| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
| |
The Camellia enctypes and cksumtypes have received IANA assignments.
Add #defines using those assignments to krb5.h, remove the CAMELLIA
conditional, and enable testing code as appropriate.
The Camellia draft has not received an RFC number yet, so there is no
Doxygen markup for the enctype and cksumtype #defines. That can be
added once the RFC number is known.
|
| |
|
|
|
|
|
|
| |
Not really: only when the KDB backend lacks a delete method. Still.
ticket: 7403
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a kdb5_util load gets killed between rename()ing the new KDB file
into place and resetting the iprop ulog then the ulog can reflect the
pre-load state, which will almost certainly be incorrect.
This matters because we want to impose a timeout on full resyncs in
kpropd when iprop dictates that a full resync is needed, and the
simplest timeout scheme involves signaling the kdb5_util load process.
But also, we want no such races in general.
The fix is simple: re-initialize the ulog before renaming the new KDB
file into place, then proceed as usual. If the ulog is not properly
updated at the end of the load it will at least always result in
subsequent iprop get updates operations always indicating that a full
resync is required.
ticket: 7399
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently kadmind allows slaves to poll for updates as often as they
like, but not within 10s of the last update. This means that iprop will
appear to fail to synchronize the KDC at any site whose master KDC
processes at least one write transaction every 10 seconds consistently.
The original intention must have been to throttle iprop clients (slave
KDCs) that poll too often. But UPDATE_BUSY as implemented is not that,
and implementing a throttle would be difficult (requires keeping state
in a table) and mostly useless (admins can manage their poll timers just
fine without a throttle in kadmind).
ticket: 7369
|
|
|
|
|
|
|
|
|
|
|
| |
If a master KDC uses only a 64-bit libkadm5srv then there is no reason
to impose any limit on ulog size: the practical maximum will be given by
the filesystem and available storage space.
Even when using a 32-bit libkadm5srv the maximum practical ulog size
will be found easily enough when mmap() fails.
ticket: 7368
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use a global dump (the default dump file) for full syncs for iprop.
When a slave asks for a fullsync we kprop the existing global dump to it
if that is good enough, else we dump the DB and send the new global
dump.
Before this change kadmind would run kdb5_util dump -i... each time a
slave asked for a full dump. This was done in a sub-process,
thankfully, but it was still a waste of time and storage (e.g., if one
has a huge KDB).
Also, long dump times might cause a slave to give up (the timeout for
this is now configurable). But since iprop dumps bear a serial number
and timestamp and since slaves will resync from that point forward, it
doesn't matter if the dump we send a slave is fresh as long as it is
fresh enough (i.e., that its sno and timestamp are in the ulog).
Also:
- Rename dumps into place instead of unlink, create, write (but we
still keep the dump ok files as lock files and as a method of
signaling to kprop that the dump is complete).
ticket: 7371
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Make kpropd in iprop mode fork a child to listen for kprops from the
master. The child writes progress and outcome reports to the parent
for each kprop. This fixes a race between asking for a full resync
and setting up a listener socket for it.
- Add runonce (-t) for kpropd do_standalone() too.
- Add a new iprop parameter: iprop_resync_timeout. kpropd will keep
asking for incremental updates while waiting for a full resync to
finish, and will re-request a full resync if kadmind continues to
indicate that one is needed after this timeout passes since the
previous full resync was requested.
- Allow polling intervals less than 10 seconds.
[ghudson@mit.edu: split out debug output changes; note polling interval
change in commit message]
ticket: 7373
|
|
|
|
|
|
|
|
|
|
|
| |
RFC 6680 requires that gss_export_name_composite begin the output
token with 04 02. So we must produce a composite token even if the
name has no authdata, and be able to consume a composite token with no
authdata attributes.
[ghudson@mit.edu: expanded commit message]
ticket: 7400 (new)
|
|
|
|
|
|
|
|
|
|
| |
An interposer mech needs to be able to handle multiple mechanisms.
When importing a mech token for a name, cred, or context, the
interposer mech needs to know the mech type of the token being
imported. To make this work, add SPI calls which accept a mech type
argument.
[ghudson@mit.edu: Stylistic changes, commit squashing, commit message]
|
|
|
|
|
|
|
|
|
|
| |
Wherever a GSSAPI mechglue function accepts a mech OID from the
caller, use gssint_select_mech_type() to choose the mechanism to use.
Wherever a mechglue function outputs a mech OID to the caller, use
gssint_get_public_oid() or gssint_make_public_oid_set() to expose the
public mech OID.
[ghudson@mit.edu: Stylistic changes, commit squashing, commit message]
|
|
|
|
|
|
|
|
|
|
| |
Add gssint_select_mechanism() to determine what mechanism to use for a
caller-specified OID, gssint_get_public_oid() to determine what
mechanism to expose to the caller, and gssint_make_public_oid_set to
translate an array of mech OIDs into a set of public OIDs. In
gssint_get_mechanism(), match interposed OIDs as well as real ones.
