
 
   * Ignore PACs without a server signature generated by OS X Open
diff --git a/debian/po/da.po b/debian/po/da.po
index 11c207a..1a66e29 100644
--- a/debian/po/da.po
+++ b/debian/po/da.po
@@ -1,33 +1,26 @@
-#
-#    Translators, if you are not familiar with the PO format, gettext
-#    documentation is worth reading, especially sections dedicated to
-#    this format, e.g. by running:
-#         info -n '(gettext)PO Files'
-#         info -n '(gettext)Header Entry'
-#    Some information specific to po-debconf are available at
-#            /usr/share/doc/po-debconf/README-trans
-#         or http://www.debian.org/intl/l10n/po-debconf/README-trans#
-#    Developers do not need to manually edit POT or PO files.
-#
+# Dansih translation krb5.
+# Copyright (C) 2010 krb5 & nedenstående oversættere.
+# This file is distributed under the same license as the krb5 package.
 # Claus Hindsgaul <claus_h@image.dk>, 2006.
+# Joe Hansen <joedalton2@yahoo.dk>, 2010.
+#
 msgid ""
 msgstr ""
 "Project-Id-Version: krb5\n"
 "Report-Msgid-Bugs-To: krb5@packages.debian.org\n"
 "POT-Creation-Date: 2009-02-21 13:55-0500\n"
-"PO-Revision-Date: 2006-01-26 21:55+0100\n"
-"Last-Translator: Claus Hindsgaul <claus_h@image.dk>\n"
-"Language-Team: Danish <dansk@klid.dk>\n"
+"PO-Revision-Date: 2010-06-02 17:30+01:00\n"
+"Last-Translator: Joe Hansen <joedalton2@yahoo.dk>\n"
+"Language-Team: Danish <debian-l10n-danish@lists.debian.org> \n"
 "MIME-Version: 1.0\n"
-"Content-Type: text/plain; charset=ISO-8859-1\n"
+"Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"X-Generator: KBabel 1.11.1\n"
 
 #. Type: note
 #. Description
 #: ../krb5-admin-server.templates:2001
 msgid "Setting up a Kerberos Realm"
-msgstr "Sætter et Kerberos-rige op"
+msgstr "Sætter et Kerberos-rige op"
 
 #. Type: note
 #. Description
@@ -36,6 +29,8 @@ msgid ""
 "This package contains the administrative tools required to run the Kerberos "
 "master server."
 msgstr ""
+"Denne pakke indeholder de administrative værktøjer krævet til at køre "
+"Kerberos' masterserver."
 
 #. Type: note
 #. Description
@@ -44,6 +39,9 @@ msgid ""
 "However, installing this package does not automatically set up a Kerberos "
 "realm.  This can be done later by running the \"krb5_newrealm\" command."
 msgstr ""
+"Installation af denne pakke medfører dog ikke automatisk, at et "
+"Kerberos-rige bliver sat op. Dette kan gøres senere ved at køre kommandoen "
+"»krb5_newrealm«."
 
 #. Type: note
 #. Description
@@ -52,13 +50,14 @@ msgid ""
 "Please also read the /usr/share/doc/krb5-kdc/README.KDC file and the "
 "administration guide found in the krb5-doc package."
 msgstr ""
+"Læs venligst også filen /usr/share/doc/krb5-kdc/README.KDC og "
+"administrationsvejledningen, der kan ses i pakken krb5-doc."
 
 #. Type: boolean
 #. Description
 #: ../krb5-admin-server.templates:3001
-#, fuzzy
 msgid "Run the Kerberos V5 administration daemon (kadmind)?"
-msgstr "Skal Kerberos5-administrationsdæmonen (kadmind) køres?"
+msgstr "Skal administrationsdæmonen Kerberos5 (kadmind) køres?"
 
 #. Type: boolean
 #. Description
@@ -67,6 +66,8 @@ msgid ""
 "Kadmind serves requests to add/modify/remove principals in the Kerberos "
 "database."
 msgstr ""
+"Kadmindservere anmoder om at tilføje/ændre/fjerne vigtige ting i "
+"kerberosdatabasen."
 
