| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new function ulog_get_sno_status, which checks a serial number
and timestamp against the ulog for currency. Use it in kdb5_util dump
and in ulog_get_entries. Adjust parse_iprop_header's contract in
dump.c to better match the ulog_get_sno_status contract.
This change causes some minor behavior differences. kadmind will
check for an empty ulog unless the last serial number matches exactly,
and will never set lastentry when returning UPDATE_FULL_RESYNC_NEEDED
(which was pointless). kdb5_util dump will recognize a dump file as
current if it exactly matches the last serial number, even if the ulog
is empty; it will be more robust in the presence of non-monotonic
clocks; and it will properly lock around the ulog access.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since we are no longer treating the update log like a journal (#7552),
we don't need two-stage update logging. In kdb5.c, add an update log
entry after each DB change in one step, without getting an explicit
lock. In kdb_log.c, combine ulog_add_update with ulog_finish_update,
and make ulog_add_update lock the ulog internally.
This change avoids deadlock by removing the only cases where the ulog
is locked before the DB.
ticket: 7861
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Although RFC 6806 Section 7 requires servers to indicate a client
referral in a WRONG_REALM message, Microsoft Windows Server 2003
returns this information in a message with error code
PRINCIPAL_UNKNOWN. Failure to follow the referral in these messages
prevents referral chasing in Windows Server 2003 forests. Detect
referral messages of this type by checking for a non-empty
client.realm field in the response, and activate the referral logic in
these cases.
[tlyu@mit.edu: style, comments, and commit message]
ticket: 7856 (new)
target_version: 1.12.2
tags: pullup
|
|
|
|
|
| |
When t_stringattr.c was introduced, it wasn't added to EXTRADEPSRCS,
so no dependencies were created for it. Fix that now.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sam2_process accesses gak_data to get the password, so that it can do
string-to-key with the etype in the SAM-2 challenge. When #7642
changed gic_pwd.c to use struct gak_password instead of krb5_data,
sam2_process wasn't altered to match. We don't see a problem when the
password is read through the prompter (as with kinit), because the
password winds up in the storage field at the beginning of the
gak_password structure. But when a password is supplied as a
parameter (as with ksu), the storage field is empty and we get the
wrong answer from sam2_process.
ticket: 7862
target_version: 1.12.2
tags: pullup
|
|
|
|
|
|
|
| |
Call krb5_get_default_realm instead of directly accessing
context->default_realm, to remove the requirement that
krb5_get_default_realm or krb5_set_default_realm be used before
krb5_db_open.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
r25590 changed negotiate_mech() to return an alias into the acceptor's
mech set, with the unfortunate side effect of transforming the
erroneous Microsoft krb5 mech OID into the correct krb5 mech OID,
meaning that we answer with a different OID than the requested one.
Return an alias into the initiator's mech set instead, and store that
in mech_set field the SPNEGO context. The acceptor code only uses
mech_set to hold the allocated storage pointed into by internal_mech,
so this change is safe.
ticket: 7858
target_version: 1.12.2
tags: pullup
|
|
|
|
|
|
|
|
| |
ulog_get_entries does not access the KDB, only the ulog, so it does
not need a KDB lock; its read lock on the ulog is sufficient to
prevent logged updates from happening while it is running. There is
no reason to serialize against unlogged KDB updates such as those
performed by the KDC, as those do not affect the ulog.
|
|
|
|
|
|
|
| |
Always map the ulog with FKCOMMAND, not FKLOAD which reinitializes the
ulog. Don't reinitialize the ulog until just before calling
krb5_db_promote(). Get rid of FKLOAD since it isn't needed any more;
we can just call ulog_init_header() manually.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Don't use "extern" for kdb_log.h prototypes.
* Avoid passing structures by value.
* Avoid the need to cast the result of the INDEX macro, and use char *
instead of unsigned long for pointer arithmetic.
