head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.8 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.6 pkgsrc-2012Q4-base:1.2 pkgsrc-2011Q4:1.2.0.4 pkgsrc-2011Q4-base:1.2 pkgsrc-2011Q2:1.2.0.2 pkgsrc-2011Q2-base:1.2 pkgsrc-2010Q4:1.1.0.28 pkgsrc-2010Q4-base:1.1 pkgsrc-2010Q3:1.1.0.26 pkgsrc-2010Q3-base:1.1 pkgsrc-2010Q2:1.1.0.24 pkgsrc-2010Q2-base:1.1 pkgsrc-2010Q1:1.1.0.22 pkgsrc-2010Q1-base:1.1 pkgsrc-2009Q4:1.1.0.20 pkgsrc-2009Q4-base:1.1 pkgsrc-2009Q3:1.1.0.18 pkgsrc-2009Q3-base:1.1 pkgsrc-2009Q2:1.1.0.16 pkgsrc-2009Q2-base:1.1 pkgsrc-2009Q1:1.1.0.14 pkgsrc-2009Q1-base:1.1 pkgsrc-2008Q4:1.1.0.12 pkgsrc-2008Q4-base:1.1 pkgsrc-2008Q3:1.1.0.10 pkgsrc-2008Q3-base:1.1 cube-native-xorg:1.1.0.8 cube-native-xorg-base:1.1 pkgsrc-2008Q2:1.1.0.6 pkgsrc-2008Q2-base:1.1 cwrapper:1.1.0.4 pkgsrc-2008Q1:1.1.0.2; locks; strict; comment @# @; 1.2 date 2011.03.22.23.31.04; author tez; state dead; branches; next 1.1; 1.1 date 2008.06.07.23.58.11; author tonnerre; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2008.06.07.23.58.11; author tron; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2008.06.08.12.00.23; author tron; state Exp; branches; next ; desc @@ 1.2 log @Update MIT Kerberos to v1.8.3 with the latest security patches up to and including MITKRB5-SA-2011-003. Please see http://web.mit.edu/kerberos/ for the change logs since v1.4.2 Note that the r-services, telnetd and ftpd services and the related client applications are now in a separate pacakge security/mit-krb5-appl. @ text @$NetBSD: patch-bk,v 1.1 2008/06/07 23:58:11 tonnerre Exp $ --- kdc/kerberos_v4.c.orig 2004-07-24 02:40:18.000000000 +0200 +++ kdc/kerberos_v4.c @@@@ -86,11 +86,6 @@@@ extern int krbONE; #define MSB_FIRST 0 /* 68000, IBM RT/PC */ #define LSB_FIRST 1 /* Vax, PC8086 */ -int f; - -/* XXX several files in libkdb know about this */ -char *progname; - #ifndef BACKWARD_COMPAT static Key_schedule master_key_schedule; static C_Block master_key; @@@@ -142,10 +137,8 @@@@ static void hang(void); #include "com_err.h" #include "extern.h" /* to pick up master_princ */ -static krb5_data *response; - -void kerberos_v4 (struct sockaddr_in *, KTEXT); -void kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *); +static krb5_data *kerberos_v4 (struct sockaddr_in *, KTEXT); +static krb5_data *kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *); static int set_tgtkey (char *, krb5_kvno, krb5_boolean); /* Attributes converted from V5 to V4 - internal representation */ @@@@ -261,12 +254,12 @@@@ process_v4(const krb5_data *pkt, const k (void) klog(L_KRB_PERR, "V4 request too long."); return KRB5KRB_ERR_FIELD_TOOLONG; } + memset( &v4_pkt, 0, sizeof(v4_pkt)); v4_pkt.length = pkt->length; v4_pkt.mbz = 0; memcpy( v4_pkt.dat, pkt->data, pkt->length); - kerberos_v4( &client_sockaddr, &v4_pkt); - *resp = response; + *resp = kerberos_v4( &client_sockaddr, &v4_pkt); return(retval); } @@@@ -299,19 +292,20 @@@@ char * v4_klog( int type, const char *fo } static -int krb4_sendto(int s, const char *msg, int len, int flags, - const struct sockaddr *to, int to_len) +krb5_data *make_response(const char *msg, int len) { + krb5_data *response; + if ( !(response = (krb5_data *) malloc( sizeof *response))) { - return ENOMEM; + return 0; } if ( !