krb5.git/src/plugins, branch master-mechdconf Unnamed repository; edit this file 'description' to name the repository. Use anonymous OIDs in pkinit_crypto_openssl.c 2014-03-25T21:53:00+00:00 Greg Hudson ghudson@mit.edu 2014-03-25T02:42:02+00:00 6b9e570a7e98470b806a26c5119e53b2145e2586 Stop adding OIDs to the global OpenSSL table. It isn't thread-safe (even with locking callbacks registered), and calling OBJ_cleanup could break other uses of OpenSSL. Instead, use anonymous OIDs created with OBJ_txt2oid. Anonymous OIDs need to be managed more careful to avoid double-freeing, so create a copy before calling PKCS7_add_signed_attribute, and don't free the result of pkinit_pkcs7type2oid in cms_contentinfo_create. ticket: 7889 
Stop adding OIDs to the global OpenSSL table.  It isn't thread-safe
(even with locking callbacks registered), and calling OBJ_cleanup
could break other uses of OpenSSL.  Instead, use anonymous OIDs
created with OBJ_txt2oid.  Anonymous OIDs need to be managed more
careful to avoid double-freeing, so create a copy before calling
PKCS7_add_signed_attribute, and don't free the result of
pkinit_pkcs7type2oid in cms_contentinfo_create.

ticket: 7889
Stop shadowing id-pkcs7-data OID 2014-03-25T21:52:59+00:00 Greg Hudson ghudson@mit.edu 2014-03-24T22:26:50+00:00 8ee1790ba6e3468d7ed53ed46123dc9545a4216f pkinit_crypto_openssl.c currently creates a shadow entry for id-pkcs7-data so that OpenSSL will expect to see the corresponding octet string in d.other instead than d.data. This shadowing is very unfriendly to other uses of OpenSSL and we should stop. Eliminate the shadowing and rewrite create_contentinfo so that it sets up the PKCS7 object correctly if the OID is id-pkcs7-data. ticket: 7889 
pkinit_crypto_openssl.c currently creates a shadow entry for
id-pkcs7-data so that OpenSSL will expect to see the corresponding
octet string in d.other instead than d.data.  This shadowing is very
unfriendly to other uses of OpenSSL and we should stop.  Eliminate the
shadowing and rewrite create_contentinfo so that it sets up the PKCS7
object correctly if the OID is id-pkcs7-data.

ticket: 7889
Improve PKINIT client memory management 2014-03-18T17:01:13+00:00 Greg Hudson ghudson@mit.edu 2014-03-14T16:53:50+00:00 3c14324baffdc1848f75924deaf69e43f30e6621 In pkinit_as_req_create, create and encode stack-allocated auth-pack structures containing only alias pointers, instead of heap-allocated structures containing a mix of alias pointers, owner pointers, and appropriated caller memory. Keep everything we temporarily allocate in separate local variables and free them through those variables. In pa_pkinit_gen_req, use safer memory practices to avoid problems like issue #7878. Free the checksum since pkinit_as_req_create no longer takes ownership it. Remove a broken overly defensive check after calling pkinit_as_req_create. Remove init_krb5_auth_pack and init_krb5_auth_pack_draft9 as they are no longer required. 
In pkinit_as_req_create, create and encode stack-allocated auth-pack
structures containing only alias pointers, instead of heap-allocated
structures containing a mix of alias pointers, owner pointers, and
appropriated caller memory.  Keep everything we temporarily allocate
in separate local variables and free them through those variables.

In pa_pkinit_gen_req, use safer memory practices to avoid problems
like issue #7878.  Free the checksum since pkinit_as_req_create no
longer takes ownership it.  Remove a broken overly defensive check
after calling pkinit_as_req_create.

Remove init_krb5_auth_pack and init_krb5_auth_pack_draft9 as they are
no longer required.
Fix unlikely double free in PKINIT client code 2014-03-18T17:01:13+00:00 Greg Hudson ghudson@mit.edu 2014-03-13T22:34:22+00:00 cc002d6c1ccfc08356d01ba83e72a46855d0302c In pa_pkinit_gen_req, if the cleanup handler is reached with non-zero retval and non-null out_data, out_data is freed, then dereferenced, then freed again. This can only happen if one of the small fixed-size malloc requests fails after pkinit_as_req_create succeeds, so it is unlikely to occur in practice. ticket: 7878 (new) target_version: 1.12.2 tags: pullup 
In pa_pkinit_gen_req, if the cleanup handler is reached with non-zero
retval and non-null out_data, out_data is freed, then dereferenced,
then freed again.  This can only happen if one of the small fixed-size
malloc requests fails after pkinit_as_req_create succeeds, so it is
unlikely to occur in practice.

