
Re: Accumulated patches



Chris Chiappa <griffon+heimdal-discuss@snurgle.org> writes:

> Since these seem to not have made it into 0.3f final I've made an
> accumulated diff.

We're not always very fast when it comes to feedback.

> * ktutil list of an empty keytab segfaults.  To reproduce:
>   ktutil --keytab=krb4:/dev/null list

Fixed, but slightly different.

> * kinit can convert to v4 when renewing v5 tickets (me) and the
> --524convert switch for kinit to convert from v5 to v4 without any
> other actions (Derrick Brashear)

I have some similar changes that do more. I'll try to finish them
in not too long.

> * kinit warns of errors with v4 ticket files

Will include.

> * A tweak in gssapi/verify_mic.c which prevents the Krb5 patches for Openssh
> ( http://www.sxw.org.uk/computing/patches/openssh.html ) from segfaulting.

I think we fixed this differently.

It's always (as far as I can tell) wrong to use a key different from
the remote subkey when verifying remote packets. We should have set
the remote subkey in krb5_rd_rep, and do now. So the remote subkey
should now be the correct one, also for clients in mutual mode. The
relevant patch for rd_rep looks like:

--- rd_rep.c    2001/05/14 06:14:50     1.21
+++ rd_rep.c    2001/06/18 02:13:34
@@ -97,7 +97,10 @@
     goto out;
   }
   if ((*repl)->seq_number)
-    auth_context->remote_seqnumber = *((*repl)->seq_number);
+      krb5_auth_con_setremoteseqnumber(context, auth_context,
+                                      *((*repl)->seq_number));
+  if ((*repl)->subkey)
+    krb5_auth_con_setremotesubkey(context, auth_context, (*repl)->subkey);
   
 out:
   krb5_data_free (&data);
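
Review bot: The results of the two new setter calls are discarded, both krb5_auth_con_setremoteseqnumber under `if ((*repl)->seq_number)` and krb5_auth_con_setremotesubkey under the added `if ((*repl)->subkey)`. If the subkey setter can fail, control falls through to `out:` with the remote subkey unset, and a later MIC verification would run without the key this change is meant to provide. Consider capturing the return value and doing `goto out` on a non-zero result so the caller sees the failure. Two smaller points: the seqnumber call is indented six columns while the subkey call under its `if` uses four, so the two bodies should be aligned; and a one-line comment above the subkey branch saying that remote packets must be verified with the remote subkey would record the reason for the change in the code itself.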

Can perhaps Derrick verify that this does what he wants?

> * A change to convert_creds which makes v4 tickets useful with
> renewable v5 tickets (like MIT behavior).

Fixed. Now also API-compatible with MIT.

> * A couple of implicit decls in telnet (harmless)

These should be in 0.3f.

/Johan