| Commit message | Author | Age | Files | Lines |
|
Once finished, this module is supposed to just reenter into gssapi.
|
This extension makes it possible for an interposer to know which
interposed mechanism the mechglue intended to use when multiple
mechanisms are being interposed by the same plugin.
|
This extension makes it possible for an interposer to know which
interposed mechanism the mechglue intended to use when multiple
mechanisms are being interposed by the same plugin.
|
This extension makes it possible for an interposer to know which
interposed mechanism the mechglue intended to use when multiple
mechanisms are being interposed by the same plugin.
|
Pick the right set of OIDs to use in mechglue functions.
We have 3 oids to care for:
The desired/requested oid, it can be a valid oid or a special interposer oid
used to avoid looping back to an interposer plugin when the interposer wants to
access a local mechanism.
The selected_oid, that is the actual oid of the mechanism we are going to use,
it could be an interposer oid.
The public oid, which normally is the same as the desired/requested oid except
when a special interposer oid is used by an interposer.
FIXME: Set the right mech_type on contexts
- issue with accept_sec_context, how to fall back to local mechanism?
- may need to use magic fallback error
|
Special care needs to be taken to avoid returning special interposer plugin
OIDs to user applications.
The public OID is the OID that should be returned to users of the GSSAPI.
This is not the same as the internal OID which could be a special interposer
plugin OID.
|
This is needed since gssint_get_mechanism(NULL) now can return an interposer
mechanism, and then mech->mech_type will not point to the right mechanism
type, but to the interposer plugin OID. Also for special interposer OIDs we
need to use the real mechanism type when the passed in oid is special.
|
This function is used to return the reply for gss_indicate_mechs(), and we do
not want applications to see interposer mechs, they should never be exposed
directly to apps.
|
Also initialize any interposer plugin as soon as configuration is
loaded from the file. This is to ensure interposers are configured
before actual mechanisms they may want to interpose are.
|
This function wasn't used anywhere. Also remove the declaration for
osa_adb_close_policy(), which doesn't exist.
|
Factor out some common functions used by multiple test programs. Use
a common argument format for importing names (p:princname,
h:hostbasedname, or u:username) and adjust the Python tests to match
it. Use more consistent conventions in test programs and fix some
coding style issues. Normalize how the test programs are built.
|
This installer option determines whether the -autoinit argument
is passed to the MIT Kerberos executable.
On startup, if this argument is passed, and if there are no tickets
in the default cache, and if no useful tickets can be imported from
the LSA cache, MIT Kerberos will open the get ticket dialog and prompt
for a password; this option does not appear to have any other effect.
ticket: 7357 (new)
queue: kfw
target_version: 1.10.4
tags: pullup
|
Test the fix for https://bugzilla.redhat.com/show_bug.cgi?id=586032 .
Also test that krb5kdc can return svc unavailable
|
The lock inconsistency fixed here is quite possibly the same as
described in https://bugzilla.redhat.com/show_bug.cgi?id=586032 .
The problem is that ctx_unlock() fails to unlock the principal DB if
it fails to unlock the policy DB, and this happens when ctx_lock()
fails to lock the policy DB (likely because the caller is racing
against a kdb5_util load, which will be using a "permanent" lock,
meaning that the lock file will be unlinked after acquiring the
lock). The fix is to perform both unlock operations *then* handle
any errors that either or both might have returned.
Additionally, we don't really need or want to use non-blocking locks,
and we certainly don't want to sleep(1) in krb5kdc (possibly several
times, as there was a loop over this) when either of the principal or
policy DB is locked. Some callers still request non-blocking locks,
and ctx_lock() still honors this.
ticket: 7360 (new)
|
We don't really need or want to use non-blocking locks, and we certainly
don't want to sleep(1) in krb5kdc (possibly several times, as there was
a loop over this) when either of the principal or policy DB is locked.
Some callers still request non-blocking locks, and ctx_lock() still
honors this.
ticket: 7359 (new)
|
The KDC should not return KRB5KRB_ERR_GENERIC (KRB_ERR_GENERIC) when the
KDB plugin returns KRB5_KDB_CANTLOCK_DB: it should return
KRB5KDC_ERR_SVC_UNAVAILABLE (KDC_ERR_SVC_UNAVAILABLE) instead. This
allows clients to immediately fall back onto other KDCs.
When we switch to using blocking locks in the db2 KDB backend we'll very
rarely hit this code path, perhaps only when racing against a kdb5_util load.
Other KDB backends might still return KRB5_KDB_CANTLOCK_DB often enough that
this change is desirable.
ticket: 7358 (new)
|
Revision fcdd2de1 added the K5_KEY_GSS_KRB5_ERROR_MESSAGE key, and
registered it in the gssapi library initialization routine, but
did not unregister it in the library finalization routine.
When the library is unloaded and reloaded in the same process,
this leads to an assertion failure, since we check that
destructors_set[keynum] is zero (no destructor set) when registering
a key in util/support/threads.c.