ticket: 7878 (new)
target_version: 1.12.2
tags: pullup
Conditionalize use of LDAP_OPT_DEBUG_LEVEL 2014-02-28T23:17:48+00:00 Greg Hudson ghudson@mit.edu 2014-02-28T15:17:29+00:00 0364d0da094be0fbf3a9a08b79b6e23eaaf0d2d7 The LDAP debug level option (#7551) causes a build failure with the Solaris LDAP library, which does not have LDAP_OPT_DEBUG_LEVEL. ticket: 7870 (new) target_version: 1.12.2 tags: pullup 
The LDAP debug level option (#7551) causes a build failure with the
Solaris LDAP library, which does not have LDAP_OPT_DEBUG_LEVEL.

ticket: 7870 (new)
target_version: 1.12.2
tags: pullup
Assume <stdint.h> and fixed-width types 2014-02-26T21:15:19+00:00 Greg Hudson ghudson@mit.edu 2014-02-01T20:20:08+00:00 17e205070745e4712d40eed32d92d02edb47009f Make unconditional use of <stdint.h> and fixed-width types such as uint32_t. k5-plugin.h doesn't use any special integer types, so remove the conditional include block there. Nothing uses INT64_FMT/UINT64_FMT, so leave those out of k5-platform.h for now. 
Make unconditional use of <stdint.h> and fixed-width types such as
uint32_t.  k5-plugin.h doesn't use any special integer types, so
remove the conditional include block there.  Nothing uses
INT64_FMT/UINT64_FMT, so leave those out of k5-platform.h for now.
Use system dictionary for db2 tests again 2014-02-19T21:21:01+00:00 Greg Hudson ghudson@mit.edu 2014-02-18T06:14:01+00:00 dba768e873d3ae34cfb2ff9d9c2d3644981f23a5 The built-in word list is not long enough for all of the libdb2 tests to run properly. Revert d21a86e47a7cda29225013e08d060095b94b2ee7 and go back to using the system dictionary if we find one. However, omit any lines from the chosen word list which contain non-alphabetical characters. ticket: 7860 
The built-in word list is not long enough for all of the libdb2 tests
to run properly.  Revert d21a86e47a7cda29225013e08d060095b94b2ee7 and
go back to using the system dictionary if we find one.  However, omit
any lines from the chosen word list which contain non-alphabetical
characters.

ticket: 7860
Use TAILQ macros instead of CIRCLEQ in libdb2 2014-02-19T21:21:01+00:00 Greg Hudson ghudson@mit.edu 2014-02-17T05:18:41+00:00 26d874412983c4c9979a9f5e7bec51834ad4cda5 The optimizer in gcc 4.8.1 (but not the current gcc head revision) breaks the queue.h CIRCLEQ macros, apparently due to an overzealous strict aliasing deduction. Use TAILQ macros in the libdb2 mpool code instead. ticket: 7860 
The optimizer in gcc 4.8.1 (but not the current gcc head revision)
breaks the queue.h CIRCLEQ macros, apparently due to an overzealous
strict aliasing deduction.  Use TAILQ macros in the libdb2 mpool code
instead.

ticket: 7860
Don't use system dictionary files for DB2 tests 2014-02-12T04:07:21+00:00 Greg Hudson ghudson@mit.edu 2014-02-12T03:16:56+00:00 d21a86e47a7cda29225013e08d060095b94b2ee7 The system dictionary may contain entries with punctuation, which can confuse the shell. It's more predictable to always use the word list from the source tree. ticket: 7860 status: open 
The system dictionary may contain entries with punctuation, which can
confuse the shell.  It's more predictable to always use the word list
from the source tree.

ticket: 7860
status: open
Move OTP sockets to KDC_RUN_DIR 2014-02-06T21:17:27+00:00 Nathaniel McCallum npmccallum@redhat.com 2014-02-05T15:59:46+00:00 1e4bdcfed2c7bda94d5c135cc32a5993ca032501 Some system configurations expect Unix-domain sockets to live under /run or /var/run, and not other parts of /var where persistent application state lives. Define a new directory KDC_RUN_DIR using $runstatedir (new in autoconf 2.70, so fall back to $localstatedir/run if it's not set) and use that for the default socket path. [ghudson@mit.edu: commit message, otp.rst formatting fix] ticket: 7859 (new) 
Some system configurations expect Unix-domain sockets to live under
/run or /var/run, and not other parts of /var where persistent
application state lives.  Define a new directory KDC_RUN_DIR using
$runstatedir (new in autoconf 2.70, so fall back to $localstatedir/run
if it's not set) and use that for the default socket path.

[ghudson@mit.edu: commit message, otp.rst formatting fix]

ticket: 7859 (new)