* Reorganize kdb_log.c so static helpers are at the top and don't use
the "ulog_" prefix.
* Get rid of ulog_finish_update_slave since it's more concise to
open-code it in ulog_replay.
* Get rid of ulog_delete_update. In krb5_db_delete_principal, just
call ulog_add_update with kdb_deleted set in upd.
* Modernize coding style of kproplog.c. Use k5memdup0 instead of
snprintf in print_str to convert a byte range to a C string.
Remove an unnecesary textdomain call; libkrb5 takes care of calling
bindtextdomain in the library initializer.
* Modernize coding style of kpropd.c and kprop.c.
No functional changes.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a process terminates in the middle of a logged database update, it
will release its lock and leave the ulog in the KDB_UNSTABLE state.
kadmind should notice this when it calls ulog_get_entries, but right
now it only checks for the KDB_CORRUPT state (which is never set any
more) and does not recover. Check for any state other than KDB_STABLE
and recover by resetting the ulog and forcing full resyncs to slaves.
ticket: 7853 (new)
target_version: 1.12.2
tags: pullup
|
|
|
|
|
|
|
|
|
| |
Add a unit test program named t_ulog. Make it map a ulog file, set up
header state where kdb_last_sno is the last serial number, and then
add an empty update. Check that the result is a ulog header with one
update at serial number 1.
ticket: 7839
|
|
|
|
|
|
|
|
|
|
|
| |
When we wrap the serial number, reinitialize the ulog so that kdb_num
starts counting from 1, instead of leaving the ulog in a weird state
where kdb_num == ulogentries but kdb_last_sno == 1 and the serial
numbers in the circular array aren't necessarily contiguous.
ticket: 7839 (new)
target_version: 1.12.2
tags: pullup
|
|
|
|
|
|
|
|
|
| |
Nobody is likely to ever ask for zero bytes of output from
gss_pseudo_random, but if they do, just return an empty buffer without
allocating. Otherwise we leak memory because gss_release_buffer
doesn't do anything to buffers with length 0.
ticket: 7838 (new)
|
|
|
|
|
|
|
|
|
| |
There is no reason to deny a zero-length cred store, so don't check
for it in val_acq_cred_args or val_add_cred_args.
ticket: 7836 (new)
target_version: 1.12.2
tags: pullup
|
|
|
|
|
|
|
|
|
|
| |
The "rcache" cred store entry can specify a replay cache type and name
to be used with the credentials being acquired.
[ghudson@mit.edu: split up, simplified, and altered to fit preparatory
commits]
ticket: 7819 (new)
|
|
|
|
|
|
|
|
|
| |
The error handler in acquire_cred_context didn't release the rcache,
which would cause it to leak if we failed after acquire_accept_cred.
ticket: 7818 (new)
target_version: 1.12.2
tags: pullup
|
|
|
|
|
|
| |
Use a cleanup handler instead of releasing kt in multiple error
clauses. Wrap a long line and fix a comment with a missing word.
Rewrap the function arguments to use fewer lines.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Move the time offset lookup from krb5_krcc_resolve to make_cache, so
that we fetch time offsets for caches created by
krb5_krcc_ptcursor_next.
ticket: 7820
target_version: 1.12.2
tags: pullup
|
|
|
|
|
|
|
|
|
| |
RFCs 2743 and 4121 recommend that implementations produce empty tokens
from gss_delete_sec_context, and trying to produce one can cause
gss_delete_sec_context to fail on a partially established context.
Patch from Tomas Kuthan.
ticket: 7816 (new)
|
|
|
|
|
| |
Items in .data other than shuffle_mask are unused; delete them.
Delete the unused macro load_and_inc4. Move shuffle_mask to .rodata.
|
|
|
|
|
|
|
|
|
|
| |
Use PC-relative addressing to avoid runtime text relocations on i386.