Unregister the key on library cleanup to resolve the error.
ticket: 7353
target_version: 1.10.4
tags: pullup
|
In the MSLSA cache, if we get back a zero-length ticket, don't
accept it as success; continue on to try and get an acceptable
ticket.
ticket: 7349 (new)
subject: SapGUI sometimes crashes on new session with MSLSA cache
target_version: 1.10.4
tags: pullup
|
ticket: 7354
|
ticket: 7354
|
Using the new internal JSON support to implement serialization and
unserialization of krb5 GSS credentials.
ticket: 7354
|
Add gss_export_cred and gss_import_cred mechglue functions to
serialize and unserialize GSSAPI credential handles. Mechanism
implementations and tests will follow.
ticket: 7354 (new)
|
Add JSON support based loosely on Heimdal's heimbase code.
|
Add base64 support based on Heimdal's libroken base64 code.
|
Add new APIs:
* krb5_get_init_creds_opt_set_responder
* krb5_responder_get_challenge
* krb5_responder_list_questions
* krb5_responder_set_answer
If a caller sets a responder, it will be invoked after preauth modules
have had a chance to review their incoming padata but before they produce
outgoing padata. The responder will be presented a set of questions with
optional challenges. The responder should then answer all questions it knows
how to handle. Both the answers and the challenges are printable UTF-8 and
may contain encoded, structured data specific to the question asked.
Add two new callbacks and one optional method to the clpreauth
interface. The new method (prep_questions) allows modules to ask questions
by setting them in the responder context using one of the new callbacks
(ask_responder_question). The other new callback (get_responder_answer) is
used by the process method to read the answers to the questions asked.
ticket: 7355 (new)
|
25ee704e83c2c63d4b5ecd12ea31c1979239041e added three new public GSSAPI
functions; add them to the DLL export file.
ticket: 7217
|
Since zapfree(str, strlen(str)) won't work for possibly-null values of
str, add a helper zapfreestr() which only calls strlen() if the string
value is non-null.
|
The file 'checkbox blank.png' is unneeded and contains a space in the
name, unnecessarily interfering with running find | xargs over the
source tree. Remove it.
ticket: 7352 (new)
queue: kfw
target_version: 1.10.4
tags: pullup
|
When the rules from util/k5ev/Makefile.in were moved to
util/verto/Makefile.in, the rule to make rename.h was broken on
non-gmake makes because the definition of SED wasn't carried over.
Define it now.
|
For the test-vectors target in tests/asn.1, add ASN.1 modules from RFC
4556 and draft-ietf-krb-wg-pkinit-alg-agility-06.txt, and output test
encodings for PrincipalName, KRB5PrincipalName, OtherInfo, and
PkinitSuppPubInfo. In the alg-agility module, AuthPack and DHRepInfo
are renamed, as asn1c otherwise rejects them as conflicting with the
RFC 4556 definitions.
|
The upstream libverto depends on dynamic loading and in particular on
dladdr(), which is not universal. To avoid this dependency, stub out
support for module loading (by replacing module.c) and instead
integrate the k5ev module directly into the bundled verto library.
This change removes the need to link, include, and invoke libverto
differently depending on whether we're using the bundled library; we
can always just link with -lverto and call verto_default().
bigredbutton: whitespace
ticket: 7351 (new)
|
We already define EV_USE_REALTIME to 0 to avoid the use of
clock_gettime() (to avoid depending on librt). But in some build
environments libev can detect support for a monotonic clock, which
also results in using clock_gettime(). Define EV_USE_MONOTONIC to 0
as well to prevent this.
ticket: 7350 (new)
target_version: 1.10.4
tags: pullup
|
Since the Start Menu and Desktop are different folders, we should
use different components for the shortcuts in those folders, given
that components operate at directory granularity.
Take the opportunity to use the newer style for installing shortcuts
and registry keys, and make the names more descriptive.
Increment the buildlevel to ensure new files are installed.
ticket: 7348 (new)
subject: Use more meaningfully named registry keys for shortcuts
queue: kfw
target_version: 1.10.4
tags: pullup
|
ticket: 7347 (new)
|
When using v4 file credentials caches, client clock skew offsets
obtained when running with the kdc_timesync option set are persisted in
the ccache. This allows the offsets to be used across separate contexts,
e.g. when obtaining credentials using krb5 interfaces and subsequently
importing those credentials for use in gssapi. This patch adds similar
support for memory credentials caches.
[ghudson@mit.edu: Minor style corrections.]
ticket: 7346 (new)
|
The most recent commit to g_acquire_cred.c allocates an OID set to
pass to the mech, but never releases it. Fix that.
|
|
These printfs spew to the console when command-line utilities
such as 'klist' and 'aklog' are run, reducing usability.
These printfs can also cause application hangs.
On a multiprocessor machine, when PuTTY and the ccapiserver are
running on different CPUs, PuTTY appears to deadlock with three
concurrent threads inside cci_debug_printf().
ticket: 7342 (new)
target_version: 1.10.4
tags: pullup
|
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7341 (new)
queue: kfw
target_version: 1.10.4
tags: pullup
|
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7237
target_version: 1.10.4
tags: pullup
|
Allocate thread-local storage on demand; don't rely on
the DLL_THREAD_ATTACH case in DllMain() since pre-existing
threads will never execute that code.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7340 (new)
target_version: 1.10.4
tags: pullup
|
We can't mix the KRB5 and CC error constants; standardize on the CC ones
and translate appropriately.
ticket: 7339 (new)
target_version: 1.10.4
tags: pullup
|
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7338 (new)
queue: kfw
target_version: 1.10.4
tags: pullup
|
The InstallValidate action of the Windows Installer will bring up
a dialog informing us that some currently running processes must
be terminated before installation may proceed, and offers to do so,
but does not actually kill the processes. We have our own code to
kill running processes which did not execute, for two reasons:
it was sequenced after InstallValidate, and we did not have a current
list of processes to look for.
Add the right processes to look for and kill, and use our own
process-killing code since it actually works.
ticket: 7343 (new)
queue: kfw
target_version: 1.10.4
tags: pullup
|