[ghudson@mit.edu: Stylistic changes, commit squashing, commit message]
|
|
|
|
|
|
|
|
|
|
|
|
| |
Extend the syntax of the gss mech config file to allow a module type
delimited by triangle brackets. If the module type is "interposer",
flag the mechanism entry as being an interposer mechanism. A module
marked as an interposer is loaded immediately (so it can interpose a
built-in mechanism) and produces a list of OIDs to interpose.
Interposer mechanisms are not exposed to applications.
[ghudson@mit.edu: Stylistic changes, commit squashing, commit
message]
|
| |
|
|
|
|
|
| |
krb5_rc_resolve_full, krb5_rc_resolve_get_name, and
krb5_rc_resolve_get_type are also now used in the krb5 mech.
|
|
|
|
|
|
| |
krb5_rc_recover_or_initialize is not a public function, but is now
used by the krb5 mechanism when importing a credential. Mark it as
PRIVATE GSSAPI in the export list.
|
|
|
|
|
|
|
|
|
|
| |
It might have been safe to access the krb5 verifier cred without a
lock before constrained delegation, but it is less likely to be safe
now that we might access both the initiator and acceptor parts of the
cred. Hold a lock on the cred for the full accept_sec_context
operation.
ticket: 7366 (new)
|
|
|
|
|
|
|
|
|
| |
If the verifier cred handle is of type GSS_C_BOTH, we need to resolve
the initiator part of it in order to create a s4u2proxy delegated
credential handle. (If it's of type GSS_C_ACCEPT, kg_resolve_cred
won't do anything beyond locking and validating the credential.)
ticket: 7356
|
|
|
|
| |
Use helper functions to shorten and clarify loadConfigFile.
|
|
|
|
|
|
|
| |
Get rid of gssint_get_mechanisms, gssint_mech_to_oid, and
gssint_oid_to_mech, which constructed a list of mechanism names and
mapped between mech names and OIDs. These functions were only used by
gss_inquire_mechs_for_name, which now uses gss_indicate_mechs instead.
|
|
|
|
|
|
|
|
|
| |
Use gss_indicate_mechs instead of gssint_get_mechanisms and
gssint_mech_to_oid to iterate over the list of mechanism OIDs. Use a
static helper to determine whether a mech supports a name type,
avoiding most of the work done in the for loop. Use a cleanup
handler. Don't leave partial results in the output parameter on
error.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Failure handling during the postprocessing of
mech->gss_accept_sec_context was inconsistent. In one case we delete
the output token but leave the partly-constructed context present in
*context_handle (violating RFC 2744 if this is the first call); in
other cases we leave the output token in the caller's buffer but do
destroy the partly-constructed context. Make this more consistent by
always destroying the output token and partly-constructed context.
(RFC 2744 prefers, but does not require, leaving the
partly-constructed context present on error if it was present on
entry. At the moment we are ignoring that preference.)
[ghudson@mit.edu: Rewrote commit message with more details]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Revision fcdd2de1 added the K5_KEY_GSS_KRB5_ERROR_MESSAGE key, and
registered it in the gssapi library initialization routine, but
did not unregister it in the libary finalization routine.
When the library is unloaded and reloaded in the same process,
this leads to an assertion failure, since we check that
destructors_set[keynum] is zero (no destructor set) when registering
a key in util/support/threads.c.
Unregister the key on library cleanup to resolve the error.
ticket: 7353
target_version: 1.10.4
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In the MSLSA cache, if we get back a zero-length ticket, don't
accept it as success; continue on to try and get an acceptable
ticket.
ticket: 7349 (new)
subject: SapGUI sometimes crashes on new session with MSLSA cache
target_version: 1.10.4
tags: pullup
|
|
|
|
| |
ticket: 7354
|
|
|
|
|
|
|
| |
Using the new internal JSON support to implement serialization and
unserialization of krb5 GSS credentials.
ticket: 7354
|
|
|
|
|
|
|
|
| |
Add gss_export_cred and gss_import_cred mechglue functions to
serialize and unserialize GSSAPI credential handles. Mechanism
implementations and tests will follow.
ticket: 7354 (new)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add new APIs:
* krb5_get_init_creds_opt_set_responder
* krb5_responder_get_challenge
* krb5_responder_list_questions
* krb5_responder_set_answer
If a caller sets a responder, it will be invoked after preauth modules
have had a chance to review their incoming padata but before they produce
outgoing padata. The responder will be presented a set of questions with
optional challenges. The responder should then answer all questions it knows
how to handle. Both the answers and the challenges are printable UTF-8 and
may contain encoded, structured data specific to the question asked.
Add two new callbacks and one optional method to the clpreauth
interface. The new method (prep_questions) allows modules to ask questions
by setting them in the responder context using one of the new callbacks
(ask_responder_question). The other new callback (get_responder_answer) is
used by the process method to read the answers to the questions asked.
ticket: 7355 (new)
|
|
|
|
|
|
|
| |
25ee704e83c2c63d4b5ecd12ea31c1979239041e added three new public GSSAPI
functions; add them to the DLL export file.
ticket: 7217
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The upstream libverto depends on dynamic loading and in particular on
dladdr(), which is not universal. To avoid this dependency, stub out
support for module loading (by replacing module.c) and instead
integrate the k5ev module directly into the bundled verto library.