Adapted patch from Nalin Dahyabhai.
ticket: 7815
target_version: 1.12.1
tags: pullup
|
|
|
|
|
|
|
|
|
|
|
| |
If the session keyring matches the user session keyring, write
explicitly to the user session keyring. Otherwise the kernel might
create a new session keyring for the process, making the resulting
cache collection invisible to other processes.
ticket: 7814
target_version: 1.12.1
tags: pullup
|
|
|
|
|
|
|
|
|
| |
Use various standard C library functions rather than rolling our own.
Previous code spent many lines reimplementing realloc(), strpbrk(),
strtok_r(), etc.
Make a separate string_to_keysalt() parser for an individual keysalt
pair, which for now is private and destructive.
|
|
|
|
|
|
|
|
|
|
| |
Make krb5_string_to_keysalts() default to only ":" as a key:salt
separator character. Change most of its callers to pass NULL so they
get the default separators.
Adapted from a patch proposed by Jon Looney.
ticket: 884
|
|
|
|
|
|
|
|
| |
krb5_string_to_keysalts() treats an empty salt field as -1 ("ignore"),
rather than as the normal salttype. Default to normal instead, so
that omitting a salttype works as expected.
ticket: 6042
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some Linux systems now come with facilities to mark the stack as
non-executable, making it more difficult to exploit buffer overrun
bugs. For this to work, object files built from assembly need a
section added to note whether they require an executable stack.
Patch from Dhiru Kholia with comments added. More information at:
https://bugzilla.redhat.com/show_bug.cgi?id=1045699
https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart
ticket: 7813
target_version: 1.12.1
tags: pullup
|
|
|
|
| |
ticket: 7800
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Previously, if you passed a service name with a realm part to a
kadm5_init function, you would get a KRB5_PARSE_MALFORMED error
because the code would internally append its own '@realm' suffix
before parsing the name. Fix this as follows:
Change gic_iter so instead of producing a full service name, it
produces a krb5_principal which is taken from the cred it acquires.
Pass the client and full service name around as principals, rather
than strings, and use the gss_nt_krb5_principal name type to import
them in setup_gss(). Don't append a realm to the input service name;
instead, pass the input service name directly to the gic functions
(which do not need a realm in the service name and will ignore the
realm if one is present). For the INIT_CREDS case, parse the input
service name with KRB5_PRINCIPAL_PARSE_IGNORE_REALM and then set the
realm.
ticket: 7800
|
|
|
|
|
|
|
|
|
|
|
| |
The "realm" variable in init_any is used only to fill in the realm of
the service principal in gic_iter(). The service principal realm
should always be the realm we looked up config parameters for, so we
can supply that realm to get_init_creds() unconditionally and
eliminate the case where we use the client principal realm.
Also get rid of an outdated comment and an #if 0 block we will never
need again, and use SNPRINTF_OVERFLOW to check the snprintf result.
|
| |
|
|
|
|
|
|
|
|
|
| |
keyctl purge was added in keyutils 1.5 (released in March 2011). Use
keyctl unlink to clean up keys instead, as it is more universal.
ticket: 7810
target_version: 1.12.1
tags: pullup
|
|
|
|
|
|
|
|
|
|
|
|
| |
When attempting to use a keyring cache that doesn't exist, set an error
message when we fail to read a principal name, as we do when we return
the same error code when using a file ccache.
[ghudson: removed unnecessary check for d->name nullity.]
ticket: 7809
target_version: 1.12.1
tags: pullup
|
|
|
|
| |
Missing $
|
|
|
|
|
|
|
|
| |
This test program isn't completely proof against the kind of mistakes
we've made with krb5_copy_context in the past, but it at least
exercises krb5_copy_context and can detect some kinds of bugs.
ticket: 7807
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
krb5_copy_context has been broken since 1.8 (it broke in r22456)
because k5_copy_etypes crashes on null enctype lists. Subsequent
additions to the context structure were not reflected in
krb5_copy_context, creating double-free bugs. Make k5_copy_etypes
handle null input and account for all new fields in krb5_copy_context.