 #. Type: boolean
 #. Description
@@ -75,13 +76,14 @@ msgid ""
 "It is required by the kpasswd program, used to change passwords.  With "
 "standard setups, this daemon should run on the master KDC."
 msgstr ""
+"Den er krævet af kpasswd-programmet, brugt til at ændre adgangskoder. "
+"Med standardopsætning, skal denne dæmon køre på master-KDC'en."
 
 #. Type: boolean
 #. Description
 #: ../krb5-kdc.templates:2001
-#, fuzzy
 msgid "Create the Kerberos KDC configuration automatically?"
-msgstr "Opret Kerberos KDC-opsætning med debconf?"
+msgstr "Opret automatisk Kerberos KDC-konfigurationen?"
 
 #. Type: boolean
 #. Description
@@ -90,6 +92,8 @@ msgid ""
 "The Kerberos Key Distribution Center (KDC) configuration files, in /etc/"
 "krb5kdc, may be created automatically."
 msgstr ""
+"Konfigurationsfilerne for Kerberos Key Distribution Center (KDC) i /etc/"
+"krb5kdc, kan oprettes automatisk."
 
 #. Type: boolean
 #. Description
@@ -98,6 +102,8 @@ msgid ""
 "By default, an example template will be copied into this directory with "
 "local parameters filled in."
 msgstr ""
+"Som standard vil en eksempelskabelon blive kopieret ind i denne mappe med "
+"lokale parametre udfyldt."
 
 #. Type: boolean
 #. Description
@@ -106,28 +112,27 @@ msgid ""
 "Administrators who already have infrastructure to manage their Kerberos "
 "configuration may wish to disable these automatic configuration changes."
 msgstr ""
+"Administratorer, som allerede har infrastruktur til håndtering af deres "
+"Kerberoskonfiguration, vil måske ønske at deaktivere disse automatiske "
+"konfigurationsændringer."
 
 #. Type: boolean
 #. Description
 #: ../krb5-kdc.templates:3001
 msgid "Should the KDC database be deleted?"
-msgstr ""
+msgstr "Skal KDC-databasen slettes?"
 
 #. Type: boolean
 #. Description
 #: ../krb5-kdc.templates:3001
-#, fuzzy
 msgid ""
 "By default, removing this package will not delete the KDC database in /var/"
 "lib/krb5kdc/principal since this database cannot be recovered once it is "
 "deleted."
 msgstr ""
 "Som udgangspunkt vil KDC-databasen i /var/lib/krb5kdc/principal ikke blive "
-"slettet, når pakken afinstalleres, da denne database ikke kan genskabes, når "
-"den er slettet. Hvis du ønsker at slette din KDC-database, når denne pakke "
-"afinstalleres, vel vidende at  det betyder at alle dine brugerkonti og "
-"adgangskoder i KDC'en dermed bliver slettet ved afinstallation, skal du "
-"aktivere denne indstilling."
+"slettet, når pakken afinstalleres, da denne database ikke kan genskabes, når "
+"den er slettet."
 
 #. Type: boolean
 #. Description
@@ -136,94 +141,6 @@ msgid ""
 "Choose this option if you wish to delete the KDC database now, deleting all "
 "of the user accounts and passwords in the KDC."
 msgstr ""
+"Vælg denne indstilling hvis du ønsker at slette KDC-databasen nu, dermed "
+"slettes alle brugerkonti og adgangskoder i KDC'en."
 
