network/krb5: Updated for version 1.7.1.

2024-10-01 06:32:51 +02:00 · 2010-04-14 20:54:27 -04:00 · 2010-04-14 20:54:27 -04:00 · f13bd928de
commit f13bd928de
parent e51901af75
5 changed files with 17 additions and 434 deletions
--- a/network/krb5/README
+++ b/network/krb5/README
@ -3,13 +3,3 @@ provide strong authentication for client/server applications by using
 secret-key cryptography. A free implementation of this protocol is
 available from the Massachusetts Institute of Technology. Kerberos is
 available in many commercial products as well.
-
-This package includes patches for security advisories:
-
-MITKRB5-SA-2009-004
-    integer underflow in AES and RC4 decryption 
-MITKRB5-SA-2009-003
-    KDC denial of service in cross-realm referral processing 
-
-For further information about these advisories, please see
-http://web.mit.edu/kerberos/advisories/
--- a/network/krb5/krb5.SlackBuild
+++ b/network/krb5/krb5.SlackBuild
@ -6,13 +6,13 @@
 # All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions
+# modification, are permitted provided that the following conditions 
 # are met:
 #   * Redistributions of source code must retain the above copyright
 #     notice, this list of conditions and the following disclaimer.
 #   * Redistributions in binary form must reproduce the above
-#     copyright notice, this list of conditions and the following
-#     disclaimer in the documentation and/or other materials
+#     copyright notice, this list of conditions and the following 
+#     disclaimer in the documentation and/or other materials 
 #     provided with the distribution.
 #   * Neither the name of Tom Canich nor the names of other contributors
 #     may be used to endorse or promote products derived from this
@ -20,18 +20,18 @@
 #
 # THIS SOFTWARE IS PROVIDED BY Tom Canich ''AS IS'' AND ANY
 # EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL Tom Canich BE LIABLE FOR
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
+# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL Tom Canich BE LIABLE FOR 
 # ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
-# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
-# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
-# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE 
+# GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 
+# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER 
+# IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN 
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

 PRGNAM=krb5
-VERSION=${VERSION:-1.7}
+VERSION=${VERSION:-1.7.1}
 ARCH=${ARCH:-i486}
 BUILD=${BUILD:-2}
 TAG=${TAG:-_SBo}
@ -63,9 +63,6 @@ tar xvf $CWD/$PRGNAM-$VERSION-signed.tar -C $TMP
 tar xvf $TMP/$PRGNAM-$VERSION.tar.gz
 cd $PRGNAM-$VERSION/src

-patch -p2 -i $CWD/patches/2009-003-patch.txt
-patch -p1 -i $CWD/patches/2009-004-patch_1.7.txt
-
 CFLAGS="$SLKCFLAGS" \
 CXXFLAGS="$SLKCFLAGS" \
 ./configure \
@ -90,7 +87,7 @@ chmod 0755 $PKG/etc/profile.d/*
  find . | xargs file | grep "executable" | grep ELF | cut -f 1 -d : | \
    xargs strip --strip-unneeded 2> /dev/null || true
  find . | xargs file | grep "shared object" | grep ELF | cut -f 1 -d : | \
-    xargs strip --strip-unneeded 2> /dev/null
+    xargs strip --strip-unneeded 2> /dev/null || true
 )

 ( cd $PKG/usr/kerberos/man
@ -100,7 +97,7 @@ chmod 0755 $PKG/etc/profile.d/*

 mkdir -p $PKG/usr/doc/$PRGNAM-$VERSION
 cp -a \
-  $CWD/README $CWD/README.krb5 $CWD/EXPORT $CWD/patches \
+  $CWD/README $CWD/README.krb5 $CWD/EXPORT \
    $PKG/usr/doc/$PRGNAM-$VERSION
 cat $CWD/$PRGNAM.SlackBuild > $PKG/usr/doc/$PRGNAM-$VERSION/$PRGNAM.SlackBuild
 chown -R root:root $PKG/usr/doc
--- a/network/krb5/krb5.info
+++ b/network/krb5/krb5.info
@ -1,10 +1,10 @@
 PRGNAM="krb5"
-VERSION="1.7"
+VERSION="1.7.1"
 HOMEPAGE="http://web.mit.edu/kerberos/"