(response->data = (char *) malloc( len))) { krb5_free_data(kdc_context, response); - return ENOMEM; + return 0; } response->length = len; memcpy( response->data, msg, len); - return( 0); + return response; } static void hang(void) @@@@ -590,7 +584,7 @@@@ static void str_length_check(char *str, *cp = 0; } -void +static krb5_data * kerberos_v4(struct sockaddr_in *client, KTEXT pkt) { static KTEXT_ST rpkt_st; @@@@ -603,7 +597,7 @@@@ kerberos_v4(struct sockaddr_in *client, KTEXT auth = &auth_st; AUTH_DAT ad_st; AUTH_DAT *ad = &ad_st; - + krb5_data *response = 0; static struct in_addr client_host; static int msg_byte_order; @@@@ -641,8 +635,7 @@@@ kerberos_v4(struct sockaddr_in *client, inet_ntoa(client_host)); /* send an error reply */ req_name_ptr = req_inst_ptr = req_realm_ptr = ""; - kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); - return; + return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); } /* check packet version */ @@@@ -652,8 +645,7 @@@@ kerberos_v4(struct sockaddr_in *client, KRB_PROT_VERSION, req_version, 0); /* send an error reply */ req_name_ptr = req_inst_ptr = req_realm_ptr = ""; - kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); - return; + return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); } msg_byte_order = req_msg_type & 1; @@@@ -711,10 +703,10 @@@@ kerberos_v4(struct sockaddr_in *client, if ((i = check_princ(req_name_ptr, req_inst_ptr, 0, &a_name_data, &k5key, 0, &ck5life))) { - kerb_err_reply(client, pkt, i, "check_princ failed"); + response = kerb_err_reply(client, pkt, i, "check_princ failed"); a_name_data.key_low = a_name_data.key_high = 0; krb5_free_keyblock_contents(kdc_context, &k5key); - return; + return response; } /* don't use k5key for client */ krb5_free_keyblock_contents(kdc_context, &k5key); @@@@ -726,11 +718,11 @@@@ kerberos_v4(struct sockaddr_in *client, /* this does all the checking */ if ((i = check_princ(service, instance, lifetime, &s_name_data, &k5key, 1, &sk5life))) { - kerb_err_reply(client, pkt, i, "check_princ failed"); + response = kerb_err_reply(client, pkt, i, "check_princ failed"); a_name_data.key_high = a_name_data.key_low = 0; s_name_data.key_high = s_name_data.key_low = 0; krb5_free_keyblock_contents(kdc_context, &k5key); - return; + return response; } /* Bound requested lifetime with service and user */ v4req_end = krb_life_to_time(kerb_time.tv_sec, req_life); @@@@ -801,8 +793,7 @@@@ kerberos_v4(struct sockaddr_in *client, rpkt = create_auth_reply(req_name_ptr, req_inst_ptr, req_realm_ptr, req_time_ws, 0, a_name_data.exp_date, a_name_data.key_version, ciph); - krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0, - (struct sockaddr *) client, S_AD_SZ); + response = make_response((char *) rpkt->dat, rpkt->length); memset(&a_name_data, 0, sizeof(a_name_data)); memset(&s_name_data, 0, sizeof(s_name_data)); break; @@@@ -828,9 +819,8 @@@@ kerberos_v4(struct sockaddr_in *client, lt = klog(L_KRB_PERR, "APPL request with realm length too long from %s", inet_ntoa(client_host)); - kerb_err_reply(client, pkt, RD_AP_INCON, - "realm length too long"); - return; + return kerb_err_reply(client, pkt, RD_AP_INCON, + "realm length too long"); } auth->length += (int) *(pkt->dat + auth->length) + @@@@ -839,9 +829,8 @@@@ kerberos_v4(struct sockaddr_in *client, lt = klog(L_KRB_PERR, "APPL request with funky tkt or req_id length from %s", inet_ntoa(client_host)); - kerb_err_reply(client, pkt, RD_AP_INCON, - "funky tkt or req_id length"); - return; + return kerb_err_reply(client, pkt, RD_AP_INCON, + "funky tkt or req_id length"); } memcpy(auth->dat, pkt->dat, auth->length); @@@@ -852,18 +841,16 @@@@ kerberos_v4(struct sockaddr_in *client, if ((!allow_v4_crossrealm)&&strcmp(tktrlm, local_realm) != 0) { lt = klog(L_ERR_UNK, "Cross realm ticket from %s denied by policy,", tktrlm); - kerb_err_reply(client, pkt, - KERB_ERR_PRINCIPAL_UNKNOWN, lt); - return; + return kerb_err_reply(client, pkt, + KERB_ERR_PRINCIPAL_UNKNOWN, lt); } if (set_tgtkey(tktrlm, kvno, 0)) { - lt = klog(L_ERR_UNK, + lt = klog(L_ERR_UNK, "FAILED set_tgtkey realm %s, kvno %d. Host: %s ", tktrlm, kvno, inet_ntoa(client_host)); /* no better error code */ - kerb_err_reply(client, pkt, - KERB_ERR_PRINCIPAL_UNKNOWN, lt); - return; + return kerb_err_reply(client, pkt, + KERB_ERR_PRINCIPAL_UNKNOWN, lt); } kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr, ad, 0); @@@@ -873,9 +860,8 @@@@ kerberos_v4(struct sockaddr_in *client, "FAILED 3des set_tgtkey realm %s, kvno %d. Host: %s ", tktrlm, kvno, inet_ntoa(client_host)); /* no better error code */ - kerb_err_reply(client, pkt, - KERB_ERR_PRINCIPAL_UNKNOWN, lt); - return; + return kerb_err_reply(client, pkt, + KERB_ERR_PRINCIPAL_UNKNOWN, lt); } kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr, ad, 0); @@@@ -885,8 +871,7 @@@@ kerberos_v4(struct sockaddr_in *client, klog(L_ERR_UNK, "FAILED krb_rd_req from %s: %s", inet_ntoa(client_host), krb_get_err_text(kerno)); req_name_ptr = req_inst_ptr = req_realm_ptr = ""; - kerb_err_reply(client, pkt, kerno, "krb_rd_req failed"); - return; + return kerb_err_reply(client, pkt, kerno, "krb_rd_req failed"); } ptr = (char *) pkt->dat + auth->length; @@@@ -908,22 +893,20 @@@@ kerberos_v4(struct sockaddr_in *client, req_realm_ptr = ad->prealm; if (strcmp(ad->prealm, tktrlm)) { - kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, - "Can't hop realms"); - return; + return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, + "Can't hop realms"); } if (!strcmp(service, "changepw")) { - kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, - "Can't authorize password changed based on TGT"); - return; + return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, + "Can't authorize password changed based on TGT"); } kerno = check_princ(service, instance, req_life, &s_name_data, &k5key, 1, &sk5life); if (kerno) { - kerb_err_reply(client, pkt, kerno, "check_princ failed"); + response = kerb_err_reply(client, pkt, kerno, "check_princ failed"); s_name_data.key_high = s_name_data.key_low = 0; krb5_free_keyblock_contents(kdc_context, &k5key); - return; + return response; } /* Bound requested lifetime with service and user */ v4endtime = krb_life_to_time((KRB4_32)ad->time_sec, ad->life); @@@@ -979,8 +962,7 @@@@ kerberos_v4(struct sockaddr_in *client, rpkt = create_auth_reply(ad->pname, ad->pinst, ad->prealm, time_ws, 0, 0, 0, ciph); - krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0, - (struct sockaddr *) client, S_AD_SZ); + response = make_response((char *) rpkt->dat, rpkt->length); memset(&s_name_data, 0, sizeof(s_name_data)); break; } @@@@ -1005,6 +987,8 @@@@ kerberos_v4(struct sockaddr_in *client, break; } } + + return response; } @@@@ -1014,7 +998,7 @@@@ kerberos_v4(struct sockaddr_in *client, * client. */ -void +static krb5_data * kerb_err_reply(struct sockaddr_in *client, KTEXT pkt, long int err, char *string) { static KTEXT_ST e_pkt_st; @@@@ -1025,9 +1009,7 @@@@ kerb_err_reply(struct sockaddr_in *clien strncat(e_msg, string, sizeof(e_msg) - 1 - 19); cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr, req_time_ws, err, e_msg); - krb4_sendto(f, (char *) e_pkt->dat, e_pkt->length, 0, - (struct sockaddr *) client, S_AD_SZ); - + return make_response((char *) e_pkt->dat, e_pkt->length); } static int @ 1.1 log @Add more patches, now for MITKRB5-SA-2007-006, MITKRB5-SA-2008-001 and MITKRB5-SA-2008-002. Bump PKGREVISION now finally. @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-bk was added on branch pkgsrc-2008Q1 on 2008-06-08 12:00:23 +0000 @ text @d1 283 @ 1.1.2.2 log @Pullup ticket #2417 - requested by tonnerre Security patches for mit-krb5 Revisions pulled up: - security/mit-krb5/Makefile 1.43 - security/mit-krb5/distinfo 1.20 - security/mit-krb5/patches/patch-at 1.2 - security/mit-krb5/patches/patch-bh 1.1 - security/mit-krb5/patches/patch-bi 1.1 - security/mit-krb5/patches/patch-bj 1.1 - security/mit-krb5/patches/patch-bk 1.1 - security/mit-krb5/patches/patch-bl 1.1 --- Module Name: pkgsrc Committed By: tonnerre Date: Sat Jun 7 23:58:11 UTC 2008 Modified Files: pkgsrc/security/mit-krb5: Makefile distinfo pkgsrc/security/mit-krb5/patches: patch-at Added Files: pkgsrc/security/mit-krb5/patches: patch-bh patch-bi patch-bj patch-bk patch-bl Log Message: Add more patches, now for MITKRB5-SA-2007-006, MITKRB5-SA-2008-001 and MITKRB5-SA-2008-002. Bump PKGREVISION now finally. @ text @a0 283 $NetBSD: patch-bk,v 1.1 2008/06/07 23:58:11 tonnerre Exp $ --- kdc/kerberos_v4.c.orig 2004-07-24 02:40:18.000000000 +0200 +++ kdc/kerberos_v4.c @@@@ -86,11 +86,6 @@@@ extern int krbONE; #define MSB_FIRST 0 /* 68000, IBM RT/PC */ #define LSB_FIRST 1 /* Vax, PC8086 */ -int f; - -/* XXX several files in libkdb know about this */ -char *progname; - #ifndef BACKWARD_COMPAT static Key_schedule master_key_schedule; static C_Block master_key; @@@@ -142,10 +137,8 @@@@ static void hang(void); #include "com_err.h" #include "extern.h" /* to pick up master_princ */ -static krb5_data *response; - -void kerberos_v4 (struct sockaddr_in *, KTEXT); -void kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *); +static krb5_data *kerberos_v4 (struct sockaddr_in *, KTEXT); +static krb5_data *kerb_err_reply (struct sockaddr_in *, KTEXT, long, char *); static int set_tgtkey (char *, krb5_kvno, krb5_boolean); /* Attributes converted from V5 to V4 - internal representation */ @@@@ -261,12 +254,12 @@@@ process_v4(const krb5_data *pkt, const k (void) klog(L_KRB_PERR, "V4 request too long."); return KRB5KRB_ERR_FIELD_TOOLONG; } + memset( &v4_pkt, 0, sizeof(v4_pkt)); v4_pkt.length = pkt->length; v4_pkt.mbz = 0; memcpy( v4_pkt.dat, pkt->data, pkt->length); - kerberos_v4( &client_sockaddr, &v4_pkt); - *resp = response; + *resp = kerberos_v4( &client_sockaddr, &v4_pkt); return(retval); } @@@@ -299,19 +292,20 @@@@ char * v4_klog( int type, const char *fo } static -int krb4_sendto(int s, const char *msg, int len, int flags, - const struct sockaddr *to, int to_len) +krb5_data *make_response(const char *msg, int len) { + krb5_data *response; + if ( !(response = (krb5_data *) malloc( sizeof *response))) { - return ENOMEM; + return 0; } if ( !