From 2ab4f3c35681f229c566a289df07064c9d8b69b1 Mon Sep 17 00:00:00 2001
From: Seemant Kulleen
Date: Tue, 3 Apr 2007 20:19:13 +0000
Subject: [PATCH] Fixes for 3 security bugs. See bug #171889 for full details. Also, fixed bug #164703 by GNUtoo -- we now create a /var/lib/krb5kdc directory so that a kdc database is created more easily
Package-Manager: portage-2.1.2.3
---
 app-crypt/mit-krb5/ChangeLog | 12 +-
 app-crypt/mit-krb5/Manifest | 37 +-
 .../mit-krb5/files/digest-mit-krb5-1.5.2-r1 | 3 +
 .../files/mit-krb5-SA-2007-001-telnetd.patch | 56 ++
 .../files/mit-krb5-SA-2007-002-syslog.patch | 857 ++++++++++++++++++
 .../mit-krb5/files/mit-krb5-SA-2007-003.patch | 16 +
 app-crypt/mit-krb5/mit-krb5-1.5.2-r1.ebuild | 100 ++
 7 files changed, 1066 insertions(+), 15 deletions(-)
 create mode 100644 app-crypt/mit-krb5/files/digest-mit-krb5-1.5.2-r1
 create mode 100644 app-crypt/mit-krb5/files/mit-krb5-SA-2007-001-telnetd.patch
 create mode 100644 app-crypt/mit-krb5/files/mit-krb5-SA-2007-002-syslog.patch
 create mode 100644 app-crypt/mit-krb5/files/mit-krb5-SA-2007-003.patch
 create mode 100644 app-crypt/mit-krb5/mit-krb5-1.5.2-r1.ebuild
diff --git a/app-crypt/mit-krb5/ChangeLog b/app-crypt/mit-krb5/ChangeLog
index 38218deab590..afefa04781f9 100644
--- a/app-crypt/mit-krb5/ChangeLog
+++ b/app-crypt/mit-krb5/ChangeLog
@@ -1,6 +1,16 @@ # ChangeLog for app-crypt/mit-krb5 # Copyright 1999-2007 Gentoo Foundation; Distributed under the GPL v2 -# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.146 2007/01/15 18:55:34 kloeri Exp $ +# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/ChangeLog,v 1.147 2007/04/03 20:19:13 seemant Exp $ + +*mit-krb5-1.5.2-r1 (03 Apr 2007) + + 03 Apr 2007; Seemant Kulleen + +files/mit-krb5-SA-2007-001-telnetd.patch, + +files/mit-krb5-SA-2007-002-syslog.patch, + +files/mit-krb5-SA-2007-003.patch, +mit-krb5-1.5.2-r1.ebuild: + Fixes for 3 security bugs. See bug #171889 for full details. Also, fixed bug + #164703 by GNUtoo -- we now create a /var/lib/krb5kdc directory so that a + kdc database is created more easily 15 Jan 2007; Bryan Østergaard mit-krb5-1.5.2.ebuild: Stable on Alpha, bug 158810. diff --git a/app-crypt/mit-krb5/Manifest b/app-crypt/mit-krb5/Manifest index ddecb1aa36e9..cd1baa6cc09b 100644 --- a/app-crypt/mit-krb5/Manifest +++ b/app-crypt/mit-krb5/Manifest @@ -1,6 +1,3 @@ ------BEGIN PGP SIGNED MESSAGE----- -Hash: SHA1 - AUX kdc.conf 438 RMD160 c2f29dba3a0b270a5b219741d1ffad07dd62951d SHA1 25b204242b114ec6413355de6064ba3adad0e66c SHA256 ad7507da8acfb7d8a37ca83f414e5eb25faf4374a879a48c7af6cdd8fb5ae113 MD5 186bd4cbeff944079f44105d4c962c80 files/kdc.conf 438 RMD160 c2f29dba3a0b270a5b219741d1ffad07dd62951d files/kdc.conf 438 
@@ -21,6 +18,18 @@ AUX mit-krb5-1.4.3-setuid.patch 7066 RMD160 5d9b862ed554cf63d567dbfb4f4308b8771e MD5 161af87937e59b10d0d1cb0ab771cb19 files/mit-krb5-1.4.3-setuid.patch 7066 RMD160 5d9b862ed554cf63d567dbfb4f4308b8771eeb89 files/mit-krb5-1.4.3-setuid.patch 7066 SHA256 334f4aeb83f79206829ac588ac2919fa2730a6524c1041fe5a3915c986c1ab3c files/mit-krb5-1.4.3-setuid.patch 7066 +AUX mit-krb5-SA-2007-001-telnetd.patch 2089 RMD160 66d230ad48d4a5292520579de63778d06357fbac SHA1 1e1c4c184caf3be7480f7bf4797bedcd05042de1 SHA256 edd4de87ad2f01c6d07f49101ecb6e7853a2979ef23c8496ac833f7dfaedede7 +MD5 60d3143180d1eab444bb5a64bc045420 files/mit-krb5-SA-2007-001-telnetd.patch 2089 +RMD160 66d230ad48d4a5292520579de63778d06357fbac files/mit-krb5-SA-2007-001-telnetd.patch 2089 +SHA256 edd4de87ad2f01c6d07f49101ecb6e7853a2979ef23c8496ac833f7dfaedede7 files/mit-krb5-SA-2007-001-telnetd.patch 2089 +AUX mit-krb5-SA-2007-002-syslog.patch 31119 RMD160 e9ca437400760ea2762b097b215702194c5b93bd SHA1 63e27604500874ff1a1fa4da8d537a0bde15c289 SHA256 0c36a81867c9ff3e761853d4f3d90cdfb41bfa7b665d7da05c5cd713443a4541 +MD5 3d61faafa1c2c44fc1f74fcc8781c059 files/mit-krb5-SA-2007-002-syslog.patch 31119 +RMD160 e9ca437400760ea2762b097b215702194c5b93bd files/mit-krb5-SA-2007-002-syslog.patch 31119 +SHA256 0c36a81867c9ff3e761853d4f3d90cdfb41bfa7b665d7da05c5cd713443a4541 files/mit-krb5-SA-2007-002-syslog.patch 31119 +AUX mit-krb5-SA-2007-003.patch 609 RMD160 bb6dbd8a850a5767e0812429f35acec56fa3084c SHA1 16f034b9044a8e31c7746fb97c05f1405b778f01 SHA256 300f666872407e196e1b2ed86812ddaa44dfd0cd53a4194260b43b88fb8c0133 +MD5 3e1a043cbe0971ab090112e3cc6ce85d files/mit-krb5-SA-2007-003.patch 609 +RMD160 bb6dbd8a850a5767e0812429f35acec56fa3084c files/mit-krb5-SA-2007-003.patch 609 +SHA256 300f666872407e196e1b2ed86812ddaa44dfd0cd53a4194260b43b88fb8c0133 files/mit-krb5-SA-2007-003.patch 609 AUX mit-krb5-lazyldflags.patch 509 RMD160 47515882e93e0db7db6980a4460a01f2cbc3f382 SHA1 db880ff82bd72afd2815a8e8d345c815c2769715 
SHA256 272b3a18303b43c64bbcc1da9bcb7cd60d56337700d84c78741c7096c18044d5 MD5 ae7e2bde0b20e580f49d5a3c524b445b files/mit-krb5-lazyldflags.patch 509 RMD160 47515882e93e0db7db6980a4460a01f2cbc3f382 files/mit-krb5-lazyldflags.patch 509 
@@ -55,14 +64,18 @@ EBUILD mit-krb5-1.4.3-r3.ebuild 2824 RMD160 7137c8e949c0d26f27b0f95d0ee69af70ccf MD5 435e0a893165a9d2ce572dfdd8ecc4c4 mit-krb5-1.4.3-r3.ebuild 2824 RMD160 7137c8e949c0d26f27b0f95d0ee69af70ccf6f51 mit-krb5-1.4.3-r3.ebuild 2824 SHA256 77e751eb6257efb5c1da814b509137020894702ed24a37b32e8a3d3a30c3da6d mit-krb5-1.4.3-r3.ebuild 2824 +EBUILD mit-krb5-1.5.2-r1.ebuild 2496 RMD160 df6bd7f33a4bfa228cd2e019b1188c6afe41680a SHA1 86286c0cda66fba6828916a05316d1144770c750 SHA256 4f684d5b07c4227414f95264705a58fb24a8c0ccd14af20391254ecf44f437ab +MD5 bfd51922172fd06fc0cd48b05f308ae2 mit-krb5-1.5.2-r1.ebuild 2496 +RMD160 df6bd7f33a4bfa228cd2e019b1188c6afe41680a mit-krb5-1.5.2-r1.ebuild 2496 +SHA256 4f684d5b07c4227414f95264705a58fb24a8c0ccd14af20391254ecf44f437ab mit-krb5-1.5.2-r1.ebuild 2496 EBUILD mit-krb5-1.5.2.ebuild 2312 RMD160 e389fba21cfc43195eef750b5dba35ce80c95f90 SHA1 ce53864ed7cd0a663b0c62c3436b55b2ba8b9cb7 SHA256 eb7a16668aa0f2b2d8104b19a6ab8cb3c4533af1da24b1387c8129802152a9d6 MD5 48eb0711f6eb3afbb07922b6aeb3a585 mit-krb5-1.5.2.ebuild 2312 RMD160 e389fba21cfc43195eef750b5dba35ce80c95f90 mit-krb5-1.5.2.ebuild 2312 SHA256 eb7a16668aa0f2b2d8104b19a6ab8cb3c4533af1da24b1387c8129802152a9d6 mit-krb5-1.5.2.ebuild 2312 -MISC ChangeLog 1690 RMD160 24a37526e9c91717f8b162f49d5c4b1b914b0c04 SHA1 33db0b980b47afcddbef300d887fc409af1fe567 SHA256 6f43c06677d35a361f41f7f2b5c2671e89ce0a263dc19ffb95ccb00f457cd294 -MD5 d257c94878d531f63cfb5db28511e65d ChangeLog 1690 -RMD160 24a37526e9c91717f8b162f49d5c4b1b914b0c04 ChangeLog 1690 -SHA256 6f43c06677d35a361f41f7f2b5c2671e89ce0a263dc19ffb95ccb00f457cd294 ChangeLog 1690 +MISC ChangeLog 2124 RMD160 a159fc2f618d5b600f13db1894c8a6b33faf2bb0 SHA1 82554205dc6a247c49dc9476baa5056bc7a8ff5c SHA256 cbc4dea79605b43ddde166e7d2766e2e33394cd0d78a160b672bb61d2aaa6399 +MD5 78b0cd65653b7fa3e53ec3956cd65ca6 ChangeLog 2124 +RMD160 a159fc2f618d5b600f13db1894c8a6b33faf2bb0 ChangeLog 2124 +SHA256 
cbc4dea79605b43ddde166e7d2766e2e33394cd0d78a160b672bb61d2aaa6399 ChangeLog 2124 MISC metadata.xml 241 RMD160 4b15a3aa85942fcbab1c0afa871bd88c85acb001 SHA1 97dc5c2f74beed14ac9e171f36380370afae95be SHA256 119a622b44a5b38856cb9398389cf060f93a077b369161a5ab9a193234af763f MD5 f3ea9dd1d52f37139fbc4d101044f821 metadata.xml 241 RMD160 4b15a3aa85942fcbab1c0afa871bd88c85acb001 metadata.xml 241 @@ -73,10 +86,6 @@ SHA256 6dbbea82aa2ce1f7db8b21fa84eaa99e1fc045e2a4a4b6d175d27267f197c123 files/di MD5 371862c239b5066a8251dbf8ff99b193 files/digest-mit-krb5-1.5.2 250 RMD160 504add6e5e71afbb372c253d909440badbd342ac files/digest-mit-krb5-1.5.2 250 SHA256 3ef89096be30b4523fb82ca10ea1405dfe98f5cad6609b441514e878d05b8747 files/digest-mit-krb5-1.5.2 250 ------BEGIN PGP SIGNATURE----- -Version: GnuPG v2.0.1 (GNU/Linux) - -iD8DBQFFq83augEuf3OQ0akRAt4EAJ9nLPfi4sda4hQagdgP1MzD00xBhQCdHb2B -pDQa0WlhQQIuReVwlQM6pHQ= -=TwxQ ------END PGP SIGNATURE----- +MD5 371862c239b5066a8251dbf8ff99b193 files/digest-mit-krb5-1.5.2-r1 250 +RMD160 504add6e5e71afbb372c253d909440badbd342ac files/digest-mit-krb5-1.5.2-r1 250 +SHA256 3ef89096be30b4523fb82ca10ea1405dfe98f5cad6609b441514e878d05b8747 files/digest-mit-krb5-1.5.2-r1 250 diff --git a/app-crypt/mit-krb5/files/digest-mit-krb5-1.5.2-r1 b/app-crypt/mit-krb5/files/digest-mit-krb5-1.5.2-r1 new file mode 100644 index 000000000000..acc96e7682b6 --- /dev/null +++ b/app-crypt/mit-krb5/files/digest-mit-krb5-1.5.2-r1 @@ -0,0 +1,3 @@ +MD5 4d1452f775281f5da62e8fde0b517692 krb5-1.5.2-signed.tar 10086400 +RMD160 b8eca92373155eac0661721f0c65777673d4654e krb5-1.5.2-signed.tar 10086400 +SHA256 1db46e506fbc0b1a274cb00c3fda5b5e4de832ce40c209e4f6603adcdf2e770e krb5-1.5.2-signed.tar 10086400 diff --git a/app-crypt/mit-krb5/files/mit-krb5-SA-2007-001-telnetd.patch b/app-crypt/mit-krb5/files/mit-krb5-SA-2007-001-telnetd.patch new file mode 100644 index 000000000000..a4d361445470 --- /dev/null +++ b/app-crypt/mit-krb5/files/mit-krb5-SA-2007-001-telnetd.patch 
@@ -0,0 +1,56 @@ +diff -urN krb5-1.5.2.orig/src/appl/telnet/telnetd/state.c krb5-1.5.2/src/appl/telnet/telnetd/state.c +--- krb5-1.5.2.orig/src/appl/telnet/telnetd/state.c 2006-06-15 18:42:53.000000000 -0400 ++++ krb5-1.5.2/src/appl/telnet/telnetd/state.c 2007-03-28 18:05:19.000000000 -0400 +@@ -1665,7 +1665,8 @@ + strcmp(varp, "RESOLV_HOST_CONF") && /* linux */ + strcmp(varp, "NLSPATH") && /* locale stuff */ + strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */ +- strcmp(varp, "IFS")) { ++ strcmp(varp, "IFS") && ++ !strchr(varp, '-')) { + return 1; + } else { + syslog(LOG_INFO, "Rejected the attempt to modify the environment variable \"%s\"", varp); +diff -urN krb5-1.5.2.orig/src/appl/telnet/telnetd/sys_term.c krb5-1.5.2/src/appl/telnet/telnetd/sys_term.c +--- krb5-1.5.2.orig/src/appl/telnet/telnetd/sys_term.c 2002-11-15 15:21:51.000000000 -0500 ++++ krb5-1.5.2/src/appl/telnet/telnetd/sys_term.c 2007-03-28 18:10:59.000000000 -0400 +@@ -1287,6 +1287,16 @@ + #endif + #if defined (AUTHENTICATION) + if (auth_level >= 0 && autologin == AUTH_VALID) { ++ if (name[0] == '-') { ++ /* Authenticated and authorized to log in to an account ++ * starting with '-'? Even if that unlikely case comes ++ * to pass, the current program will not patse the ++ * resulting command line properly. ++ */ ++ syslog(LOG_ERR, "user name can not start with '-'"); ++ fatal(net, "user name can not start with '-'"); ++ exit(1); ++ } + # if !defined(NO_LOGIN_F) + #if defined(LOGIN_CAP_F) + argv = addarg(argv, "-F"); +@@ -1377,12 +1387,20 @@ + } else + #endif + if (getenv("USER")) { +- argv = addarg(argv, getenv("USER")); ++ char *user = getenv("USER"); ++ if (user[0] == '-') { ++ /* "telnet -l-x ..." 
*/ ++ syslog(LOG_ERR, "user name cannot start with '-'"); ++ fatal(net, "user name cannot start with '-'"); ++ exit(1); ++ } ++ argv = addarg(argv, user); + #if defined(LOGIN_ARGS) && defined(NO_LOGIN_P) + { + register char **cpp; + for (cpp = environ; *cpp; cpp++) +- argv = addarg(argv, *cpp); ++ if ((*cpp[0] != '-') ++ argv = addarg(argv, *cpp); + } + #endif + /* diff --git a/app-crypt/mit-krb5/files/mit-krb5-SA-2007-002-syslog.patch b/app-crypt/mit-krb5/files/mit-krb5-SA-2007-002-syslog.patch new file mode 100644 index 000000000000..3fb2211f657d --- /dev/null +++ b/app-crypt/mit-krb5/files/mit-krb5-SA-2007-002-syslog.patch 
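Review bot: The environ filter at the end of the sys_term.c part of this patch reads `if ((*cpp[0] != '-')` as rendered here, which has an unbalanced parenthesis and would not compile; the intended condition is `if ((*cpp)[0] != '-')`. That loop sits under `#if defined(LOGIN_ARGS) && defined(NO_LOGIN_P)`, so a build on a configuration where that guard is false would never reach the line and a successful ebuild build does not prove the patch text is right; the stored file is worth checking byte-for-byte. The rendering may simply have dropped the `)` in transit, in which case there is nothing to change. Separately, the comment added in the `auth_level >= 0 && autologin == AUTH_VALID` block has a typo, `patse` → `parse`.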
@@ -0,0 +1,857 @@ +diff -urN krb5-1.5.2.orig/src/kadmin/server/kadm_rpc_svc.c krb5-1.5.2/src/kadmin/server/kadm_rpc_svc.c +--- krb5-1.5.2.orig/src/kadmin/server/kadm_rpc_svc.c 2006-03-31 22:08:17.000000000 -0500 ++++ krb5-1.5.2/src/kadmin/server/kadm_rpc_svc.c 2007-03-28 18:17:57.000000000 -0400 +@@ -250,6 +250,8 @@ + krb5_data *c1, *c2, *realm; + gss_buffer_desc gss_str; + kadm5_server_handle_t handle; ++ size_t slen; ++ char *sdots; + + success = 0; + handle = (kadm5_server_handle_t)global_server_handle; +@@ -274,6 +276,9 @@ + if (ret == 0) + goto fail_name; + ++ slen = gss_str.length; ++ trunc_name(&slen, &sdots); ++ + /* + * Since we accept with GSS_C_NO_NAME, the client can authenticate + * against the entire kdb. Therefore, ensure that the service +@@ -296,8 +301,8 @@ + + fail_princ: + if (!success) { +- krb5_klog_syslog(LOG_ERR, "bad service principal %.*s", +- gss_str.length, gss_str.value); ++ krb5_klog_syslog(LOG_ERR, "bad service principal %.*s%s", ++ slen, gss_str.value, sdots); + } + gss_release_buffer(&min_stat, &gss_str); + krb5_free_principal(kctx, princ); +diff -urN krb5-1.5.2.orig/src/kadmin/server/misc.c krb5-1.5.2/src/kadmin/server/misc.c +--- krb5-1.5.2.orig/src/kadmin/server/misc.c 2006-03-11 17:23:28.000000000 -0500 ++++ krb5-1.5.2/src/kadmin/server/misc.c 2007-03-28 18:19:44.000000000 -0400 +@@ -171,3 +171,12 @@ + + return kadm5_free_principal_ent(handle->lhandle, &princ); + } ++ ++#define MAXPRINCLEN 125 ++ ++void ++trunc_name(size_t *len, char **dots) ++{ ++ *dots = *len > MAXPRINCLEN ? "..." : ""; ++ *len = *len > MAXPRINCLEN ? 
MAXPRINCLEN : *len; ++} +diff -urN krb5-1.5.2.orig/src/kadmin/server/misc.h krb5-1.5.2/src/kadmin/server/misc.h +--- krb5-1.5.2.orig/src/kadmin/server/misc.h 2005-10-12 00:09:19.000000000 -0400 ++++ krb5-1.5.2/src/kadmin/server/misc.h 2007-03-28 18:20:15.000000000 -0400 +@@ -45,3 +45,5 @@ + #ifdef SVC_GETARGS + void kadm_1(struct svc_req *, SVCXPRT *); + #endif ++ ++void trunc_name(size_t *len, char **dots); +diff -urN krb5-1.5.2.orig/src/kadmin/server/ovsec_kadmd.c krb5-1.5.2/src/kadmin/server/ovsec_kadmd.c +--- krb5-1.5.2.orig/src/kadmin/server/ovsec_kadmd.c 2007-01-09 20:08:20.000000000 -0500 ++++ krb5-1.5.2/src/kadmin/server/ovsec_kadmd.c 2007-03-28 18:29:19.000000000 -0400 +@@ -989,6 +989,8 @@ + rpcproc_t proc; + int i; + const char *procname; ++ size_t clen, slen; ++ char *cdots, *sdots; + + client.length = 0; + client.value = NULL; +@@ -997,10 +999,20 @@ + + (void) gss_display_name(&minor, client_name, &client, &gss_type); + (void) gss_display_name(&minor, server_name, &server, &gss_type); +- if (client.value == NULL) +- client.value = "(null)"; +- if (server.value == NULL) +- server.value = "(null)"; ++ if (client.value == NULL) { ++ client.value = "(null)"; ++ clen = sizeof("(null)") - 1; ++ } else { ++ clen = client.length; ++ } ++ trunc_name(&clen, &cdots); ++ if (server.value == NULL) { ++ server.value = "(null)"; ++ slen = sizeof("(null)") - 1; ++ } else { ++ slen = server.length; ++ } ++ trunc_name(&slen, &sdots); + a = inet_ntoa(rqst->rq_xprt->xp_raddr.sin_addr); + + proc = msg->rm_call.cb_proc; +@@ -1013,14 +1025,14 @@ + } + if (procname != NULL) + krb5_klog_syslog(LOG_NOTICE, "WARNING! Forged/garbled request: %s, " +- "claimed client = %s, server = %s, addr = %s", +- procname, client.value, +- server.value, a); ++ "claimed client = %.*s%s, server = %.*s%s, addr = %s", ++ procname, clen, client.value, cdots, ++ slen, server.value, sdots, a); + else + krb5_klog_syslog(LOG_NOTICE, "WARNING! 
Forged/garbled request: %d, " +- "claimed client = %s, server = %s, addr = %s", +- proc, client.value, +- server.value, a); ++ "claimed client = %.*s%s, server = %.*s%s, addr = %s", ++ proc, clen, client.value, cdots, ++ slen, server.value, sdots, a); + + (void) gss_release_buffer(&minor, &client); + (void) gss_release_buffer(&minor, &server); +diff -urN krb5-1.5.2.orig/src/kadmin/server/schpw.c krb5-1.5.2/src/kadmin/server/schpw.c +--- krb5-1.5.2.orig/src/kadmin/server/schpw.c 2006-04-13 14:58:56.000000000 -0400 ++++ krb5-1.5.2/src/kadmin/server/schpw.c 2007-03-28 18:29:11.000000000 -0400 +@@ -40,6 +40,8 @@ + int numresult; + char strresult[1024]; + char *clientstr; ++ size_t clen; ++ char *cdots; + + ret = 0; + rep->length = 0; +@@ -258,9 +260,12 @@ + free(ptr); + clear.length = 0; + +- krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %s: %s", ++ clen = strlen(clientstr); ++ trunc_name(&clen, &cdots); ++ krb5_klog_syslog(LOG_NOTICE, "chpw request from %s for %.*s%s: %s", + inet_ntoa(((struct sockaddr_in *)&remote_addr)->sin_addr), +- clientstr, ret ? krb5_get_error_message (context, ret) : "success"); ++ clen, clientstr, cdots, ++ ret ? 
krb5_get_error_message (context, ret) : "success"); + krb5_free_unparsed_name(context, clientstr); + + if (ret) { +diff -urN krb5-1.5.2.orig/src/kadmin/server/server_stubs.c krb5-1.5.2/src/kadmin/server/server_stubs.c +--- krb5-1.5.2.orig/src/kadmin/server/server_stubs.c 2006-04-13 14:58:56.000000000 -0400 ++++ krb5-1.5.2/src/kadmin/server/server_stubs.c 2007-03-28 21:03:41.000000000 -0400 +@@ -14,6 +14,7 @@ + #include /* inet_ntoa */ + #include /* krb5_klog_syslog */ + #include "misc.h" ++#include + + #define LOG_UNAUTH "Unauthorized request: %s, %s, client=%s, service=%s, addr=%s" + #define LOG_DONE "Request: %s, %s, %s, client=%s, service=%s, addr=%s" +@@ -237,6 +238,50 @@ + return 0; + } + ++static int ++log_unauth(char *op, char *target, gss_buffer_t client, gss_buffer_t server, struct svc_req *rqstp) ++{ ++ size_t tlen, clen, slen; ++ char *tdots, *cdots, *sdots; ++ ++ tlen = strlen(target); ++ trunc_name(&tlen, &tdots); ++ clen = client->length; ++ trunc_name(&clen, &cdots); ++ slen = server->length; ++ trunc_name(&slen, &sdots); ++ ++ return krb5_klog_syslog(LOG_NOTICE, ++ "Unauthorized request: %s, %.*s%s, " ++ "client=%.*s%s, service=%.*s%s, addr=%s", ++ op, tlen, target, tdots, ++ clen, client->value, cdots, ++ slen, server->value, sdots, ++ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++} ++ ++static int ++log_done(char *op, char *target, char *errmsg, gss_buffer_t client, gss_buffer_t server, struct svc_req *rqstp) ++{ ++ size_t tlen, clen, slen; ++ char *tdots, *cdots, *sdots; ++ ++ tlen = strlen(target); ++ trunc_name(&tlen, &tdots); ++ clen = client->length; ++ trunc_name(&clen, &cdots); ++ slen = server->length; ++ trunc_name(&slen, &sdots); ++ ++ return krb5_klog_syslog(LOG_NOTICE, ++ "Request: %s, %.*s%s, %s, " ++ "client=%.*s%s, service=%.*s%s, addr=%s", ++ op, tlen, target, tdots, errmsg, ++ clen, client->value, cdots, ++ slen, server->value, sdots, ++ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++} ++ + generic_ret * + 
create_principal_2_svc(cprinc_arg *arg, struct svc_req *rqstp) + { +@@ -275,9 +320,8 @@ + || kadm5int_acl_impose_restrictions(handle->context, + &arg->rec, &arg->mask, rp)) { + ret.code = KADM5_AUTH_ADD; +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth("kadm5_create_principal", prime_arg, ++ &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_create_principal((void *)handle, + &arg->rec, arg->mask, +@@ -287,10 +331,8 @@ + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal", +- prime_arg, errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_create_principal", prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + + /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ + } +@@ -341,9 +383,8 @@ + || kadm5int_acl_impose_restrictions(handle->context, + &arg->rec, &arg->mask, rp)) { + ret.code = KADM5_AUTH_ADD; +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_principal", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth("kadm5_create_principal", prime_arg, ++ &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_create_principal_3((void *)handle, + &arg->rec, arg->mask, +@@ -355,10 +396,8 @@ + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_principal", +- prime_arg, errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_create_principal", prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + + /* no need to check for NULL. 
Even if it is NULL, atleast error_code will be returned */ + } +@@ -406,9 +445,8 @@ + || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE, + arg->princ, NULL)) { + ret.code = KADM5_AUTH_DELETE; +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_principal", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth("kadm5_delete_principal", prime_arg, ++ &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_delete_principal((void *)handle, arg->princ); + if( ret.code == 0 ) +@@ -416,10 +454,8 @@ + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_principal", +- prime_arg, errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_delete_principal", prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + + /* no need to check for NULL. Even if it is NULL, atleast error_code will be returned */ + } +@@ -469,9 +505,8 @@ + || kadm5int_acl_impose_restrictions(handle->context, + &arg->rec, &arg->mask, rp)) { + ret.code = KADM5_AUTH_MODIFY; +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_principal", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth("kadm5_modify_principal", prime_arg, ++ &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_modify_principal((void *)handle, &arg->rec, + arg->mask); +@@ -480,10 +515,8 @@ + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_principal", +- prime_arg, errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_modify_principal", prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + + /* no need to check for NULL. 
Even if it is NULL, atleast error_code will be returned */ + } +@@ -546,9 +579,8 @@ + } else + ret.code = KADM5_AUTH_INSUFFICIENT; + if (ret.code != KADM5_OK) { +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_rename_principal", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth("kadm5_rename_principal", prime_arg, ++ &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_rename_principal((void *)handle, arg->src, + arg->dest); +@@ -557,10 +589,8 @@ + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_rename_principal", +- prime_arg, errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_rename_principal", prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + } + free_server_handle(handle); + free(prime_arg1); +@@ -614,9 +644,8 @@ + arg->princ, + NULL))) { + ret.code = KADM5_AUTH_GET; +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname, +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth(funcname, prime_arg, ++ &client_name, &service_name, rqstp); + } else { + if (handle->api_version == KADM5_API_VERSION_1) { + ret.code = kadm5_get_principal_v1((void *)handle, +@@ -636,11 +665,8 @@ + else + errmsg = krb5_get_error_message(handle ? 
handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname, +- prime_arg, +- errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done(funcname, prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + + } + free_server_handle(handle); +@@ -688,9 +714,8 @@ + NULL, + NULL)) { + ret.code = KADM5_AUTH_LIST; +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_principals", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth("kadm5_get_principals", prime_arg, ++ &client_name, &service_name, rqstp); + } else { + ret.code = kadm5_get_principals((void *)handle, + arg->exp, &ret.princs, +@@ -700,11 +725,8 @@ + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_principals", +- prime_arg, +- errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_get_principals", prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + + } + free_server_handle(handle); +@@ -755,9 +777,8 @@ + ret.code = kadm5_chpass_principal((void *)handle, arg->princ, + arg->pass); + } else { +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth("kadm5_chpass_principal", prime_arg, ++ &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_CHANGEPW; + } + +@@ -767,10 +788,8 @@ + else + errmsg = krb5_get_error_message(handle ? 
handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal", +- prime_arg, errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_chpass_principal", prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + } + + free_server_handle(handle); +@@ -828,9 +847,8 @@ + arg->ks_tuple, + arg->pass); + } else { +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_chpass_principal", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth("kadm5_chpass_principal", prime_arg, ++ &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_CHANGEPW; + } + +@@ -840,10 +858,8 @@ + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_chpass_principal", +- prime_arg, errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_chpass_principal", prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + } + + free_server_handle(handle); +@@ -892,9 +908,8 @@ + ret.code = kadm5_setv4key_principal((void *)handle, arg->princ, + arg->keyblock); + } else { +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setv4key_principal", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth("kadm5_setv4key_principal", prime_arg, ++ &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_SETKEY; + } + +@@ -904,10 +919,8 @@ + else + errmsg = krb5_get_error_message(handle ? 
handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setv4key_principal", +- prime_arg, errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_setv4key_principal", prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + } + + free_server_handle(handle); +@@ -956,9 +969,8 @@ + ret.code = kadm5_setkey_principal((void *)handle, arg->princ, + arg->keyblocks, arg->n_keys); + } else { +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth("kadm5_setkey_principal", prime_arg, ++ &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_SETKEY; + } + +@@ -968,10 +980,8 @@ + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal", +- prime_arg, errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_setkey_principal", prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + } + + free_server_handle(handle); +@@ -1023,9 +1033,8 @@ + arg->ks_tuple, + arg->keyblocks, arg->n_keys); + } else { +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_setkey_principal", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth("kadm5_setkey_principal", prime_arg, ++ &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_SETKEY; + } + +@@ -1035,10 +1044,8 @@ + else + errmsg = krb5_get_error_message(handle ? 
handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_setkey_principal", +- prime_arg, errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_setkey_principal", prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + } + + free_server_handle(handle); +@@ -1097,9 +1104,8 @@ + ret.code = kadm5_randkey_principal((void *)handle, arg->princ, + &k, &nkeys); + } else { +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname, +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth(funcname, prime_arg, ++ &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_CHANGEPW; + } + +@@ -1119,10 +1125,8 @@ + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname, +- prime_arg, errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done(funcname, prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + } + free_server_handle(handle); + free(prime_arg); +@@ -1185,9 +1189,8 @@ + arg->ks_tuple, + &k, &nkeys); + } else { +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname, +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth(funcname, prime_arg, ++ &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_CHANGEPW; + } + +@@ -1207,10 +1210,8 @@ + else + errmsg = krb5_get_error_message(handle ? 
handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname, +- prime_arg, errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done(funcname, prime_arg, errmsg, ++ &client_name, &service_name, rqstp); + } + free_server_handle(handle); + free(prime_arg); +@@ -1253,9 +1254,8 @@ + rqst2name(rqstp), + ACL_ADD, NULL, NULL)) { + ret.code = KADM5_AUTH_ADD; +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_create_policy", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth("kadm5_create_policy", prime_arg, ++ &client_name, &service_name, rqstp); + + } else { + ret.code = kadm5_create_policy((void *)handle, &arg->rec, +@@ -1265,11 +1265,9 @@ + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_create_policy", +- ((prime_arg == NULL) ? "(null)" : prime_arg), +- errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_create_policy", ++ ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, ++ &client_name, &service_name, rqstp); + } + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +@@ -1310,9 +1308,8 @@ + if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, + rqst2name(rqstp), + ACL_DELETE, NULL, NULL)) { +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_delete_policy", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth("kadm5_delete_policy", prime_arg, ++ &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_DELETE; + } else { + ret.code = kadm5_delete_policy((void *)handle, arg->name); +@@ -1321,11 +1318,9 @@ + else + errmsg = krb5_get_error_message(handle ? 
handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_delete_policy", +- ((prime_arg == NULL) ? "(null)" : prime_arg), +- errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_delete_policy", ++ ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, ++ &client_name, &service_name, rqstp); + } + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +@@ -1366,9 +1361,8 @@ + if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, + rqst2name(rqstp), + ACL_MODIFY, NULL, NULL)) { +- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_modify_policy", +- prime_arg, client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_unauth("kadm5_modify_policy", prime_arg, ++ &client_name, &service_name, rqstp); + ret.code = KADM5_AUTH_MODIFY; + } else { + ret.code = kadm5_modify_policy((void *)handle, &arg->rec, +@@ -1378,11 +1372,9 @@ + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_modify_policy", +- ((prime_arg == NULL) ? "(null)" : prime_arg), +- errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done("kadm5_modify_policy", ++ ((prime_arg == NULL) ? "(null)" : prime_arg), errmsg, ++ &client_name, &service_name, rqstp); + } + free_server_handle(handle); + gss_release_buffer(&minor_stat, &client_name); +@@ -1464,15 +1456,12 @@ + else + errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code); + +- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, funcname, +- ((prime_arg == NULL) ? "(null)" : prime_arg), +- errmsg, +- client_name.value, service_name.value, +- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr)); ++ log_done(funcname, ++ ((prime_arg == NULL) ? 
"(null)" : prime_arg), errmsg,
++ &client_name, &service_name, rqstp);
+ } else {
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, funcname,
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth(funcname, prime_arg,
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ gss_release_buffer(&minor_stat, &client_name);
+@@ -1517,9 +1506,8 @@
+ rqst2name(rqstp),
+ ACL_LIST, NULL, NULL)) {
+ ret.code = KADM5_AUTH_LIST;
+- krb5_klog_syslog(LOG_NOTICE, LOG_UNAUTH, "kadm5_get_policies",
+- prime_arg, client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_unauth("kadm5_get_policies", prime_arg,
++ &client_name, &service_name, rqstp);
+ } else {
+ ret.code = kadm5_get_policies((void *)handle,
+ arg->exp, &ret.pols,
+@@ -1529,11 +1517,8 @@
+ else
+ errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+ 
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_policies",
+- prime_arg,
+- errmsg,
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_get_policies", prime_arg, errmsg,
++ &client_name, &service_name, rqstp);
+ }
+ free_server_handle(handle);
+ gss_release_buffer(&minor_stat, &client_name);
+@@ -1573,11 +1558,8 @@
+ else
+ errmsg = krb5_get_error_message(handle ? 
handle->context : NULL, ret.code);
+ 
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE, "kadm5_get_privs",
+- client_name.value,
+- errmsg,
+- client_name.value, service_name.value,
+- inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr));
++ log_done("kadm5_get_privs", client_name.value, errmsg,
++ &client_name, &service_name, rqstp);
+ 
+ free_server_handle(handle);
+ gss_release_buffer(&minor_stat, &client_name);
+@@ -1594,6 +1576,8 @@
+ kadm5_server_handle_t handle;
+ OM_uint32 minor_stat;
+ char *errmsg = 0;
++ size_t clen, slen;
++ char *cdots, *sdots;
+ 
+ xdr_free(xdr_generic_ret, &ret);
+ 
+@@ -1611,13 +1595,21 @@
+ }
+ 
+ if (ret.code != 0)
+- errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
+- krb5_klog_syslog(LOG_NOTICE, LOG_DONE ", flavor=%d",
++ errmsg = krb5_get_error_message(handle ? handle->context : NULL, ret.code);
++ else
++ errmsg = "success";
++ 
++ clen = client_name.length;
++ trunc_name(&clen, &cdots);
++ slen = service_name.length;
++ trunc_name(&slen, &sdots);
++ krb5_klog_syslog(LOG_NOTICE, "Request: %s, %.*s%s, %s, "
++ "client=%.*s%s, service=%.*s%s, addr=%s, flavor=%d",
+ (ret.api_version == KADM5_API_VERSION_1 ?
+ "kadm5_init (V1)" : "kadm5_init"),
+- client_name.value,
+- (ret.code == 0) ? 
"success" : errmsg,
+- client_name.value, service_name.value,
++ clen, client_name.value, cdots, errmsg,
++ clen, client_name.value, cdots,
++ slen, service_name.value, sdots,
+ inet_ntoa(rqstp->rq_xprt->xp_raddr.sin_addr),
+ rqstp->rq_cred.oa_flavor);
+ gss_release_buffer(&minor_stat, &client_name);
+diff -urN krb5-1.5.2.orig/src/kdc/do_tgs_req.c krb5-1.5.2/src/kdc/do_tgs_req.c
+--- krb5-1.5.2.orig/src/kdc/do_tgs_req.c 2006-08-07 15:38:41.000000000 -0400
++++ krb5-1.5.2/src/kdc/do_tgs_req.c 2007-03-28 21:08:52.000000000 -0400
+@@ -491,30 +491,40 @@
+ newtransited = 1;
+ }
+ if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
+- errcode = krb5_check_transited_list (kdc_context,
++ unsigned int tlen;
++ char *tdots;
++ 
++ errcode = krb5_check_transited_list (kdc_context,
+ &enc_tkt_reply.transited.tr_contents,
+ krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),
+ krb5_princ_realm (kdc_context, request->server));
+- if (errcode == 0) {
+- setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
+- } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
+- krb5_klog_syslog (LOG_INFO,
+- "bad realm transit path from '%s' to '%s' via '%.*s'",
++ tlen = enc_tkt_reply.transited.tr_contents.length;
++ tdots = tlen > 125 ? "..." : "";
++ tlen = tlen > 125 ? 125 : tlen;
++ 
++ if (errcode == 0) {
++ setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
++ } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
++ krb5_klog_syslog (LOG_INFO,
++ "bad realm transit path from '%s' to '%s' "
++ "via '%.*s%s'",
+ cname ? cname : "",
+ sname ? 
sname : "",
+- enc_tkt_reply.transited.tr_contents.length,
+- enc_tkt_reply.transited.tr_contents.data);
+- else {
+- char *emsg = krb5_get_error_message(kdc_context, errcode);
+- krb5_klog_syslog (LOG_ERR,
+- "unexpected error checking transit from '%s' to '%s' via '%.*s': %s",
++ tlen,
++ enc_tkt_reply.transited.tr_contents.data,
++ tdots);
++ else {
++ const char *emsg = krb5_get_error_message(kdc_context, errcode);
++ krb5_klog_syslog (LOG_ERR,
++ "unexpected error checking transit from "
++ "'%s' to '%s' via '%.*s%s': %s",
+ cname ? cname : "",
+ sname ? sname : "",
+- enc_tkt_reply.transited.tr_contents.length,
++ tlen,
+ enc_tkt_reply.transited.tr_contents.data,
+- emsg);
++ tdots, emsg);
+ krb5_free_error_message(kdc_context, emsg);
+- }
++ }
+ } else
+ krb5_klog_syslog (LOG_INFO, "not checking transit path");
+ if (reject_bad_transit
+@@ -542,6 +552,9 @@
+ if (!krb5_principal_compare(kdc_context, request->server, client2)) {
+ if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))
+ tmp = 0;
++ if (tmp != NULL)
++ limit_string(tmp);
++ 
+ krb5_klog_syslog(LOG_INFO,
+ "TGS_REQ %s: 2ND_TKT_MISMATCH: "
+ "authtime %d, %s for %s, 2nd tkt client %s",
+@@ -816,6 +829,7 @@
+ krb5_klog_syslog(LOG_INFO,
+ "TGS_REQ: issuing alternate TGT");
+ } else {
++ limit_string(sname);
+ krb5_klog_syslog(LOG_INFO,
+ "TGS_REQ: issuing TGT %s", sname);
+ free(sname);
+diff -urN krb5-1.5.2.orig/src/kdc/kdc_util.c krb5-1.5.2/src/kdc/kdc_util.c
+--- krb5-1.5.2.orig/src/kdc/kdc_util.c 2004-02-12 23:20:56.000000000 -0500
++++ krb5-1.5.2/src/kdc/kdc_util.c 2007-03-28 19:16:51.000000000 -0400
+@@ -404,6 +404,7 @@
+ 
+ krb5_db_free_principal(kdc_context, &server, nprincs);
+ if (!krb5_unparse_name(kdc_context, ticket->server, &sname)) {
++ limit_string(sname);
+ krb5_klog_syslog(LOG_ERR,"TGS_REQ: UNKNOWN SERVER: server='%s'",
+ sname);
+ free(sname);
+diff -urN krb5-1.5.2.orig/src/lib/kadm5/logger.c krb5-1.5.2/src/lib/kadm5/logger.c
+--- krb5-1.5.2.orig/src/lib/kadm5/logger.c 
2006-05-31 23:18:19.000000000 -0400
++++ krb5-1.5.2/src/lib/kadm5/logger.c 2007-03-28 19:20:15.000000000 -0400
+@@ -45,7 +45,7 @@
+ #include
+ #endif /* HAVE_STDARG_H */
+ 
+-#define KRB5_KLOG_MAX_ERRMSG_SIZE 1024
++#define KRB5_KLOG_MAX_ERRMSG_SIZE 2048
+ #ifndef MAXHOSTNAMELEN
+ #define MAXHOSTNAMELEN 256
+ #endif /* MAXHOSTNAMELEN */
+@@ -261,7 +261,9 @@
+ #endif /* HAVE_SYSLOG */
+ 
+ /* Now format the actual message */
+-#if HAVE_VSPRINTF
++#if HAVE_VSNPRINTF
++ vsnprintf(cp, sizeof(outbuf) - (cp - outbuf), actual_format, ap);
++#elif HAVE_VSPRINTF
+ vsprintf(cp, actual_format, ap);
+ #else /* HAVE_VSPRINTF */
+ sprintf(cp, actual_format, ((int *) ap)[0], ((int *) ap)[1],
+@@ -850,7 +852,9 @@
+ syslogp = &outbuf[strlen(outbuf)];
+ 
+ /* Now format the actual message */
+-#ifdef HAVE_VSPRINTF
++#ifdef HAVE_VSNPRINTF
++ vsnprintf(syslogp, sizeof(outbuf) - (syslogp - outbuf), format, arglist);
++#elif HAVE_VSPRINTF
+ vsprintf(syslogp, format, arglist);
+ #else /* HAVE_VSPRINTF */
+ sprintf(syslogp, format, ((int *) arglist)[0], ((int *) arglist)[1],
diff --git a/app-crypt/mit-krb5/files/mit-krb5-SA-2007-003.patch b/app-crypt/mit-krb5/files/mit-krb5-SA-2007-003.patch
new file mode 100644
index 000000000000..756a35073a91
--- /dev/null
+++ b/app-crypt/mit-krb5/files/mit-krb5-SA-2007-003.patch
@@ -0,0 +1,16 @@
+diff -urN krb5-1.5.2.old/src/lib/gssapi/krb5/k5unseal.c krb5-1.5.2/src/lib/gssapi/krb5/k5unseal.c
+--- krb5-1.5.2.old/src/lib/gssapi/krb5/k5unseal.c 2006-05-09 07:31:02.000000000 -0400
++++ krb5-1.5.2/src/lib/gssapi/krb5/k5unseal.c 2007-03-28 21:13:44.000000000 -0400
+@@ -457,8 +457,11 @@
+ 
+ if ((ctx->initiate && direction != 0xff) ||
+ (!ctx->initiate && direction != 0)) {
+- if (toktype == KG_TOK_SEAL_MSG)
++ if (toktype == KG_TOK_SEAL_MSG) {
+ xfree(token.value);
++ message_buffer->value = NULL;
++ message_buffer->length = 0;
++ }
+ *minor_status = G_BAD_DIRECTION;
+ return(GSS_S_BAD_SIG);
+ }
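Review bot: The added `message_buffer->value = NULL; message_buffer->length = 0;` after `xfree(token.value)` only makes sense if `message_buffer->value` aliases `token.value`, and that assignment is outside the 16-line hunk, so nothing in the patch file records the invariant the fix depends on. A one-line comment above the free, `/* message_buffer->value aliases token.value; clear it so the caller cannot release it a second time */`, would keep the next rebase from "simplifying" the reset away. The hunk covers only the bad-direction early return; if the enclosing function has other error exits that free `token.value` the same way, they presumably need the same reset, which is worth confirming against the full file. The patch file also carries no prefatory line naming the advisory it implements (the file name is the only hint), so a header such as `MITKRB5-SA-2007-003: clear message_buffer after freeing token.value on bad direction` before the `diff -urN` line would help future maintenance.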
diff --git a/app-crypt/mit-krb5/mit-krb5-1.5.2-r1.ebuild b/app-crypt/mit-krb5/mit-krb5-1.5.2-r1.ebuild
new file mode 100644
index 000000000000..5c6f905dc733
--- /dev/null
+++ b/app-crypt/mit-krb5/mit-krb5-1.5.2-r1.ebuild
@@ -0,0 +1,100 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-crypt/mit-krb5/mit-krb5-1.5.2-r1.ebuild,v 1.1 2007/04/03 20:19:13 seemant Exp $
+
+inherit eutils flag-o-matic versionator autotools
+
+MY_P=${P/mit-}
+P_DIR=$(get_version_component_range 1-2)
+S=${WORKDIR}/${MY_P}/src
+DESCRIPTION="MIT Kerberos V"
+HOMEPAGE="http://web.mit.edu/kerberos/www/"
+SRC_URI="http://web.mit.edu/kerberos/dist/krb5/${P_DIR}/${MY_P}-signed.tar"
+
+LICENSE="as-is"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ia64 m68k ~mips ppc ppc64 s390 sh sparc x86"
+IUSE="krb4 tcl ipv6 doc"
+
+RDEPEND="!virtual/krb5
+ sys-libs/com_err
+ sys-libs/ss
+ tcl? ( dev-lang/tcl )"
+DEPEND="${RDEPEND}
+ doc? ( virtual/tetex )"
+PROVIDE="virtual/krb5"
+
+src_unpack() {
+ unpack ${MY_P}-signed.tar
+ unpack ./${MY_P}.tar.gz
+ cd "${S}"
+ epatch "${FILESDIR}"/${PN}-lazyldflags.patch
+ epatch "${FILESDIR}"/${PN}-SA-2007-001-telnetd.patch
+ epatch "${FILESDIR}"/${PN}-SA-2007-002-syslog.patch
+ epatch "${FILESDIR}"/${PN}-SA-2007-003.patch
+ ebegin "Reconfiguring configure scripts (be patient)"
+ cd "${S}"/appl/telnet
+ eautoconf --force -I "${S}"
+ eend $?
+}
+
+src_compile() {
+ econf \
+ $(use_with krb4) \
+ $(use_with tcl) \
+ $(use_enable ipv6) \
+ --enable-shared \
+ --with-system-et --with-system-ss \
+ --enable-dns-for-realm || die
+
+ emake -j1 || die
+
+ if use doc ; then
+ cd ../doc
+ for dir in api implement ; do
+ make -C ${dir} || die
+ done
+ fi
+}
+
+src_test() {
+ einfo "Testing is being debugged, disabled for now"
+}
+
+src_install() {
+ emake \
+ DESTDIR="${D}" \
+ EXAMPLEDIR=/usr/share/doc/${PF}/examples \
+ install || die
+
+ keepdir /var/lib/krb5kdc
+
+ cd ..
+ dodoc README
+ dodoc doc/*.ps
+ doinfo doc/*.info*
+ dohtml -r doc/*
+
+ use doc && dodoc doc/{api,implement}/*.ps
+
+ for i in {telnetd,ftpd} ; do
+ mv "${D}"/usr/share/man/man8/${i}.8 "${D}"/usr/share/man/man8/k${i}.8
+ mv "${D}"/usr/sbin/${i} "${D}"/usr/sbin/k${i}
+ done
+
+ for i in {rcp,rlogin,rsh,telnet,ftp} ; do
+ mv "${D}"/usr/share/man/man1/${i}.1 "${D}"/usr/share/man/man1/k${i}.1
+ mv "${D}"/usr/bin/${i} "${D}"/usr/bin/k${i}
+ done
+
+ newinitd "${FILESDIR}"/mit-krb5kadmind.initd mit-krb5kadmind
+ newinitd "${FILESDIR}"/mit-krb5kdc.initd mit-krb5kdc
+
+ insinto /etc
+ newins ${D}/usr/share/doc/${PF}/examples/krb5.conf krb5.conf.example
+ newins ${D}/usr/share/doc/${PF}/examples/kdc.conf kdc.conf.example
+}
+
+pkg_postinst() {
+ elog "See /usr/share/doc/${PF}/html/krb5-admin/index.html for documentation."
+}
-- 
2.26.2
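Review bot: `keepdir /var/lib/krb5kdc` in src_install creates the KDC database directory with the helper's default mode and nothing afterwards tightens it, yet this is where the principal database and the stash file will be written; following it with `fperms 0700 /var/lib/krb5kdc` keeps the directory from being listable by other local users regardless of how the database is created later. The two `newins ${D}/usr/share/doc/${PF}/examples/...` lines leave `${D}` unquoted while every other use in the function writes `"${D}"`, and the `mv` calls in the two rename loops carry no `|| die`, so a missing binary or man page would be skipped silently instead of failing the merge. The `eautoconf --force -I "${S}"` in src_unpack is run only for `appl/telnet`, presumably because the SA-2007-001 telnetd patch touches that subtree's configure input; a comment saying so, `# telnetd patch changes appl/telnet's configure sources; regenerate only there`, would save the next maintainer from wondering whether the rest of the tree needs it too.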