-DOWNLOAD="http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7-signed.tar"
-MD5SUM="9f7b3402b4731a7fa543db193bf1b564"
+DOWNLOAD="http://web.mit.edu/kerberos/dist/krb5/1.7/krb5-1.7.1-signed.tar"
+MD5SUM="4206991cb65e0d0ab69748e63ca67388"
 DOWNLOAD_x86_64=""
 MD5SUM_x86_64=""
 MAINTAINER="Tom Canich"
 EMAIL="tcanich@canich.net"
-APPROVED="Erik Hanson"
+APPROVED="dsomero"
--- a/network/krb5/patches/2009-003-patch.txt
+++ b/network/krb5/patches/2009-003-patch.txt
@ -1,27 +0,0 @@
-diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
-index 298e132..12180ff 100644
--- a/src/kdc/do_tgs_req.c
-+++ b/src/kdc/do_tgs_req.c
-@@ -1158,7 +1158,7 @@ prep_reprocess_req(krb5_kdc_req *request, krb5_principal *krbtgt_princ)
-             free(temp_buf);
-             if (retval) {
-                 /* no match found */
-                kdc_err(kdc_context, retval, 0);
-+                kdc_err(kdc_context, retval, "unable to find realm of host");
-                 goto cleanup;
-             }
-             if (realms == 0) {
-diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
-index efff818..ef3735a 100644
--- a/src/lib/kadm5/logger.c
-+++ b/src/lib/kadm5/logger.c
-@@ -188,6 +188,9 @@ klog_com_err_proc(const char *whoami, long int code, const char *format, va_list
-     char	*cp;
-     char	*syslogp;
- 
-+    if (whoami == NULL || format == NULL)
-+        return;
-+
-     /* Make the header */
-     snprintf(outbuf, sizeof(outbuf), "%s: ", whoami);
-     /*
--- a/network/krb5/patches/2009-004-patch_1.7.txt
+++ b/network/krb5/patches/2009-004-patch_1.7.txt
@ -1,377 +0,0 @@
-Index: src/lib/crypto/Makefile.in
-===================================================================
--- src/lib/crypto/Makefile.in	(revision 23398)
-+++ src/lib/crypto/Makefile.in	(working copy)
-@@ -18,6 +18,7 @@
- 	$(srcdir)/t_nfold.c	\
- 	$(srcdir)/t_cf2.c \
- 	$(srcdir)/t_encrypt.c	\
-+	$(srcdir)/t_short.c	\
- 	$(srcdir)/t_prf.c \
- 	$(srcdir)/t_prng.c	\
- 	$(srcdir)/t_hmac.c	\
-@@ -206,7 +207,7 @@
- 
- clean-unix:: clean-liblinks clean-libs clean-libobjs
- 
-check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_cf2
-+check-unix:: t_nfold t_encrypt t_prf t_prng t_hmac t_pkcs5 t_cf2 t_short
- 	$(RUN_SETUP) $(VALGRIND) ./t_nfold
- 	$(RUN_SETUP) $(VALGRIND) ./t_encrypt
- 	$(RUN_SETUP) $(VALGRIND) ./t_prng <$(srcdir)/t_prng.seed >t_prng.output && \
-@@ -216,6 +217,7 @@
- 	diff t_prf.output $(srcdir)/t_prf.expected
- 	$(RUN_SETUP) $(VALGRIND) ./t_cf2 <$(srcdir)/t_cf2.in >t_cf2.output
- 	diff t_cf2.output $(srcdir)/t_cf2.expected
-+	$(RUN_SETUP) $(VALGRIND) ./t_short
- 
- 
- #	$(RUN_SETUP) $(VALGRIND) ./t_pkcs5
-@@ -249,10 +251,15 @@
- 	$(CC_LINK) -o $@ t_cts.$(OBJEXT) \
- 		$(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB)
- 
-+t_short$(EXEEXT): t_short.$(OBJEXT) $(CRYPTO_DEPLIB) $(SUPPORT_DEPLIB)
-+	$(CC_LINK) -o $@ t_short.$(OBJEXT) \
-+		$(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB)
- 
-+
- clean::
- 	$(RM) t_nfold.o t_nfold t_encrypt t_encrypt.o t_prng.o t_prng \
-		t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o t_cf2 t_cf2.o
-+		t_hmac.o t_hmac t_pkcs5.o t_pkcs5 pbkdf2.o t_prf t_prf.o \
-+		t_cf2 t_cf2.o t_short t_short.o
- 	-$(RM) t_prng.output
- 
- all-windows::
-Index: src/lib/crypto/arcfour/arcfour.c
-===================================================================
--- src/lib/crypto/arcfour/arcfour.c	(revision 23398)
-+++ src/lib/crypto/arcfour/arcfour.c	(working copy)
-@@ -199,6 +199,12 @@
-   keylength = enc->keylength;
-   hashsize = hash->hashsize;
- 
-+  /* Verify input and output lengths. */
-+  if (input->length < hashsize + CONFOUNDERLENGTH)
-+    return KRB5_BAD_MSIZE;
-+  if (output->length < input->length - hashsize - CONFOUNDERLENGTH)
-+    return KRB5_BAD_MSIZE;
-+
-   d1.length=keybytes;
-   d1.data=malloc(d1.length);
-   if (d1.data == NULL)
