
D52100.1777040060.diff
diff --git a/crypto/krb5/README b/crypto/krb5/README
--- a/crypto/krb5/README
+++ b/crypto/krb5/README
@@ -97,6 +97,18 @@
Beginning with the krb5-1.18 release, all support for single-DES
encryption types has been removed.
+Major changes in 1.22.1 (2025-08-20)
+------------------------------------
+
+This is a bug fix release.
+
+* Fix a vulnerability in GSS MIC verification [CVE-2025-57736].
+
+krb5-1.22.1 changes by ticket ID
+--------------------------------
+
+9181 verify_mic_v3 broken in 1.22
+
Major changes in 1.22 (2025-08-05)
----------------------------------
@@ -383,6 +395,7 @@
Roland Dowdeswell
Ken Dreyer
Dorian Ducournau
+ Francis Dupont
Viktor Dukhovni
Jason Edgecombe
Mark Eichin
diff --git a/crypto/krb5/src/configure b/crypto/krb5/src/configure
--- a/crypto/krb5/src/configure
+++ b/crypto/krb5/src/configure
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.71 for Kerberos 5 1.22-final.
+# Generated by GNU Autoconf 2.71 for Kerberos 5 1.22.1.
#
# Report bugs to <krb5-bugs@mit.edu>.
#
@@ -615,8 +615,8 @@
# Identity of this package.
PACKAGE_NAME='Kerberos 5'
PACKAGE_TARNAME='krb5'
-PACKAGE_VERSION='1.22-final'
-PACKAGE_STRING='Kerberos 5 1.22-final'
+PACKAGE_VERSION='1.22.1'
+PACKAGE_STRING='Kerberos 5 1.22.1'
PACKAGE_BUGREPORT='krb5-bugs@mit.edu'
PACKAGE_URL=''
@@ -1506,7 +1506,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures Kerberos 5 1.22-final to adapt to many kinds of systems.
+\`configure' configures Kerberos 5 1.22.1 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1577,7 +1577,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of Kerberos 5 1.22-final:";;
+ short | recursive ) echo "Configuration of Kerberos 5 1.22.1:";;
esac
cat <<\_ACEOF
@@ -1739,7 +1739,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-Kerberos 5 configure 1.22-final
+Kerberos 5 configure 1.22.1
generated by GNU Autoconf 2.71
Copyright (C) 2021 Free Software Foundation, Inc.
@@ -2439,7 +2439,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by Kerberos 5 $as_me 1.22-final, which was
+It was created by Kerberos 5 $as_me 1.22.1, which was
generated by GNU Autoconf 2.71. Invocation command line was
$ $0$ac_configure_args_raw
@@ -8159,7 +8159,7 @@
-KRB5_VERSION=1.22-final
+KRB5_VERSION=1.22.1
@@ -15366,7 +15366,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by Kerberos 5 $as_me 1.22-final, which was
+This file was extended by Kerberos 5 $as_me 1.22.1, which was
generated by GNU Autoconf 2.71. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -15430,7 +15430,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config='$ac_cs_config_escaped'
ac_cs_version="\\
-Kerberos 5 config.status 1.22-final
+Kerberos 5 config.status 1.22.1
configured by $0, generated by GNU Autoconf 2.71,
with options \\"\$ac_cs_config\\"
diff --git a/crypto/krb5/src/lib/gssapi/generic/util_token.c b/crypto/krb5/src/lib/gssapi/generic/util_token.c
--- a/crypto/krb5/src/lib/gssapi/generic/util_token.c
+++ b/crypto/krb5/src/lib/gssapi/generic/util_token.c
@@ -107,9 +107,8 @@
gss_OID_desc mech;
size_t tlen, orig_len = in->len;
- if (!g_get_token_header(in, &mech, &tlen) || tlen != orig_len)
- return 0;
- if (!g_OID_equal(&mech, expected_mech)) {
+ if (!g_get_token_header(in, &mech, &tlen) || tlen != orig_len ||
+ !g_OID_equal(&mech, expected_mech)) {
*in = orig;
return 0;
}
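Review bot: The merged condition now restores `*in` on every failure path, but nothing in the hunk records that callers depend on this. The removed code returned 0 right after `g_get_token_header()` had run without resetting `*in`, so a caller that falls back to parsing the token without the wrapper would presumably have continued from a partly consumed input. I would add a comment above the check, for example `/* On any failure, restore *in so the caller sees the original, unconsumed token. */`. The declaration of `orig` and the rest of the function lie outside the hunk.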
diff --git a/crypto/krb5/src/lib/gssapi/krb5/unwrap.c b/crypto/krb5/src/lib/gssapi/krb5/unwrap.c
--- a/crypto/krb5/src/lib/gssapi/krb5/unwrap.c
+++ b/crypto/krb5/src/lib/gssapi/krb5/unwrap.c
@@ -228,7 +228,7 @@
ret = krb5_k_decrypt(context, key, usage, NULL, &cipher, &plain);
if (ret) {
*minor_status = ret;
- major = GSS_S_FAILURE;
+ major = GSS_S_BAD_SIG;
goto cleanup;
}
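Review bot: Every `krb5_k_decrypt()` failure is now reported as `GSS_S_BAD_SIG`, including ones that are not integrity failures, such as an allocation error. Only `*minor_status` still tells the two apart. If the blanket mapping is intentional, so that a tampered token never surfaces as a generic failure, say so next to the assignment: `/* Treat any decrypt failure as an integrity failure; minor_status keeps the krb5 code. */`. Otherwise narrow it, e.g. `major = (ret == ENOMEM) ? GSS_S_FAILURE : GSS_S_BAD_SIG;`. The enclosing function starts and ends outside the hunk.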
diff --git a/crypto/krb5/src/man/k5identity.man b/crypto/krb5/src/man/k5identity.man
--- a/crypto/krb5/src/man/k5identity.man
+++ b/crypto/krb5/src/man/k5identity.man
@@ -27,7 +27,7 @@
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "K5IDENTITY" "5" " " "1.22" "MIT Kerberos"
+.TH "K5IDENTITY" "5" " " "1.22.1" "MIT Kerberos"
.SH NAME
k5identity \- Kerberos V5 client principal selection rules
.SH DESCRIPTION
diff --git a/crypto/krb5/src/man/k5login.man b/crypto/krb5/src/man/k5login.man
--- a/crypto/krb5/src/man/k5login.man
+++ b/crypto/krb5/src/man/k5login.man
@@ -27,7 +27,7 @@
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "K5LOGIN" "5" " " "1.22" "MIT Kerberos"
+.TH "K5LOGIN" "5" " " "1.22.1" "MIT Kerberos"
.SH NAME
k5login \- Kerberos V5 acl file for host access
.SH DESCRIPTION
diff --git a/crypto/krb5/src/man/k5srvutil.man b/crypto/krb5/src/man/k5srvutil.man
--- a/crypto/krb5/src/man/k5srvutil.man
+++ b/crypto/krb5/src/man/k5srvutil.man
@@ -27,7 +27,7 @@
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "K5SRVUTIL" "1" " " "1.22" "MIT Kerberos"
+.TH "K5SRVUTIL" "1" " " "1.22.1" "MIT Kerberos"
.SH NAME
k5srvutil \- host key table (keytab) manipulation utility
.SH SYNOPSIS
diff --git a/crypto/krb5/src/man/kadm5.acl.man b/crypto/krb5/src/man/kadm5.acl.man
--- a/crypto/krb5/src/man/kadm5.acl.man
+++ b/crypto/krb5/src/man/kadm5.acl.man
@@ -28,7 +28,7 @@
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KADM5.ACL" "5" " " "1.22" "MIT Kerberos"
+.TH "KADM5.ACL" "5" " " "1.22.1" "MIT Kerberos"
.SH NAME
kadm5.acl \- Kerberos ACL file
.SH DESCRIPTION
diff --git a/crypto/krb5/src/man/kadmin.man b/crypto/krb5/src/man/kadmin.man
--- a/crypto/krb5/src/man/kadmin.man
+++ b/crypto/krb5/src/man/kadmin.man
@@ -27,7 +27,7 @@
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KADMIN" "1" " " "1.22" "MIT Kerberos"
+.TH "KADMIN" "1" " " "1.22.1" "MIT Kerberos"
.SH NAME
kadmin \- Kerberos V5 database administration program
.SH SYNOPSIS
diff --git a/crypto/krb5/src/man/kadmind.man b/crypto/krb5/src/man/kadmind.man
--- a/crypto/krb5/src/man/kadmind.man
+++ b/crypto/krb5/src/man/kadmind.man
@@ -27,7 +27,7 @@
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KADMIND" "8" " " "1.22" "MIT Kerberos"
+.TH "KADMIND" "8" " " "1.22.1" "MIT Kerberos"
.SH NAME
kadmind \- KADM5 administration server
.SH SYNOPSIS
diff --git a/crypto/krb5/src/man/kdb5_ldap_util.man b/crypto/krb5/src/man/kdb5_ldap_util.man
--- a/crypto/krb5/src/man/kdb5_ldap_util.man
+++ b/crypto/krb5/src/man/kdb5_ldap_util.man
@@ -27,7 +27,7 @@
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KDB5_LDAP_UTIL" "8" " " "1.22" "MIT Kerberos"
+.TH "KDB5_LDAP_UTIL" "8" " " "1.22.1" "MIT Kerberos"
.SH NAME
kdb5_ldap_util \- Kerberos configuration utility
.SH SYNOPSIS
diff --git a/crypto/krb5/src/man/kdb5_util.man b/crypto/krb5/src/man/kdb5_util.man
--- a/crypto/krb5/src/man/kdb5_util.man
+++ b/crypto/krb5/src/man/kdb5_util.man
@@ -27,7 +27,7 @@
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KDB5_UTIL" "8" " " "1.22" "MIT Kerberos"
+.TH "KDB5_UTIL" "8" " " "1.22.1" "MIT Kerberos"
.SH NAME
kdb5_util \- Kerberos database maintenance utility
.SH SYNOPSIS
diff --git a/crypto/krb5/src/man/kdc.conf.man b/crypto/krb5/src/man/kdc.conf.man
--- a/crypto/krb5/src/man/kdc.conf.man
+++ b/crypto/krb5/src/man/kdc.conf.man
@@ -28,7 +28,7 @@
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KDC.CONF" "5" " " "1.22" "MIT Kerberos"
+.TH "KDC.CONF" "5" " " "1.22.1" "MIT Kerberos"
.SH NAME
kdc.conf \- Kerberos V5 KDC configuration file
.sp
diff --git a/crypto/krb5/src/man/kdestroy.man b/crypto/krb5/src/man/kdestroy.man
--- a/crypto/krb5/src/man/kdestroy.man
+++ b/crypto/krb5/src/man/kdestroy.man
@@ -27,7 +27,7 @@
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KDESTROY" "1" " " "1.22" "MIT Kerberos"
+.TH "KDESTROY" "1" " " "1.22.1" "MIT Kerberos"
.SH NAME
kdestroy \- destroy Kerberos tickets
.SH SYNOPSIS
diff --git a/crypto/krb5/src/man/kerberos.man b/crypto/krb5/src/man/kerberos.man
--- a/crypto/krb5/src/man/kerberos.man
+++ b/crypto/krb5/src/man/kerberos.man
@@ -27,7 +27,7 @@
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KERBEROS" "7" " " "1.22" "MIT Kerberos"
+.TH "KERBEROS" "7" " " "1.22.1" "MIT Kerberos"
.SH NAME
kerberos \- Overview of using Kerberos
.SH DESCRIPTION
diff --git a/crypto/krb5/src/man/kinit.man b/crypto/krb5/src/man/kinit.man
--- a/crypto/krb5/src/man/kinit.man
+++ b/crypto/krb5/src/man/kinit.man
@@ -27,7 +27,7 @@
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KINIT" "1" " " "1.22" "MIT Kerberos"
+.TH "KINIT" "1" " " "1.22.1" "MIT Kerberos"
.SH NAME
kinit \- obtain and cache Kerberos ticket-granting ticket
.SH SYNOPSIS
diff --git a/crypto/krb5/src/man/klist.man b/crypto/krb5/src/man/klist.man
--- a/crypto/krb5/src/man/klist.man
+++ b/crypto/krb5/src/man/klist.man
@@ -27,7 +27,7 @@
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KLIST" "1" " " "1.22" "MIT Kerberos"
+.TH "KLIST" "1" " " "1.22.1" "MIT Kerberos"
.SH NAME
klist \- list cached Kerberos tickets
.SH SYNOPSIS
diff --git a/crypto/krb5/src/man/kpasswd.man b/crypto/krb5/src/man/kpasswd.man
--- a/crypto/krb5/src/man/kpasswd.man
+++ b/crypto/krb5/src/man/kpasswd.man
@@ -27,7 +27,7 @@
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KPASSWD" "1" " " "1.22" "MIT Kerberos"
+.TH "KPASSWD" "1" " " "1.22.1" "MIT Kerberos"
.SH NAME
kpasswd \- change a user's Kerberos password
.SH SYNOPSIS
diff --git a/crypto/krb5/src/man/kprop.man b/crypto/krb5/src/man/kprop.man
--- a/crypto/krb5/src/man/kprop.man
+++ b/crypto/krb5/src/man/kprop.man
@@ -27,7 +27,7 @@
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KPROP" "8" " " "1.22" "MIT Kerberos"
+.TH "KPROP" "8" " " "1.22.1" "MIT Kerberos"
.SH NAME
kprop \- propagate a Kerberos V5 principal database to a replica server
.SH SYNOPSIS
diff --git a/crypto/krb5/src/man/kpropd.man b/crypto/krb5/src/man/kpropd.man
--- a/crypto/krb5/src/man/kpropd.man
+++ b/crypto/krb5/src/man/kpropd.man
@@ -27,7 +27,7 @@
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KPROPD" "8" " " "1.22" "MIT Kerberos"
+.TH "KPROPD" "8" " " "1.22.1" "MIT Kerberos"
.SH NAME
kpropd \- Kerberos V5 replica KDC update server
.SH SYNOPSIS
diff --git a/crypto/krb5/src/man/kproplog.man b/crypto/krb5/src/man/kproplog.man
--- a/crypto/krb5/src/man/kproplog.man
+++ b/crypto/krb5/src/man/kproplog.man
@@ -27,7 +27,7 @@
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KPROPLOG" "8" " " "1.22" "MIT Kerberos"
+.TH "KPROPLOG" "8" " " "1.22.1" "MIT Kerberos"
.SH NAME
kproplog \- display the contents of the Kerberos principal update log
.SH SYNOPSIS
diff --git a/crypto/krb5/src/man/krb5-config.man b/crypto/krb5/src/man/krb5-config.man
--- a/crypto/krb5/src/man/krb5-config.man
+++ b/crypto/krb5/src/man/krb5-config.man
@@ -28,7 +28,7 @@
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KRB5-CONFIG" "1" " " "1.22" "MIT Kerberos"
+.TH "KRB5-CONFIG" "1" " " "1.22.1" "MIT Kerberos"
.SH NAME
krb5-config \- tool for linking against MIT Kerberos libraries
.SH SYNOPSIS
diff --git a/crypto/krb5/src/man/krb5.conf.man b/crypto/krb5/src/man/krb5.conf.man
--- a/crypto/krb5/src/man/krb5.conf.man
+++ b/crypto/krb5/src/man/krb5.conf.man
@@ -28,7 +28,7 @@
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KRB5.CONF" "5" " " "1.22" "MIT Kerberos"
+.TH "KRB5.CONF" "5" " " "1.22.1" "MIT Kerberos"
.SH NAME
krb5.conf \- Kerberos configuration file
.sp
diff --git a/crypto/krb5/src/man/krb5kdc.man b/crypto/krb5/src/man/krb5kdc.man
--- a/crypto/krb5/src/man/krb5kdc.man
+++ b/crypto/krb5/src/man/krb5kdc.man
@@ -27,7 +27,7 @@
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KRB5KDC" "8" " " "1.22" "MIT Kerberos"
+.TH "KRB5KDC" "8" " " "1.22.1" "MIT Kerberos"
.SH NAME
krb5kdc \- Kerberos V5 KDC
.SH SYNOPSIS
diff --git a/crypto/krb5/src/man/ksu.man b/crypto/krb5/src/man/ksu.man
--- a/crypto/krb5/src/man/ksu.man
+++ b/crypto/krb5/src/man/ksu.man
@@ -27,7 +27,7 @@
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KSU" "1" " " "1.22" "MIT Kerberos"
+.TH "KSU" "1" " " "1.22.1" "MIT Kerberos"
.SH NAME
ksu \- Kerberized super-user
.SH SYNOPSIS
diff --git a/crypto/krb5/src/man/kswitch.man b/crypto/krb5/src/man/kswitch.man
--- a/crypto/krb5/src/man/kswitch.man
+++ b/crypto/krb5/src/man/kswitch.man
@@ -27,7 +27,7 @@
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KSWITCH" "1" " " "1.22" "MIT Kerberos"
+.TH "KSWITCH" "1" " " "1.22.1" "MIT Kerberos"
.SH NAME
kswitch \- switch primary ticket cache
.SH SYNOPSIS
diff --git a/crypto/krb5/src/man/ktutil.man b/crypto/krb5/src/man/ktutil.man
--- a/crypto/krb5/src/man/ktutil.man
+++ b/crypto/krb5/src/man/ktutil.man
@@ -27,7 +27,7 @@
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KTUTIL" "1" " " "1.22" "MIT Kerberos"
+.TH "KTUTIL" "1" " " "1.22.1" "MIT Kerberos"
.SH NAME
ktutil \- Kerberos keytab file maintenance utility
.SH SYNOPSIS
diff --git a/crypto/krb5/src/man/kvno.man b/crypto/krb5/src/man/kvno.man
--- a/crypto/krb5/src/man/kvno.man
+++ b/crypto/krb5/src/man/kvno.man
@@ -27,7 +27,7 @@
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "KVNO" "1" " " "1.22" "MIT Kerberos"
+.TH "KVNO" "1" " " "1.22.1" "MIT Kerberos"
.SH NAME
kvno \- print key version numbers of Kerberos principals
.SH SYNOPSIS
diff --git a/crypto/krb5/src/man/sclient.man b/crypto/krb5/src/man/sclient.man
--- a/crypto/krb5/src/man/sclient.man
+++ b/crypto/krb5/src/man/sclient.man
@@ -27,7 +27,7 @@
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "SCLIENT" "1" " " "1.22" "MIT Kerberos"
+.TH "SCLIENT" "1" " " "1.22.1" "MIT Kerberos"
.SH NAME
sclient \- sample Kerberos version 5 client
.SH SYNOPSIS
diff --git a/crypto/krb5/src/man/sserver.man b/crypto/krb5/src/man/sserver.man
--- a/crypto/krb5/src/man/sserver.man
+++ b/crypto/krb5/src/man/sserver.man
@@ -27,7 +27,7 @@
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
-.TH "SSERVER" "8" " " "1.22" "MIT Kerberos"
+.TH "SSERVER" "8" " " "1.22.1" "MIT Kerberos"
.SH NAME
sserver \- sample Kerberos version 5 server
.SH SYNOPSIS
diff --git a/crypto/krb5/src/patchlevel.h b/crypto/krb5/src/patchlevel.h
--- a/crypto/krb5/src/patchlevel.h
+++ b/crypto/krb5/src/patchlevel.h
@@ -51,7 +51,7 @@
*/
#define KRB5_MAJOR_RELEASE 1
#define KRB5_MINOR_RELEASE 22
-#define KRB5_PATCHLEVEL 0
-#define KRB5_RELTAIL "final"
-#define KRB5_RELDATE "20250805"
-#define KRB5_RELTAG "krb5-1.22-final"
+#define KRB5_PATCHLEVEL 1
+/* #undef KRB5_RELTAIL */
+#define KRB5_RELDATE "20250820"
+#define KRB5_RELTAG "krb5-1.22.1-final"
diff --git a/crypto/krb5/src/po/mit-krb5.pot b/crypto/krb5/src/po/mit-krb5.pot
--- a/crypto/krb5/src/po/mit-krb5.pot
+++ b/crypto/krb5/src/po/mit-krb5.pot
@@ -6,9 +6,9 @@
#, fuzzy
msgid ""
msgstr ""
-"Project-Id-Version: mit-krb5 1.22-final\n"
+"Project-Id-Version: mit-krb5 1.22.1\n"
"Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2025-08-04 20:58-0400\n"
+"POT-Creation-Date: 2025-08-20 15:43-0400\n"
"PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
"Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
"Language-Team: LANGUAGE <LL@li.org>\n"
diff --git a/crypto/krb5/src/tests/gssapi/t_invalid.c b/crypto/krb5/src/tests/gssapi/t_invalid.c
--- a/crypto/krb5/src/tests/gssapi/t_invalid.c
+++ b/crypto/krb5/src/tests/gssapi/t_invalid.c
@@ -79,9 +79,13 @@
#include "gssapiP_krb5.h"
/*
- * The following samples contain context parameters and otherwise valid seal
- * tokens where the plain text is padded with byte value 100 instead of the
- * proper value 1.
+ * The following samples contain:
+ * - context parameters
+ * - otherwise valid seal tokens where the plain text is padded with byte value
+ * 100 instead of the proper value 1.
+ * - valid MIC tokens for the message "message"
+ * - two valid wrap tokens for the message "message", one without
+ * confidentiality and one with
*/
struct test {
krb5_enctype enctype;
@@ -93,6 +97,12 @@
const char *keydata;
size_t toklen;
const char *token;
+ size_t miclen;
+ const char *mic;
+ size_t wrap1len;
+ const char *wrap1;
+ size_t wrap2len;
+ const char *wrap2;
} tests[] = {
{
ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES3_CBC_RAW,
@@ -104,7 +114,21 @@
"\x60\x3F\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x02\x01\x04"
"\x00\x02\x00\xFF\xFF\xEB\xF3\x9A\x89\x24\x57\xB8\x63\x95\x25\xE8"
"\x6E\x8E\x79\xE6\x2E\xCA\xD3\xFF\x57\x9F\x8C\xAB\xEF\xDD\x28\x10"
- "\x2F\x93\x21\x2E\xF2\x52\xB6\x6F\xA8\xBB\x8A\x6D\xAA\x6F\xB7\xF4\xD4"
+ "\x2F\x93\x21\x2E\xF2\x52\xB6\x6F\xA8\xBB\x8A\x6D\xAA\x6F\xB7\xF4\xD4",
+ 49,
+ "\x60\x2F\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x01\x01\x04"
+ "\x00\xFF\xFF\xFF\xFF\x57\xF5\x77\xC6\xC0\x72\x26\x97\x00\x89\xB2"
+ "\xEE\xD9\xD1\x90\xE7\x11\x50\x4F\xE9\x59\x18\xB1\x8F\x82\x8E\x8F\x5E",
+ 65,
+ "\x60\x3F\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x02\x01\x04"
+ "\x00\xFF\xFF\xFF\xFF\x0B\x81\x56\x4A\x02\x1B\xBE\x83\x2B\x35\x08"
+ "\x7B\x49\x15\x07\x97\x6A\x64\xEF\xDD\x32\x52\xF0\xA2\xE2\x62\x9B"
+ "\xA7\x72\xF7\x3D\x6B\x2D\xAC\x21\xE9\x6D\x65\x73\x73\x61\x67\x65\x01",
+ 65,
+ "\x60\x3F\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x02\x01\x04"
+ "\x00\x02\x00\xFF\xFF\x66\x5A\xE1\xC8\x4F\x69\x33\x97\x5D\x05\xE2"
+ "\x86\x40\x14\x15\x14\x27\x01\x9F\x32\x9D\x82\xF4\xE1\xC5\x3E\xFA"
+ "\x6D\x7D\x05\x39\xAE\x21\x44\xA0\x87\xA6\x24\xED\xFC\xA3\x53\xF1\x30"
},
{
ENCTYPE_ARCFOUR_HMAC, ENCTYPE_ARCFOUR_HMAC,
@@ -115,7 +139,21 @@
"\x60\x33\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x02\x01\x11"
"\x00\x10\x00\xFF\xFF\x35\xD4\x79\xF3\x8C\x47\x8F\x6E\x23\x6F\x3E"
"\xCC\x5E\x57\x5C\x6A\x89\xF0\xA2\x03\x4F\x0B\x51\x11\xEE\x89\x7E"
- "\xD6\xF6\xB5\xD6\x51"
+ "\xD6\xF6\xB5\xD6\x51",
+ 37,
+ "\x60\x23\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x01\x01\x11"
+ "\x00\xFF\xFF\xFF\xFF\x5D\xE7\x51\xF6\xFB\x6C\x25\x5B\x23\x93\x5A"
+ "\x30\x20\x57\xDC\xB5",
+ 53,
+ "\x60\x33\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x02\x01\x11"
+ "\x00\xFF\xFF\xFF\xFF\xAD\xB5\x1D\x01\x39\x7B\xA2\x16\x4C\x1B\x68"
+ "\x18\xEC\xAC\xD9\xE5\x9E\xD1\x41\x7A\x89\xE8\xCB\x24\x6D\x65\x73"
+ "\x73\x61\x67\x65\x01",
+ 53,
+ "\x60\x33\x06\x09\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x02\x01\x11"
+ "\x00\x10\x00\xFF\xFF\xDD\x6D\x04\xEA\x64\x5C\xE7\x31\x50\xD0\x09"
+ "\x44\x9E\x67\xA4\x30\xEC\xFB\xFF\xC0\xF7\x16\x1E\x14\x1A\x82\x42"
+ "\xDD\x26\x23\x2B\x02"
}
};
@@ -397,6 +435,144 @@
free(iov[0].buffer.value);
}
+/* Verify that token is a valid MIC token for ctx and message, and that
+ * changing any of the input bytes yields one of the expected errors. */
+static void
+mictest(gss_ctx_id_t ctx, gss_buffer_t message, gss_buffer_t token)
+{
+ OM_uint32 major, minor;
+ size_t i;
+ uint8_t *p;
+
+ major = gss_verify_mic(&minor, ctx, message, token, NULL);
+ check_gsserr("gss_verify_mic", major, minor);
+
+ p = token->value;
+ for (i = 0; i < token->length; i++) {
+ /* Skip sequence number bytes for RC4. */
+ if (load_16_le(p + 15) == SGN_ALG_HMAC_MD5 && i >= 21 && i <= 24)
+ continue;
+ p[i]++;
+ major = gss_verify_mic(&minor, ctx, message, token, NULL);
+ if (major != GSS_S_DEFECTIVE_TOKEN && major != GSS_S_BAD_SIG)
+ abort();
+ p[i]--;
+ }
+ p = message->value;
+ for (i = 0; i < message->length; i++) {
+ p[i]++;
+ major = gss_verify_mic(&minor, ctx, message, token, NULL);
+ if (major != GSS_S_DEFECTIVE_TOKEN && major != GSS_S_BAD_SIG)
+ abort();
+ p[i]--;
+ }
+}
+
+static void
+test_cfx_verify_mic(gss_ctx_id_t ctx)
+{
+ gss_buffer_desc message, token;
+ uint8_t msg[] = "message";
+ uint8_t mic[] = "\x04\x04\x00\xFF\xFF\xFF\xFF\xFF"
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x97\xE9\x63\x3F\x9D\x82\x2B\x74"
+ "\x67\x94\x8A\xD0";
+
+ message.value = msg;
+ message.length = sizeof(msg) - 1;
+ token.value = mic;
+ token.length = sizeof(mic) - 1;
+ mictest(ctx, &message, &token);
+}
+
+static void
+test_verify_mic(gss_ctx_id_t ctx, const struct test *test)
+{
+ gss_buffer_desc message, token;
+ uint8_t msg[] = "message", buf[128];
+
+ assert(test->miclen <= sizeof(buf));
+ memcpy(buf, test->mic, test->miclen);
+
+ message.value = msg;
+ message.length = sizeof(msg) - 1;
+ token.value = buf;
+ token.length = test->miclen;
+ mictest(ctx, &message, &token);
+}
+
+/* Verify that token is a valid wrap token for ctx unwrapping to message, and
+ * that changing any of the token bytes yields one of the expected errors. */
+static void
+unwraptest(gss_ctx_id_t ctx, gss_buffer_t message, gss_buffer_t token)
+{
+ OM_uint32 major, minor;
+ gss_buffer_desc unwrapped;
+ size_t i;
+ uint8_t *p;
+
+ major = gss_unwrap(&minor, ctx, token, &unwrapped, NULL, NULL);
+ check_gsserr("gss_unwrap", major, minor);
+ if (unwrapped.length != message->length ||
+ memcmp(unwrapped.value, message->value, unwrapped.length) != 0)
+ abort();
+ gss_release_buffer(&minor, &unwrapped);
+
+ p = token->value;
+ for (i = 0; i < token->length; i++) {
+ /* Skip sequence number bytes for RC4. */
+ if (load_16_le(p + 15) == SGN_ALG_HMAC_MD5 && i >= 21 && i <= 24)
+ continue;
+ p[i]++;
+ major = gss_unwrap(&minor, ctx, token, &unwrapped, NULL, NULL);
+ if (major != GSS_S_DEFECTIVE_TOKEN && major != GSS_S_BAD_SIG)
+ abort();
+ p[i]--;
+ }
+}
+
+static void
+test_cfx_unwrap(gss_ctx_id_t ctx)
+{
+ gss_buffer_desc message, token;
+ uint8_t msg[] = "message";
+ uint8_t token1[] = "\x05\x04\x00\xFF\x00\x0C\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x6D\x65\x73\x73\x61\x67\x65\xDF"
+ "\x57\xB9\x5E\xA2\xB1\x73\x31\xDB\xCE\x61\x62";
+ uint8_t token2[] = "\x05\x04\x02\xFF\x00\x00\x00\x00"
+ "\x00\x00\x00\x00\x00\x00\x00\x00\x72\xBB\xD7\xCF\xDE\xB0\xF9\x20"
+ "\xE2\x9A\x98\xA7\xA4\xE7\xC9\x9B\x30\xD3\xFE\x61\x51\x2E\x1B\x56"
+ "\x88\xB7\x8A\xF5\xA9\xBF\x8F\x82\xB1\xEB\xCC\x88\xE6\x33\x13\xBF"
+ "\x52\x4B\xC0\x3B\x24\x3F\x3E\xF5\xF1\xE0\x64";
+
+ message.value = msg;
+ message.length = sizeof(msg) - 1;
+ token.value = token1;
+ token.length = sizeof(token1) - 1;
+ unwraptest(ctx, &message, &token);
+ token.value = token2;
+ token.length = sizeof(token2) - 1;
+ unwraptest(ctx, &message, &token);
+}
+
+static void
+test_unwrap(gss_ctx_id_t ctx, const struct test *test)
+{
+ gss_buffer_desc message, token;
+ uint8_t msg[] = "message", buf[128];
+
+ assert(test->wrap1len <= sizeof(buf) && test->wrap2len <= sizeof(buf));
+ token.value = buf;
+
+ message.value = msg;
+ message.length = sizeof(msg) - 1;
+ memcpy(buf, test->wrap1, test->wrap1len);
+ token.length = test->wrap1len;
+ unwraptest(ctx, &message, &token);
+ memcpy(buf, test->wrap2, test->wrap2len);
+ token.length = test->wrap2len;
+ unwraptest(ctx, &message, &token);
+}
+
/* Process wrap and MIC tokens with incomplete headers. */
static void
test_short_header(gss_ctx_id_t ctx)
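Review bot: The RC4 skip in `mictest()` and `unwraptest()` uses bare offsets (`p + 15`, bytes 21-24) that fit the `\x60`-wrapped samples in `tests[]`, but the same loops also run over the CFX tokens from `test_cfx_verify_mic()` and `test_cfx_unwrap()`. Those start with `\x04\x04` or `\x05\x04`, so offset 15 is presumably not the signing-algorithm field there. A CFX sample whose bytes at 15-16 happened to equal `SGN_ALG_HMAC_MD5` would silently lose tamper coverage for four bytes. The read at `p + 15` is also not checked against `token->length`. I would document the assumption and bound the read, e.g. `/* Offsets assume the 15-byte pre-CFX wrapper: SGN_ALG at 15, sequence number at 21-24. */` followed by `if (token->length > 24 && load_16_le(p + 15) == SGN_ALG_HMAC_MD5 && i >= 21 && i <= 24)`, in both helpers.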
@@ -598,6 +774,8 @@
test_cfx_short_plaintext(ctx, cfx_subkey);
test_cfx_large_ec(ctx, cfx_subkey);
test_iov_large_asn1_wrapper(ctx);
+ test_cfx_verify_mic(ctx);
+ test_cfx_unwrap(ctx);
free_fake_context(ctx);
for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) {
@@ -606,6 +784,8 @@
test_short_header_iov(ctx, &tests[i]);
test_short_checksum(ctx, &tests[i]);
test_bad_pad(ctx, &tests[i]);
+ test_verify_mic(ctx, &tests[i]);
+ test_unwrap(ctx, &tests[i]);
free_fake_context(ctx);
}
diff --git a/krb5/Makefile.inc b/krb5/Makefile.inc
--- a/krb5/Makefile.inc
+++ b/krb5/Makefile.inc
@@ -10,7 +10,7 @@
.include <src.opts.mk>
PACKAGE?= kerberos
-KRB5_VERSION= 1.22-final
+KRB5_VERSION= 1.22.1
# MIT KRB5 uses KRB5_DIR. Heimdal uses KRB5DIR.
KRB5_SRCTOP= ${SRCTOP}/krb5
diff --git a/krb5/include/autoconf.h b/krb5/include/autoconf.h
--- a/krb5/include/autoconf.h
+++ b/krb5/include/autoconf.h
@@ -641,7 +641,7 @@
#define PACKAGE_NAME "Kerberos 5"
/* Define to the full name and version of this package. */
-#define PACKAGE_STRING "Kerberos 5 1.22.0"
+#define PACKAGE_STRING "Kerberos 5 1.22.1"
/* Define to the one symbol short name of this package. */
#define PACKAGE_TARNAME "krb5"
@@ -650,7 +650,7 @@
#define PACKAGE_URL ""
/* Define to the version of this package. */
-#define PACKAGE_VERSION "1.22.0"
+#define PACKAGE_VERSION "1.22.1"
/* Default PKCS11 module name */
#define PKCS11_MODNAME "opensc-pkcs11.so"
diff --git a/krb5/util/build-tools/krb5-config.sh b/krb5/util/build-tools/krb5-config.sh
--- a/krb5/util/build-tools/krb5-config.sh
+++ b/krb5/util/build-tools/krb5-config.sh
@@ -26,7 +26,7 @@
# Configurable parameters set by autoconf
# Disreagard the above. Edit this by hand in the bespoke FreeBSD build.
-version_string="Kerberos 5 release 1.22.0"
+version_string="Kerberos 5 release 1.22.1"
prefix=/usr
exec_prefix=${prefix}