-#, fuzzy
-#~ msgid "Kerberos V4 compatibility mode to use:"
-#~ msgstr "Kerberos4-kompatibilitetstilstand, der skal benyttes:"
-
-#, fuzzy
-#~ msgid ""
-#~ "By default, Kerberos V4 requests are allowed from principals that do not "
-#~ "require preauthentication (\"nopreauth\").  This allows Kerberos V4 "
-#~ "services to exist while requiring most users to use Kerberos V5 clients "
-#~ "to get their initial tickets.  These tickets can then be converted to "
-#~ "Kerberos V4 tickets."
-#~ msgstr ""
-#~ "Som udgangspunkt tillades Kerberos4-forespørgsler fra elementer, der ikke "
-#~ "kræver præ-autentifikation. Det vil gøre det muligt at bevare Kerberos4-"
-#~ "services, mens de fleste brugere tvinges til at bruge Kerberos5-klienter "
-#~ "til at opnå deres første billetter. Disse billetter kan derefter omsættes "
-#~ "til Kerberos4-billeter. Alternativt kan man vælge fuld tilstand, som "
-#~ "tillader Kerberos4 at få de første billetter, selvom præautentifikation "
-#~ "normalt ville have været påkrævet, eller vælge at deaktivere, hvilket vil "
-#~ "deaktivere al understøttelse af Kerberos4."
-
-#~ msgid "Should the data be purged as well as the package files?"
-#~ msgstr "Skal data slettes, når pakkens afinstalleres?"
-
-#~ msgid ""
-#~ "This package contains the administrative tools necessary to run on the "
-#~ "Kerberos master server.  However, installing this package does not "
-#~ "automatically set up a Kerberos realm.  Doing so requires entering "
-#~ "passwords and as such is not well-suited for package installation.  To "
-#~ "create the realm, run the krb5_newrealm command. You may also wish to "
-#~ "read /usr/share/doc/krb5-kdc/README.KDC and the administration guide "
-#~ "found in the krb5-doc package."
-#~ msgstr ""
-#~ "Denne pakke indeholder de nødvendige administrationsværktøjer til kørsel "
-#~ "på Kerberos-hovedserveren. Installationen af denne pakke sætter dog ikke "
-#~ "automatisk et Kerberos-rige ('realm') op. Det kræver indtastning af "
-#~ "adgangskoder, hvilket ikke egner sig til pakkeinstallationen. For at "
-#~ "oprette riget, skal du udføre kommandoen krb5_newrealm. Du kan også læse /"
-#~ "usr/share/doc/krb5-kdc/README.KDC og administrationsguiden i pakken krb5-"
-#~ "doc."
-
-#~ msgid ""
-#~ "Don't forget to set up DNS information so your clients can find your KDC "
-#~ "and admin servers.  Doing so is documented in the administration guide."
-#~ msgstr ""
-#~ "Glem ikke at sætte DNS-oplysningerne op, så dine klienter kan finde dine "
-#~ "KDC- og admin-servere. Fremgangsmåden er dokumenteret i "
-#~ "administrationsguiden."
-
-#~ msgid ""
-#~ "Kadmind serves requests to add/modify/remove principals in the Kerberos "
-#~ "database.  It also must be running for the kpasswd program to be used to "
-#~ "change passwords.  Normally, this daemon runs on the master KDC."
-#~ msgstr ""
-#~ "Kadmind håndterer forespørgsler om at tilføje/ændre/fjerne elementer i "
-#~ "Kerberos-databasen. Den skal køre for at kpasswd-programmet kan benyttes "
-#~ "til at ændre adgangskoder. Normalt kører denne dæmon på hoved-KDC'en."
-
-#~ msgid ""
-#~ "Many sites will wish to have this script automatically create Kerberos "
-#~ "KDC configuration files in /etc/krb5kdc.  By default an example template "
-#~ "will be copied into this directory with local parameters filled in.  Some "
-#~ "sites who already have infrastructure to manage their own Kerberos "
-#~ "configuration will wish to disable any automatic configuration changes."
-#~ msgstr ""
-#~ "Mange vil vælge at lade dette script oprette Kerberos KDC-opsætningsfiler "
-#~ "i /etc/krb5kdc automatisk. Som udgangspunkt vil en eksempel-skabelon "
-#~ "blive kopieret til denne mappe med lokale paremetre udfyldt på forhånd. "
-#~ "Dem, der allerede har infrastruktur til at håndtere deres egen Kerberos-"
-#~ "opsætning, kan vælge at deaktivere alle automatiske ænderinger i "
-#~ "opsætningen."
-
-#~ msgid "disable, full, nopreauth, none"
-#~ msgstr "deaktivér, fuld, ejpræaut, ingen"
-
-#~ msgid "Run a krb524d?"
-#~ msgstr "Kør en krb524d?"
-
-#~ msgid ""
-#~ "Krb524d is a daemon that converts Kerberos5 tickets into Kerberos4 "
-#~ "tickets for the krb524init program.  If you have Kerberos4 enabled at "
-#~ "all, then you probably want to run this program.  Especially when "
-#~ "Kerberos4 compatibility is set to nopreauth, krb524d is important if you "
-#~ "have any Kerberos4 services."
-#~ msgstr ""
-#~ "Krb524d er en dæmon, der omsætter Kerberos5-billetter til Kerberos4-"
-#~ "billetter til programmet krb524init. Hvis du overhovedet har aktiveret "
-#~ "Kerberos4, skal du sikkert køre dette program. krb524d er især vigtig, "
-#~ "hvis Kerberos4-kompatibiliteten er sat til ejpræaut, og du har Kerberos4-"
-#~ "services kørende."
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 3924297..4eb752c 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -784,6 +784,8 @@ prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
                     pad->contents = td[size]->data;
                     pad->length = td[size]->length;
                     pa[size] = pad;
+                    td[size]->data = NULL;
+                    td[size]->length = 0;
                 }
             krb5_free_typed_data(kdc_context, td);
         }
diff --git a/src/lib/crypto/krb/checksum/hmac_md5.c b/src/lib/crypto/krb/checksum/hmac_md5.c
index 4812907..784b746 100644
--- a/src/lib/crypto/krb/checksum/hmac_md5.c
+++ b/src/lib/crypto/krb/checksum/hmac_md5.c
@@ -52,7 +52,7 @@ krb5_error_code krb5int_hmacmd5_checksum(const struct krb5_cksumtypes *ctp,
         return KRB5_BAD_ENCTYPE;
     if (ctp->ctype == CKSUMTYPE_HMAC_MD5_ARCFOUR) {
 	/* Compute HMAC(key, "signaturekey\0") to get the signing key ks. */
-	ret = alloc_data(&ds, key->keyblock.length);
+        ret = alloc_data(&ds, ctp->hash->hashsize);
 	if (ret != 0)
 	    goto cleanup;
 