-Index: src/lib/crypto/enc_provider/aes.c
-===================================================================
--- src/lib/crypto/enc_provider/aes.c	(revision 23398)
-+++ src/lib/crypto/enc_provider/aes.c	(working copy)
-@@ -105,9 +105,11 @@
-     nblocks = (input->length + BLOCK_SIZE - 1) / BLOCK_SIZE;
- 
-     if (nblocks == 1) {
-	/* XXX Used for DK function.  */
-+	/* Used when deriving keys. */
-+	if (input->length < BLOCK_SIZE)
-+	    return KRB5_BAD_MSIZE;
- 	enc(output->data, input->data, &ctx);
-    } else {
-+    } else if (nblocks > 1) {
- 	unsigned int nleft;
- 
- 	for (blockno = 0; blockno < nblocks - 2; blockno++) {
-@@ -160,9 +162,9 @@
- 
-     if (nblocks == 1) {
- 	if (input->length < BLOCK_SIZE)
-	    abort();
-+	    return KRB5_BAD_MSIZE;
- 	dec(output->data, input->data, &ctx);
-    } else {
-+    } else if (nblocks > 1) {
- 
- 	for (blockno = 0; blockno < nblocks - 2; blockno++) {
- 	    dec(tmp2, input->data + blockno * BLOCK_SIZE, &ctx);
-@@ -208,6 +210,7 @@
-     char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE];
-     int nblocks = 0, blockno;
-     size_t input_length, i;
-+    struct iov_block_state input_pos, output_pos;
- 
-     if (aes_enc_key(key->contents, key->length, &ctx) != aes_good)
- 	abort();
-@@ -224,18 +227,20 @@
- 	    input_length += iov->data.length;
-     }
- 
-+    IOV_BLOCK_STATE_INIT(&input_pos);
-+    IOV_BLOCK_STATE_INIT(&output_pos);
-+
-     nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
-
-    assert(nblocks > 1);
-
-    {
-+    if (nblocks == 1) {
-+	krb5int_c_iov_get_block((unsigned char *)tmp, BLOCK_SIZE,
-+				data, num_data, &input_pos);
-+	enc(tmp2, tmp, &ctx);
-+	krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2,
-+				BLOCK_SIZE, &output_pos);
-+    } else if (nblocks > 1) {
- 	char blockN2[BLOCK_SIZE];   /* second last */
- 	char blockN1[BLOCK_SIZE];   /* last block */
-	struct iov_block_state input_pos, output_pos;
- 
-	IOV_BLOCK_STATE_INIT(&input_pos);
-	IOV_BLOCK_STATE_INIT(&output_pos);
-
- 	for (blockno = 0; blockno < nblocks - 2; blockno++) {
- 	    char blockN[BLOCK_SIZE];
- 
-@@ -288,6 +293,7 @@
-     char tmp[BLOCK_SIZE], tmp2[BLOCK_SIZE], tmp3[BLOCK_SIZE];
-     int nblocks = 0, blockno, i;
-     size_t input_length;
-+    struct iov_block_state input_pos, output_pos;
- 
-     CHECK_SIZES;
- 
-@@ -306,18 +312,20 @@
- 	    input_length += iov->data.length;
-     }
- 
-+    IOV_BLOCK_STATE_INIT(&input_pos);
-+    IOV_BLOCK_STATE_INIT(&output_pos);
-+
-     nblocks = (input_length + BLOCK_SIZE - 1) / BLOCK_SIZE;
-
-    assert(nblocks > 1);
-
-    {
-+    if (nblocks == 1) {
-+	krb5int_c_iov_get_block((unsigned char *)tmp, BLOCK_SIZE,
-+				data, num_data, &input_pos);
-+	dec(tmp2, tmp, &ctx);
-+	krb5int_c_iov_put_block(data, num_data, (unsigned char *)tmp2,
-+				BLOCK_SIZE, &output_pos);
-+    } else if (nblocks > 1) {
- 	char blockN2[BLOCK_SIZE];   /* second last */
- 	char blockN1[BLOCK_SIZE];   /* last block */
-	struct iov_block_state input_pos, output_pos;
- 
-	IOV_BLOCK_STATE_INIT(&input_pos);
-	IOV_BLOCK_STATE_INIT(&output_pos);
-
- 	for (blockno = 0; blockno < nblocks - 2; blockno++) {
- 	    char blockN[BLOCK_SIZE];
- 
-Index: src/lib/crypto/dk/dk_aead.c
-===================================================================
--- src/lib/crypto/dk/dk_aead.c	(revision 23398)
-+++ src/lib/crypto/dk/dk_aead.c	(working copy)
-@@ -248,7 +248,7 @@
-     for (i = 0; i < num_data; i++) {
- 	const krb5_crypto_iov *iov = &data[i];
- 
-	if (ENCRYPT_DATA_IOV(iov))
-+	if (ENCRYPT_IOV(iov))
- 	    cipherlen += iov->data.length;
-     }
- 
-Index: src/lib/crypto/dk/dk_decrypt.c
-===================================================================
--- src/lib/crypto/dk/dk_decrypt.c	(revision 23398)
-+++ src/lib/crypto/dk/dk_decrypt.c	(working copy)
-@@ -89,6 +89,12 @@