(response->data = (char *) malloc( len))) { krb5_free_data(kdc_context, response); - return ENOMEM; + return 0; } response->length = len; memcpy( response->data, msg, len); - return( 0); + return response; } static void hang(void) @@@@ -590,7 +584,7 @@@@ static void str_length_check(char *str, *cp = 0; } -void +static krb5_data * kerberos_v4(struct sockaddr_in *client, KTEXT pkt) { static KTEXT_ST rpkt_st; @@@@ -603,7 +597,7 @@@@ kerberos_v4(struct sockaddr_in *client, KTEXT auth = &auth_st; AUTH_DAT ad_st; AUTH_DAT *ad = &ad_st; - + krb5_data *response = 0; static struct in_addr client_host; static int msg_byte_order; @@@@ -641,8 +635,7 @@@@ kerberos_v4(struct sockaddr_in *client, inet_ntoa(client_host)); /* send an error reply */ req_name_ptr = req_inst_ptr = req_realm_ptr = ""; - kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); - return; + return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); } /* check packet version */ @@@@ -652,8 +645,7 @@@@ kerberos_v4(struct sockaddr_in *client, KRB_PROT_VERSION, req_version, 0); /* send an error reply */ req_name_ptr = req_inst_ptr = req_realm_ptr = ""; - kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); - return; + return kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt); } msg_byte_order = req_msg_type & 1; @@@@ -711,10 +703,10 @@@@ kerberos_v4(struct sockaddr_in *client, if ((i = check_princ(req_name_ptr, req_inst_ptr, 0, &a_name_data, &k5key, 0, &ck5life))) { - kerb_err_reply(client, pkt, i, "check_princ failed"); + response = kerb_err_reply(client, pkt, i, "check_princ failed"); a_name_data.key_low = a_name_data.key_high = 0; krb5_free_keyblock_contents(kdc_context, &k5key); - return; + return response; } /* don't use k5key for client */ krb5_free_keyblock_contents(kdc_context, &k5key); @@@@ -726,11 +718,11 @@@@ kerberos_v4(struct sockaddr_in *client, /* this does all the checking */ if ((i = check_princ(service, instance, lifetime, &s_name_data, &k5key, 1, &sk5life))) { - kerb_err_reply(client, pkt, i, "check_princ failed"); + response = kerb_err_reply(client, pkt, i, "check_princ failed"); a_name_data.key_high = a_name_data.key_low = 0; s_name_data.key_high = s_name_data.key_low = 0; krb5_free_keyblock_contents(kdc_context, &k5key); - return; + return response; } /* Bound requested lifetime with service and user */ v4req_end = krb_life_to_time(kerb_time.tv_sec, req_life); @@@@ -801,8 +793,7 @@@@ kerberos_v4(struct sockaddr_in *client, rpkt = create_auth_reply(req_name_ptr, req_inst_ptr, req_realm_ptr, req_time_ws, 0, a_name_data.exp_date, a_name_data.key_version, ciph); - krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0, - (struct sockaddr *) client, S_AD_SZ); + response = make_response((char *) rpkt->dat, rpkt->length); memset(&a_name_data, 0, sizeof(a_name_data)); memset(&s_name_data, 0, sizeof(s_name_data)); break; @@@@ -828,9 +819,8 @@@@ kerberos_v4(struct sockaddr_in *client, lt = klog(L_KRB_PERR, "APPL request with realm length too long from %s", inet_ntoa(client_host)); - kerb_err_reply(client, pkt, RD_AP_INCON, - "realm length too long"); - return; + return kerb_err_reply(client, pkt, RD_AP_INCON, + "realm length too long"); } auth->length += (int) *(pkt->dat + auth->length) + @@@@ -839,9 +829,8 @@@@ kerberos_v4(struct sockaddr_in *client, lt = klog(L_KRB_PERR, "APPL request with funky tkt or req_id length from %s", inet_ntoa(client_host)); - kerb_err_reply(client, pkt, RD_AP_INCON, - "funky tkt or req_id length"); - return; + return kerb_err_reply(client, pkt, RD_AP_INCON, + "funky tkt or req_id length"); } memcpy(auth->dat, pkt->dat, auth->length); @@@@ -852,18 +841,16 @@@@ kerberos_v4(struct sockaddr_in *client, if ((!allow_v4_crossrealm)&&strcmp(tktrlm, local_realm) != 0) { lt = klog(L_ERR_UNK, "Cross realm ticket from %s denied by