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index e3358b8..8b6ba20 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -234,9 +234,7 @@ struct gss_checksum_data {
     krb5_data checksum_data;
 };
 
-#ifdef CFX_EXERCISE
 #include "../../krb5/krb/auth_con.h"
-#endif
 static krb5_error_code KRB5_CALLCONV
 make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
                    void *cksum_data, krb5_data **out)
@@ -247,6 +245,7 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
     struct gss_checksum_data *data = cksum_data;
     krb5_data credmsg;
     unsigned int junk;
+    krb5_key send_subkey;
 
     data->checksum_data.data = 0;
     credmsg.data = 0;
@@ -262,13 +261,22 @@ make_gss_checksum (krb5_context context, krb5_auth_context auth_context,
 
         assert(data->cred->name != NULL);
 
+        /*
+         * RFC 4121 4.1.1 specifies forwarded credentials must be encrypted in
+         * the session key, but krb5_fwd_tgt_creds will use the send subkey if
+         * it's set in the auth context.  Null out the send subkey temporarily.
+         */
+        send_subkey = auth_context->send_subkey;
+        auth_context->send_subkey = NULL;
+
         code = krb5_fwd_tgt_creds(context, auth_context, 0,
                                   data->cred->name->princ, data->ctx->there->princ,
                                   data->cred->ccache, 1,
                                   &credmsg);
 
-        /* turn KRB5_AUTH_CONTEXT_DO_TIME back on */
+        /* Turn KRB5_AUTH_CONTEXT_DO_TIME back on and reset the send subkey. */
         krb5_auth_con_setflags(context, auth_context, con_flags);
+        auth_context->send_subkey = send_subkey;
 
         if (code) {
             /* don't fail here; just don't accept/do the delegation
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index e46e7ac..15619a8 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -1023,8 +1023,19 @@ build_in_tkt_name(krb5_context context,
                                        client->realm.length,
                                        client->realm.data,
                                        0);
+        if (ret)
+            return ret;
     }
-    return ret;
+    /*
+     * Windows Server 2008 R2 RODC insists on TGS principal names having the
+     * right name type.
+     */
+    if (krb5_princ_size(context, *server) == 2 &&
+        data_eq_string(*krb5_princ_component(context, *server, 0),
+                       KRB5_TGS_NAME)) {
+        krb5_princ_type(context, *server) = KRB5_NT_SRV_INST;
+    }
+    return 0;
 }
 