-     else if (hmacsize > hashsize)
- 	return KRB5KRB_AP_ERR_BAD_INTEGRITY;
- 
-+    /* Verify input and output lengths. */
-+    if (input->length < blocksize + hmacsize)
-+	return KRB5_BAD_MSIZE;
-+    if (output->length < input->length - blocksize - hmacsize)
-+	return KRB5_BAD_MSIZE;
-+
-     enclen = input->length - hmacsize;
- 
-     if ((kedata = (unsigned char *) malloc(keylength)) == NULL)
-Index: src/lib/crypto/raw/raw_decrypt.c
-===================================================================
--- src/lib/crypto/raw/raw_decrypt.c	(revision 23398)
-+++ src/lib/crypto/raw/raw_decrypt.c	(working copy)
-@@ -34,5 +34,7 @@
- 		 const krb5_data *ivec, const krb5_data *input,
- 		 krb5_data *output)
- {
-+    if (output->length < input->length)
-+	return KRB5_BAD_MSIZE;
-     return((*(enc->decrypt))(key, ivec, input, output));
- }
-Index: src/lib/crypto/deps
-===================================================================
--- src/lib/crypto/deps	(revision 23398)
-+++ src/lib/crypto/deps	(working copy)
-@@ -463,6 +463,16 @@
-   $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \
-   $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \
-   $(SRCTOP)/include/socket-utils.h etypes.h t_encrypt.c
-+t_short.so t_short.po $(OUTPRE)t_short.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
-+  $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
-+  $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
-+  $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \
-+  $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \
-+  $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \
-+  $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \
-+  $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \
-+  $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \
-+  t_short.c
- t_prf.so t_prf.po $(OUTPRE)t_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \
-   $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \
-   $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \
-Index: src/lib/crypto/t_short.c
-===================================================================
--- src/lib/crypto/t_short.c	(revision 0)
-+++ src/lib/crypto/t_short.c	(revision 0)
-@@ -0,0 +1,126 @@
-+/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
-+/*
-+ * lib/crypto/crypto_tests/t_short.c
-+ *
-+ * Copyright (C) 2009 by the Massachusetts Institute of Technology.
-+ * All rights reserved.
-+ *
-+ * Export of this software from the United States of America may
-+ *   require a specific license from the United States Government.
-+ *   It is the responsibility of any person or organization contemplating
-+ *   export to obtain such a license before exporting.
-+ *
-+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
-+ * distribute this software and its documentation for any purpose and
-+ * without fee is hereby granted, provided that the above copyright
-+ * notice appear in all copies and that both that copyright notice and
-+ * this permission notice appear in supporting documentation, and that
-+ * the name of M.I.T. not be used in advertising or publicity pertaining
-+ * to distribution of the software without specific, written prior
-+ * permission.  Furthermore if you modify this software you must label
-+ * your software as modified software and not distribute it in such a
-+ * fashion that it might be confused with the original M.I.T. software.
-+ * M.I.T. makes no representations about the suitability of
-+ * this software for any purpose.  It is provided "as is" without express
-+ * or implied warranty.
-+ *
-+ * Tests the outcome of decrypting overly short tokens.  This program can be
-+ * run under a tool like valgrind to detect bad memory accesses; when run
-+ * normally by the test suite, it verifies that each operation returns
-+ * KRB5_BAD_MSIZE.