This change removes the need to link, include, and invoke libverto
differently depending on whether we're using the bundled library; we
can always just link with -lverto and call verto_default().
bigredbutton: whitespace
ticket: 7351 (new)
|
|
|
|
| |
ticket: 7347 (new)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When using v4 file credentials caches, client clock skew offsets
obtained when running with the kdc_timesync option set are persisted in
the ccache. This allows the offsets to be used across separate contexts,
e.g. when obtaining credentials using krb5 interfaces and subsequently
importing those credentials for use in gssapi. This patch adds similar
support for memory credentials caches.
[ghudson@mit.edu: Minor style corrections.]
ticket: 7346 (new)
|
|
|
|
|
| |
The most recent commit to g_acquire_cred.c allocates an OID set to
pass to the mech, but never releases it. Fix that.
|
|
|
|
|
|
|
|
|
| |
We can't mix the KRB5 and CC error constants; standardize on the CC ones
and translate appropriately.
ticket: 7339 (new)
target_version: 1.10.4
tags: pullup
|
|
|
|
|
|
|
|
|
|
|
|
| |
It is not really clear this is correct, but neither was the
previous behavior.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7255 (new)
queue: kfw
target_version: 1.10.4
tags: pullup
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
We used to explicitly check if a process was UAC-limited and deny all
access to the TGT in that case; however, this makes the MSLSA cache
effectively useless.
Do not try to outsmart UAC, and let it do its own checking -- this allows
UAC-limited access to the MSLSA ccache, which should mean read-write
access to service tickets, and write-only access to the TGT.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
[kaduk@mit.edu: delete instead of comment out, move comment.]
ticket: 7254 (new)
queue: kfw
target_version: 1.10.4
tags: pullup
|
|
|
|
|
|
| |
unistd.h is not available on Windows and isn't needed for this file,
so don't include it. Two arguments to asprintf in choose_token() were
reversed.
|
|
|
|
|
|
|
|
|
|
|
| |
Only one mslsa ccache is supported, so switch_to is not needed.
Likewise, struct krb5int_lcc_iterator is unneccesary.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7236 (new)
target_version: 1.10.4
tags: pullup
|
| |
|
|
|
|
|
| |
Fix minor typos in lib/krb5/krb/Makefile.in and
tests/gssapi/Makefile.in so that "make depend" will work.
|
|
|
|
|
|
|
| |
Implements the client side of RFC 6560. Not all features are
implemented, but it should work for the most common cases.
ticket: 7242 (new)
|
|
|
|
|
|
|
| |
Add encoders and decoders for the OTP-TOKENINFO, PA-OTP-CHALLENGE,
PA-OTP-REQUEST, and PA-OTP-ENC-REQUEST types from RFC 6560. For more
thorough testing, add support for generating test encodings using
asn1c for sample objects (currently only for the OTP types).
|
|
|
|
|
|
|
| |
k5buf_to_gss was used in only one place (generic_gss_oid_to_str),
where we want to include the terminating null byte in the GSS buffer.
Remove that assumption from the helper, and instead explicitly append
the null byte to the buffer before translating.
|
|
|
|
|
|
|
|
|
| |
If apply_keysalt_policy is called with null result arguments (as from
kadm5_setkey_principal_3), we would dereference a null pointer if the
principal has no policy or no policy allowed_keysalts field, due to an
incorrect optimization. Reported by Nico.
ticket: 7223
|
| |
|
|
|
|
|
|
|
| |
krb5_gss_export_name uses malloc to construct a gss_buffer_desc value,
and should use gssalloc_malloc instead.
ticket: 7233
|
|
|
|
|
|
|
| |
Use free() instead of gss_release_buffer() when freeing buffers in
libgssrpc which weren't constructed by GSSAPI. This mixing is
harmless in normal configurations (since libgssrpc is only used on
Unix), but fails with DEBUG_GSSALLOC.
|
|
|
|
|
|
|
|
|
| |
Fix some GSSAPI buffer allocations which were missed in
800358b1790ef82710af0b6021c6ff2dca2b0de7: gss_export_sec_context,
gss_display_name, and IAKERB and SPNEGO token construction.
ticket: 7233 (new)
tags: pullup
|
|
|
|
|
|
|
|
|
|
| |
Because the gssalloc macros are normally equivalent to malloc and free
on Unix, we cannot use the full test suite to find cases where we
allocate with malloc and free with gssalloc_free or vice versa.
Provide a way to test for this kind of bug (if only in a special build
configuration) by supporting a DEBUG_GSSALLOC symbol, which causes the
gssalloc wrappers to be deliberately incompatible with malloc and
free.
|