 void KRB5_CALLCONV
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 50b2969..d89c380 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -684,16 +684,8 @@ krb5_pac_verify(krb5_context context,
         return EINVAL;
 
     ret = k5_pac_verify_server_checksum(context, pac, server);
-    if (ret == ENOENT) {
-        /*
-         * Apple Mac OS X Server Open Directory KDC (at least 10.6)
-         * appears to provide a PAC that lacks a server checksum.
-         */
-        pac->verified = FALSE;
-        return ret;
-    } else if (ret != 0) {
+    if (ret != 0)
         return ret;
-    }
 
     if (privsvr != NULL) {
         ret = k5_pac_verify_kdc_checksum(context, pac, privsvr);
@@ -1095,35 +1087,18 @@ mspac_verify(krb5_context kcontext,
     if (pacctx->pac == NULL)
         return EINVAL;
 
-    code = krb5_pac_verify(kcontext,
-                           pacctx->pac,
+    code = krb5_pac_verify(kcontext, pacctx->pac,
                            req->ticket->enc_part2->times.authtime,
-                           req->ticket->enc_part2->client,
-                           key,
-                           NULL);
+                           req->ticket->enc_part2->client, key, NULL);
 
     /*
-     * If the server checksum is not found, return success to
-     * krb5int_authdata_verify() to work around an apparent Open
-     * Directory bug.  Non-verified PACs won't be returned by
-     * mspac_get_attribute().
+     * If the above verification failed, don't fail the whole authentication,
+     * just don't mark the PAC as verified.  A checksum mismatch can occur if
+     * the PAC was copied from a cross-realm TGT by an ignorant KDC, and Apple
+     * Mac OS X Server Open Directory (as of 10.6) generates PACs with no
+     * server checksum at all.
      */
-    if (code == ENOENT && !pacctx->pac->verified) {
-        code = 0;
-    }
-
-#if 0
-    /*
-     * Now, we could return 0 and just set pac->verified to FALSE.
-     * Thoughts?
-     */
-    if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
-        assert(pacctx->pac->verified == FALSE);
-        code = 0;
-    }
-#endif
-
-    return code;
+    return 0;
 }
 
 static void
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
index 1ca09b4..60caf3d 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
@@ -102,14 +102,18 @@ extern void prepend_err_str (krb5_context ctx, const char *s, krb5_error_code er
 #define LDAP_SEARCH(base, scope, filter, attrs)   LDAP_SEARCH_1(base, scope, filter, attrs, CHECK_STATUS)
 
 #define LDAP_SEARCH_1(base, scope, filter, attrs, status_check)         \
-    do {                                                                \
-        st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL, NULL, &timelimit, LDAP_NO_LIMIT, &result); \
-        if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
-            tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle); \
-            if (ldap_server_handle)                                     \
-                ld = ldap_server_handle->ldap_handle;                   \
-        }                                                               \
-    }while (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR && tempst == 0); \
+    tempst = 0;                                                         \
+    st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0, NULL,     \
+                           NULL, &timelimit, LDAP_NO_LIMIT, &result);   \
+    if (translate_ldap_error(st, OP_SEARCH) == KRB5_KDB_ACCESS_ERROR) { \
+        tempst = krb5_ldap_rebind(ldap_context, &ldap_server_handle);   \
+        if (ldap_server_handle)                                         \
+            ld = ldap_server_handle->ldap_handle;                       \
+        if (tempst == 0)                                                \
+            st = ldap_search_ext_s(ld, base, scope, filter, attrs, 0,   \
+                                   NULL, NULL, &timelimit,              \
+                                   LDAP_NO_LIMIT, &result);             \
+    }                                                                   \
                                                                         \
     if (status_check != IGNORE_STATUS) {                                \
         if (tempst != 0) {                                              \
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
index 82b0333..84e80ee 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
@@ -302,6 +302,7 @@ krb5_ldap_rebind(krb5_ldap_context *ldap_context,
 {
     krb5_ldap_server_handle     *handle = *ldap_server_handle;
 