-+ */
-+
-+#include "k5-int.h"
-+
-+krb5_enctype interesting_enctypes[] = {
-+    ENCTYPE_DES_CBC_CRC,
-+    ENCTYPE_DES_CBC_MD4,
-+    ENCTYPE_DES_CBC_MD5,
-+    ENCTYPE_DES3_CBC_SHA1,
-+    ENCTYPE_ARCFOUR_HMAC,
-+    ENCTYPE_ARCFOUR_HMAC_EXP,
-+    ENCTYPE_AES256_CTS_HMAC_SHA1_96,
-+    ENCTYPE_AES128_CTS_HMAC_SHA1_96,
-+    0
-+};
-+
-+/* Abort if an operation unexpectedly fails. */
-+static void
-+x(krb5_error_code code)
-+{
-+    if (code != 0)
-+        abort();
-+}
-+
-+/* Abort if a decrypt operation doesn't have the expected result. */
-+static void
-+check_decrypt_result(krb5_error_code code, size_t len, size_t min_len)
-+{
-+    if (len < min_len) {
-+        /* Undersized tokens should always result in BAD_MSIZE. */
-+        if (code != KRB5_BAD_MSIZE)
-+            abort();
-+    } else {
-+        /* Min-size tokens should succeed or fail the integrity check. */
-+        if (code != 0 && code != KRB5KRB_AP_ERR_BAD_INTEGRITY)
-+            abort();
-+    }
-+}
-+
-+static void
-+test_enctype(krb5_enctype enctype)
-+{
-+    krb5_error_code ret;
-+    krb5_keyblock keyblock;
-+    krb5_enc_data input;
-+    krb5_data output;
-+    krb5_crypto_iov iov[2];
-+    unsigned int dummy;
-+    size_t min_len, len;
-+
-+    printf("Testing enctype %d\n", (int) enctype);
-+    x(krb5_c_encrypt_length(NULL, enctype, 0, &min_len));
-+    x(krb5_c_make_random_key(NULL, enctype, &keyblock));
-+    input.enctype = enctype;
-+
-+    /* Try each length up to the minimum length. */
-+    for (len = 0; len <= min_len; len++) {
-+        input.ciphertext.data = calloc(len, 1);
-+        input.ciphertext.length = len;
-+        output.data = calloc(len, 1);
-+        output.length = len;
-+
-+        /* Attempt a normal decryption. */
-+        ret = krb5_c_decrypt(NULL, &keyblock, 0, NULL, &input, &output);
-+        check_decrypt_result(ret, len, min_len);
-+
-+        if (krb5_c_crypto_length(NULL, enctype, KRB5_CRYPTO_TYPE_HEADER,
-+                                 &dummy) == 0) {
-+            /* Attempt an IOV stream decryption. */
-+            iov[0].flags = KRB5_CRYPTO_TYPE_STREAM;
-+            iov[0].data = input.ciphertext;
-+            iov[1].flags = KRB5_CRYPTO_TYPE_DATA;
-+            iov[1].data.data = NULL;
-+            iov[1].data.length = 0;
-+            ret = krb5_c_decrypt_iov(NULL, &keyblock, 0, NULL, iov, 2);
-+            check_decrypt_result(ret, len, min_len);
-+        }
-+
-+        free(input.ciphertext.data);
-+        free(output.data);
-+    }
-+}
-+
-+int
-+main(int argc, char **argv)
-+{
-+    int i;
-+    krb5_data notrandom;
-+
-+    notrandom.data = "notrandom";
-+    notrandom.length = 9;
-+    krb5_c_random_seed(NULL, &notrandom);
-+    for (i = 0; interesting_enctypes[i]; i++)
-+        test_enctype(interesting_enctypes[i]);
-+    return 0;
-+}
-Index: src/lib/crypto/old/old_decrypt.c
-===================================================================
--- src/lib/crypto/old/old_decrypt.c	(revision 23398)
-+++ src/lib/crypto/old/old_decrypt.c	(working copy)
-@@ -45,8 +45,10 @@
-     blocksize = enc->block_size;
-     hashsize = hash->hashsize;
- 
-+    /* Verify input and output lengths. */
-+    if (input->length < blocksize + hashsize || input->length % blocksize != 0)
-+	return(KRB5_BAD_MSIZE);
-     plainsize = input->length - blocksize - hashsize;
-
-     if (arg_output->length < plainsize)
- 	return(KRB5_BAD_MSIZE);
-