policy,", tktrlm); - kerb_err_reply(client, pkt, - KERB_ERR_PRINCIPAL_UNKNOWN, lt); - return; + return kerb_err_reply(client, pkt, + KERB_ERR_PRINCIPAL_UNKNOWN, lt); } if (set_tgtkey(tktrlm, kvno, 0)) { - lt = klog(L_ERR_UNK, + lt = klog(L_ERR_UNK, "FAILED set_tgtkey realm %s, kvno %d. Host: %s ", tktrlm, kvno, inet_ntoa(client_host)); /* no better error code */ - kerb_err_reply(client, pkt, - KERB_ERR_PRINCIPAL_UNKNOWN, lt); - return; + return kerb_err_reply(client, pkt, + KERB_ERR_PRINCIPAL_UNKNOWN, lt); } kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr, ad, 0); @@@@ -873,9 +860,8 @@@@ kerberos_v4(struct sockaddr_in *client, "FAILED 3des set_tgtkey realm %s, kvno %d. Host: %s ", tktrlm, kvno, inet_ntoa(client_host)); /* no better error code */ - kerb_err_reply(client, pkt, - KERB_ERR_PRINCIPAL_UNKNOWN, lt); - return; + return kerb_err_reply(client, pkt, + KERB_ERR_PRINCIPAL_UNKNOWN, lt); } kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr, ad, 0); @@@@ -885,8 +871,7 @@@@ kerberos_v4(struct sockaddr_in *client, klog(L_ERR_UNK, "FAILED krb_rd_req from %s: %s", inet_ntoa(client_host), krb_get_err_text(kerno)); req_name_ptr = req_inst_ptr = req_realm_ptr = ""; - kerb_err_reply(client, pkt, kerno, "krb_rd_req failed"); - return; + return kerb_err_reply(client, pkt, kerno, "krb_rd_req failed"); } ptr = (char *) pkt->dat + auth->length; @@@@ -908,22 +893,20 @@@@ kerberos_v4(struct sockaddr_in *client, req_realm_ptr = ad->prealm; if (strcmp(ad->prealm, tktrlm)) { - kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, - "Can't hop realms"); - return; + return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, + "Can't hop realms"); } if (!strcmp(service, "changepw")) { - kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, - "Can't authorize password changed based on TGT"); - return; + return kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN, + "Can't authorize password changed based on TGT"); } kerno = check_princ(service, instance, req_life, &s_name_data, &k5key, 1, &sk5life); if (kerno) { - kerb_err_reply(client, pkt, kerno, "check_princ failed"); + response = kerb_err_reply(client, pkt, kerno, "check_princ failed"); s_name_data.key_high = s_name_data.key_low = 0; krb5_free_keyblock_contents(kdc_context, &k5key); - return; + return response; } /* Bound requested lifetime with service and user */ v4endtime = krb_life_to_time((KRB4_32)ad->time_sec, ad->life); @@@@ -979,8 +962,7 @@@@ kerberos_v4(struct sockaddr_in *client, rpkt = create_auth_reply(ad->pname, ad->pinst, ad->prealm, time_ws, 0, 0, 0, ciph); - krb4_sendto(f, (char *) rpkt->dat, rpkt->length, 0, - (struct sockaddr *) client, S_AD_SZ); + response = make_response((char *) rpkt->dat, rpkt->length); memset(&s_name_data, 0, sizeof(s_name_data)); break; } @@@@ -1005,6 +987,8 @@@@ kerberos_v4(struct sockaddr_in *client, break; } } + + return response; } @@@@ -1014,7 +998,7 @@@@ kerberos_v4(struct sockaddr_in *client, * client. */ -void +static krb5_data * kerb_err_reply(struct sockaddr_in *client, KTEXT pkt, long int err, char *string) { static KTEXT_ST e_pkt_st; @@@@ -1025,9 +1009,7 @@@@ kerb_err_reply(struct sockaddr_in *clien strncat(e_msg, string, sizeof(e_msg) - 1 - 19); cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr, req_time_ws, err, e_msg); - krb4_sendto(f, (char *) e_pkt->dat, e_pkt->length, 0, - (struct sockaddr *) client, S_AD_SZ); - + return make_response((char *) e_pkt->dat, e_pkt->length); } static int @