Reported by Arran Cudbard-Bell.
ticket: 7807 (new)
target_version: 1.12.1
tags: pullup
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To avoid potential recursion we use a thread local variable that tells
us whether the ancestor was called via spnego_gss_display_name(). If
we detect recursion, we assume that we returned a com_err code like
ENOMEM and call error_message(); in the worst case that will result in
an "Unknown error" message.
[ghudson@mit.edu: Edited comments and commit message; removed an
unneeded line of code.]
ticket: 7045
target_version: 1.12.1
tags: pullup
|
|
|
|
|
| |
The vtbl and locate_fptrs fields were ostensibly related to the locate
pluggable interface, but weren't actually used.
|
|
|
|
|
|
|
|
|
|
|
|
| |
For a long time we have allowed krb5 contexts to be initialized in the
absence of krb5.conf--but only if KRB5_DNS_LOOKUP is defined,
presumably on the theory that no KDCs could be contacted without
either DNS support or profile configuration. But locate plugins could
provide the ability to find KDCs, and some libkrb5 operations (such as
IAKERB initiation) could succeed without needing to locate KDCs.
Also get rid of the profile_in_memory context flag, since we don't use
it any more.
|
|
|
|
|
|
|
|
|
|
|
|
| |
When acquiring acceptor creds with a specified name, if we fail to
open a replay cache, we leak the keytab handle. If there is no
specified name and we discover that there is no content in the keytab,
we leak the keytab handle and return the wrong major code. Memory
leak reported by Andrea Campi.
ticket: 7805
target_version: 1.12.1
tags: pullup
|
|
|
|
|
|
|
|
|
|
|
|
| |
If we eliminate a mechanism from the initiator list because
gss_init_sec_context fails, free the memory for that mech OID before
removing it from the list.
[ghudson@mit.edu: clarified commit message]
ticket: 7803 (new)
target_version: 1.12.1
tags: pullup
|
|
|
|
|
|
|
|
| |
In init_ctx_cont, if the response token contains no fields, we set a
return value but don't actually quit out of the function. We do not
need this check (we will fail later on if a piece of required
information isn't present), so just remove it. Reported by
simo@redhat.com.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
IIS 6.0 and similar return a zero length reponse buffer in the last
SPNEGO packet when context initiation is performed without mutual
authentication. In this case the underlying Kerberos mechanism has
already completed successfully on the first invocation, and SPNEGO
does not expect a mech response token in the answer. If we get an
empty mech response token when the mech is complete during
negotiation, ignore it.
[ghudson@mit.edu: small code style and commit message changes]
ticket: 7797 (new)
target_version: 1.12.1
tags: pullup
|
|
|
|
|
|
|
|
|
| |
MSSQLSvc principal names can contain a ":port" or ":instance" trailer
on the hostname part. If we see that in the hostname argument of
krb5_sname_to_principal(), remove it before canonicalizing the
hostname and put it back on afterwards.
ticket: 7795 (new)
|
|
|
|
|
| |
Refactor and edit sn2princ.c to match current coding style. No
behavior changes, except to be less chatty in trace logs.
|
| |
|
|
|
|
|
|
|
| |
If we read a zero-length token in spnego_mech.c's get_input_token(),
set the value pointer to NULL instead of calling malloc(0).
ticket: 7794 (new)
|
|
|
|
|
|
|
|
|
|
|
| |
When we added FAST TGS support in 1.11, we broke S4U2Self against KDCs
which don't support FAST, because the S4U2Self padata is only present
within the FAST request. For now, duplicate that padata in the outer
request so that both FAST and non-FAST KDCs can see it.
ticket: 7791
target_version: 1.11.5
tags: pullup
|
|
|
|
|
|
| |
Add another blank line before section headers. Avoid contractions.
Change some whiches to thats where it seems appropriate. Fix some
missing or extra words.
|