+    ldap_unbind_ext_s(handle->ldap_handle, NULL, NULL);
     if ((ldap_initialize(&handle->ldap_handle, handle->server_info->server_name) != LDAP_SUCCESS)
         || (krb5_ldap_bind(ldap_context, handle) != LDAP_SUCCESS))
         return krb5_ldap_request_next_handle_from_pool(ldap_context, ldap_server_handle);
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
index f549e23..b70940f 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c
@@ -446,12 +446,11 @@ is_principal_in_realm(krb5_ldap_context *ldap_context,
      * portion, then the first portion of the principal name SHOULD be
      * "krbtgt".  All this check is done in the immediate block.
      */
-    if (searchfor->length == 2)
-        if ((strncasecmp(searchfor->data[0].data, "krbtgt",
-                         FIND_MAX(searchfor->data[0].length, strlen("krbtgt"))) == 0) &&
-            (strncasecmp(searchfor->data[1].data, defrealm,
-                         FIND_MAX(searchfor->data[1].length, defrealmlen)) == 0))
+    if (searchfor->length == 2) {
+        if (data_eq_string(searchfor->data[0], "krbtgt") &&
+            data_eq_string(searchfor->data[1], defrealm))
             return 0;
+    }
 
     /* first check the length, if they are not equal, then they are not same */
     if (strlen(defrealm) != searchfor->realm.length)
diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index 7ad31da..626ed1f 100644
--- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -103,10 +103,10 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
                         unsigned int flags, krb5_db_entry *entries,
                         int *nentries, krb5_boolean *more)
 {
-    char                        *user=NULL, *filter=NULL, **subtree=NULL;
+    char                        *user=NULL, *filter=NULL, *filtuser=NULL;
     unsigned int                tree=0, ntrees=1, princlen=0;
     krb5_error_code             tempst=0, st=0;
-    char                        **values=NULL, *cname=NULL;
+    char                        **values=NULL, **subtree=NULL, *cname=NULL;
     LDAP                        *ld=NULL;
     LDAPMessage                 *result=NULL, *ent=NULL;
     krb5_ldap_context           *ldap_context=NULL;
@@ -142,12 +142,18 @@ krb5_ldap_get_principal(krb5_context context, krb5_const_principal searchfor,
     if ((st=krb5_ldap_unparse_principal_name(user)) != 0)
         goto cleanup;
 
-    princlen = strlen(FILTER) + strlen(user) + 2 + 1;      /* 2 for closing brackets */
+    filtuser = ldap_filter_correct(user);
+    if (filtuser == NULL) {
+        st = ENOMEM;
+        goto cleanup;
+    }
+
+    princlen = strlen(FILTER) + strlen(filtuser) + 2 + 1;  /* 2 for closing brackets */
     if ((filter = malloc(princlen)) == NULL) {
         st = ENOMEM;
         goto cleanup;
     }
-    snprintf(filter, princlen, FILTER"%s))", user);
+    snprintf(filter, princlen, FILTER"%s))", filtuser);
 
     if ((st = krb5_get_subtree_info(ldap_context, &subtree, &ntrees)) != 0)
         goto cleanup;
@@ -231,6 +237,9 @@ cleanup:
     if (user)
         free(user);
 
+    if (filtuser)
+        free(filtuser);
+
     if (cname)
         free(cname);
 
diff --git a/src/slave/kpropd.c b/src/slave/kpropd.c
index ef43e4a..bf6bdad 100644
--- a/src/slave/kpropd.c
+++ b/src/slave/kpropd.c
@@ -398,11 +398,11 @@ retry:
             }
 
             close(s);
-            if (iproprole == IPROP_SLAVE)
+            if (iproprole == IPROP_SLAVE) {
                 close(finet);
-
-            if ((ret = WEXITSTATUS(status)) != 0)
-                return (ret);
+                if ((ret = WEXITSTATUS(status)) != 0)
+                    return (ret);
+            }
         }
         if (iproprole == IPROP_SLAVE)
             break;

Attachment: pgp5ADEt7x8tr.pgp
Description: PGP signature


Reply to: