path: root/src/lib
Commit message | Author | Age | Files | Lines
...
* Move utility functions to hostrealm.c | Greg Hudson | 2013-08-15 | 4 | -184/+134
  Move the remaining internal functions from hst_realm.c to hostrealm.c, and get rid of hst_realm.c.
  ticket: 7687
* Use hostrealm interface for realm mapping | Greg Hudson | 2013-08-15 | 11 | -467/+875
  Reimplement krb5_get_host_realm, krb5_get_fallback_host_realm, and krb5_get_default_realm in terms of the hostrealm interface. Three built-in modules (dns, domain, and profile) implement the current behavior.
  ticket: 7687
* Add hostrealm pluggable interface definition | Greg Hudson | 2013-08-15 | 1 | -1/+2
  ticket: 7687 (new)
* Remove KRB5_DNS_LOOKUP_KDC | Ben Kaduk | 2013-08-14 | 1 | -4/+0
  It has been unconditionally activated by all supported build systems for almost two years, and no complaints or issues have been reported. In particular, aclocal.m4 has had an unconditional AC_DEFINE() since 3d708e55 in 2003, and win-pre.in has unconditionally set KRB5_USE_DNS_KDC since 17ffebf7 in 2011. While here, simplify some other DNS conditionals in win-pre.in where only one branch was ever taken.
  ticket: 7691 (new)
* Fix windows build | Ben Kaduk | 2013-08-14 | 1 | -0/+1
  This routine is now used in the gssapi library and must be exported as such.
  ticket: 7688
* Fix localauth memory leak | Greg Hudson | 2013-08-12 | 4 | -0/+10
  localauth modules were not freed by krb5_free_context(), causing a memory leak.
* Add trace logging for TXT lookups | Greg Hudson | 2013-08-12 | 5 | -12/+15
  Rename krb5_try_realm_txt_rr (an internal function despite the name) and add a context parameter. Generate trace logs when we successfully look up a record and when a record is not found.
* Fix gss_krb5_set_allowable_enctypes for acceptor | Greg Hudson | 2013-08-12 | 1 | -2/+2
  The acceptor implementation of gss_krb5_set_allowable_enctypes (added in 1.9.1) is intended to restrict the acceptor subkey negotiated by krb5_rd_req(). It uses the same approach as the initiator, calling krb5_set_default_tgs_enctypes on the context. This has the unwanted side effect of restricting the encryption key of the ticket, because krb5_decrypt_tkt_part has checked krb5_is_permitted_enctype on the ticket encryption key since 1.8. Instead, use krb5_auth_con_setpermetypes on the auth context. This list is only used for session key enctype negotiation. Also add automated tests to verify that gss_krb5_set_allowable_enctypes works as desired.
  ticket: 7688 (new)
  target_version: 1.11.4
  tags: pullup
* Report KDC response sizes in trace logs | Greg Hudson | 2013-08-07 | 1 | -1/+1
* Remove unused function arguments in cc_keyring.c | Simo Sorce | 2013-08-02 | 1 | -172/+149
  The credential serialization functions do not operate on a ccache, so do not need it as an argument.
  [ghudson@mit.edu: clarified commit message, rewrapped shortened lines]
* Fix leak in krb5_krcc_unparse_cred on error | Greg Hudson | 2013-08-02 | 1 | -1/+3
  Based on a patch from simo@redhat.com.
* Remove old comments in sendto_kdc.c | Robbie Harwood (frozencemetery) | 2013-07-30 | 1 | -12/+0
  The commented code in question is present in set_conn_state_msg_length which is called immediately after the comments.
  [ghudson@mit.edu: clarified commit message]
* Remove is_udp field in sendto_kdc.c conn_state | Robbie Harwood (frozencemetery) | 2013-07-30 | 1 | -5/+1
  This field is redundant with addr.type.
  [ghudson@mit.edu: removed extraneous changes; clarified commit message]
* Load import/export cred functions from GSS modules | Simo Sorce | 2013-07-21 | 1 | -0/+4
  When the import/export credential feature was implemented the related functions were added to struct gss_config, but the initialization function that dynamically loads modules was not changed to see if the plugin being loaded provided such functions. This will allow non-builtin mechanism and interposer mechanism to implement custom import/export credential extensions if they wish.
  ticket: 7682
* Load cred store functions from GSS modules | Simo Sorce | 2013-07-21 | 1 | -0/+4
  When the credential store feature was implemented the related functions were added to struct gss_config, but the initialization function that dynamically loads modules was not changed to see if the plugin being loaded provided such functions. This will allow non-builtin mechanism and interposer mechanism to implement custom credential store extensions if they wish.
  ticket: 7682
* Add non-JSON APIs for PKINIT responder items | Nalin Dahyabhai | 2013-07-17 | 5 | -0/+225
  Add wrappers for the JSON-oriented APIs for PKINIT responder items, modeled after the API we provide for OTP items:
    * krb5_responder_pkinit_get_challenge() returns the list of identities for which we need PINs
    * krb5_responder_pkinit_challenge_free() frees the structure that was returned by krb5_responder_pkinit_get_challenge()
    * krb5_responder_pkinit_set_answer() sets the answer to the PIN for one of the identities
  [ghudson@mit.edu: style cleanup; added comment pointing to main body of PKINIT module]
  ticket: 7680
* Add kadmin support for principals without keys | Greg Hudson | 2013-07-15 | 2 | -3/+9
  Add kadmin support for "addprinc -nokey", which creates a principal with no keys, and "purgekeys -all", which deletes all keys from a principal. The KDC was modified by #7630 to support principals without keys.
  ticket: 7679 (new)
* Avoid allocating zero key_data structures | Greg Hudson | 2013-07-15 | 2 | -21/+20
  When we allocate space for an array of key_data structures, make sure we allocate at least one, so we don't spuriously fail on platforms where malloc(0) returns NULL. Where we use malloc, use k5calloc instead. Where we use krb5_db_alloc or realloc, just allocate an extra entry.
* Use pipe instead of sigwait for krad tests | Greg Hudson | 2013-07-14 | 2 | -27/+17
  We've never used sigwait() before, and it has some problems on Solaris 10 (a nonconformant prototype by default, and experimentally it didn't seem to work correctly with _POSIX_PTHREAD_SEMANTICS defined). Use a pipe instead. Make t_daemon.py less chatty on stdout to avoid filling the pipe buffer.
* Fix minor type issues in krad tests | Greg Hudson | 2013-07-14 | 2 | -2/+2
  Use unsigned char for test encodings, since the initializers use values greater than 127.
* Use k5calloc instead of k5alloc where appropriate | Greg Hudson | 2013-07-11 | 14 | -18/+18
  Wherever we use k5alloc with a multiplication in the size parameter, use the new k5calloc helper function instead.
* Add libkrad | Nathaniel McCallum | 2013-07-11 | 21 | -1/+3427
  The new library libkrad provides code for the parsing of RADIUS packets as well as client implementation based around libverto. This library should be considered unstable.
  ticket: 7678 (new)
* Fix uninitialized variable bugs | Greg Hudson | 2013-06-27 | 1 | -1/+1
  The previous few commits introduced a couple of bugs where variables could be used without being initialized. Fix them.
* Rely on module ordering for localauth | Greg Hudson | 2013-06-27 | 1 | -25/+6
  Register built-in localauth modules in the order we want them used by default, and document accordingly.
  ticket: 7665
* Provide plugin module ordering guarantees | Greg Hudson | 2013-06-27 | 1 | -188/+265
  Rewrite the plugin internals so that modules have a well-defined order--either the order of enable_only tags, or dynamic modules followed by the built-in modules in order of registration.
  ticket: 7665 (new)
* Fix spin loop reading from KDC TCP socket | Viktor Dukhovni | 2013-06-26 | 1 | -2/+2
  In the k5_sendto code for reading from a TCP socket, detect end-of-stream when reading the length. Otherwise we can get stuck in an infinite loop of poll() and read().
  [ghudson@mit.edu: commit message]
  ticket: 7508
  target_version: 1.11.4
  tags: pullup
* Fix various warnings | Greg Hudson | 2013-06-07 | 29 | -199/+89
* Use KDC clock skew for AS-REQ timestamps | Greg Hudson | 2013-06-05 | 1 | -5/+12
  Calculate request timestamps each time we encode a request, and use the adjusted current time when calculating them, including adjustments resulting from preauth-required errors early in the AS exchange. As a side effect, this reverts one of the changes in commit 37b0e55e21926c7875b7176e24e13005920915a6 (#7063); we will once again use the time adjustment from any ccache we read before the AS exchange, if we don't have a more specific adjustment from a preauth-required error. Based on a patch from Stef Walter.
  ticket: 7657 (new)
* Refactor AS-REQ nonce and timestamp handling | Greg Hudson | 2013-06-05 | 3 | -67/+78
  Create helper functions to set the request nonce and to set the request timestamp. Don't bother picking a nonce in restart_init_creds_loop since we will just pick a new one in init_creds_step_request. Create a library-internal function to get the current time with possible adjustment from a preauth-required error. Only set ctx->request_time in one place (just before encoding each request). Remove unused parameters from stash_as_reply. Partially based on a patch from Stef Walter.
* Fix spurious clock skew caused by preauth delay | Greg Hudson | 2013-06-02 | 1 | -0/+3
  Commit 37b0e55e21926c7875b7176e24e13005920915a6 (#7063) prevented clock skew caused by preauth delay by recording the time of the initial request. However, it failed to take into account delay between requests due to prompting during preauthentication. Fix this by recording the request time for each request.
  ticket: 7656 (new)
* Properly handle use_master in k5_init_creds_get | Greg Hudson | 2013-05-31 | 1 | -2/+4
  If we make multiple requests in an initial creds exchange, the krb5_sendto_kdc call in k5_init_creds_get may flip the use_master value from 0 to 1 if it detects that the response was from a master KDC. Don't turn this into a requirement for future requests during the same exchange, or we may have trouble following AS referrals. Reported by Sumit Bose.
  ticket: 7650
* Fix non-builtin crypto module builds | Greg Hudson | 2013-05-29 | 11 | -24/+39
  Commit 4b0985f8573840838bcfa8ec1df3dcd39a3dbf15 went a bit too far in pruning the placeholder makefiles for the openssl and nss crypto modules. We need enough boilerplate to create OBJS.SH in each directory.
* Make empty passwords work via init_creds APIs | Greg Hudson | 2013-05-27 | 4 | -86/+60
  In the gak_data value used by krb5_get_as_key_password, separate the already-known password from the storage we might have allocated to put it in, so that we no longer use an empty data buffer to determine whether we know the password. This allows empty passwords to work via the API. Remove the kadm5 test which explicitly uses an empty password. Based on a patch from Stef Walter.
  ticket: 7642
* Add AES-NI support on Linux | Greg Hudson | 2013-05-24 | 2 | -5/+138
  If yasm and cpuid.h are present on a Linux i686 or x64 system, compile the modified Intel AES-NI assembly sources. In the builtin AES enc provider, check at runtime whether the CPU supports AES-NI instructions and use the assembly functions if so.
* Adjust AESNI sources for krb5 tree | Greg Hudson | 2013-05-24 | 2 | -2588/+17
  Remove functions we don't need. Add macros to redefine functions with an appropriate namespace prefix.
* Add Intel AESNI assembly files | Greg Hudson | 2013-05-24 | 2 | -0/+4280
  Add assembly files from the Intel AESNI Sample Library, version 1.2, which implement AES encryption using AES-NI instructions. Trailing whitespace was removed.
* Refactor AES, Camellia builtin enc providers | Greg Hudson | 2013-05-24 | 2 | -302/+309
  In preparation for AES-NI support, adjust the block encryption helpers in the AES enc provider so that the cache is only touched by helpers, and reframe the CTS operations in terms of CBC operations. Change the Camellia enc provider as well for consistency.
* Simplify crypto IOV helpers | Greg Hudson | 2013-05-24 | 15 | -768/+375
  Expand the concept of an IOV block state into a cursor which remembers the IOV set being iterated over, the block size, and both input and output positions. Eliminate the no-copy inline block getter for now, but provide helpers to grab contiguous chains of blocks from a cursor. Also provide an inline helper to sum the total length of an iov chain.
* Fix transited handling for GSSAPI acceptors | Greg Hudson | 2013-05-21 | 1 | -3/+5
  The Acceptor Names project (#6855) extended krb5_rd_req so that it can accept a "matching principal" in the server parameter. If the matching principal has an empty realm, rd_req_decoded_opt attempted to do transited checking with an empty server realm. To fix this, always reset server to req->ticket->server for future processing steps if we decrypt the ticket using a keytab. decrypt_ticket replaces req->ticket->server with the principal name from the keytab entry, so we know this name is correct. Based on a bug report and patch from nalin@redhat.com.
  ticket: 7639
  target_version: 1.11.3
  tags: pullup
* Try to use best DNS search functions in dnsglue.c | Greg Hudson | 2013-05-19 | 1 | -23/+45
  Create macros to declare a DNS search handle, initialize a handle, perform a search, and destroy a handle. On OS X, use the native dns_open, dns_search, and dns_free functions, since using the res_* interfaces may not contact the correct servers. On systems with res_ninit, use res_nclose if we don't have res_ndestroy. Based on a patch by Nate Rosenblum.
* Reduce boilerplate in makefiles | Greg Hudson | 2013-05-16 | 57 | -413/+23
  Provide default values in pre.in for PROG_LIBPATH, PROG_RPATH, SHLIB_DIRS, SHLIB_RDIRS, and STOBJLISTS so that they don't have to be specified in the common case. Rename KRB5_RUN_ENV and KRB5_RUN_VARS to RUN_SETUP (already the most commonly used name) and RUN_VARS. Make sure to use DEFINES for local defines (not DEFS). Remove some other unnecessary makefile content.
* Fix windows build | Ben Kaduk | 2013-05-16 | 2 | -0/+2
  Catch a few stragglers that missed the memo that k5_mutex_lock cannot fail, and sprinkle some cc-int.h as needed.
* Fix NSS crypto back end for mutex changes | Greg Hudson | 2013-05-16 | 1 | -5/+2
  Adjust a stray k5_mutex_lock invocation in the NSS crypto back end after 6350fd0c909d84c00200885e722cc902049ada05.
* Assume mutex locking cannot fail | Greg Hudson | 2013-05-14 | 22 | -514/+176
  Locking and unlocking a non-recursive mutex is a simple memory operation and should not fail on any reasonable platform with correct usage. A pthread mutex can return EDEADLK on lock or EPERM on unlock, or EINVAL if the mutex is uninitialized, but all of these conditions would reflect serious bugs in the calling code. Change the k5_mutex_lock and k5_mutex_unlock wrappers to return void and adjust all call sites. Propagate this change through k5_cc_mutex_lock and k5_cc_mutex_unlock as well.
* Don't use "bool" for ASN.1 boolean macros | Nate Rosenblum | 2013-05-14 | 1 | -2/+2
  When building for IOS targets with clang, the stdbool.h header is included by default. This header includes the following C99 definition:
    #define bool _Bool
  which wreaks havoc with the DEFBOOLTYPE macro.
  ticket: 7525
* Rename internal Camellia symbols | Greg Hudson | 2013-05-13 | 1 | -0/+12
  Symbols from the NTT Camellia sources, used in the builtin crypto provider, could conflict with symbols from other libraries such as OpenSSL's libcrypto. Rename those like we rename the Gladman AES symbols.
  ticket: 7626
  target_version: 1.11.3
  tags: pullup
* fix crypto openssl hmac warning | Gilles Espinasse | 2013-05-09 | 1 | -1/+1
  ticket: 7634
* Fix mismatched spnego_mech.c declarations | Greg Hudson | 2013-05-03 | 1 | -3/+4
  The mechglue definitions of gssint_get_der_length and friends use unsigned int for the buffer length, not OM_uint32.
* Fix link line for t_fortuna | Gilles Espinasse | 2013-05-01 | 1 | -1/+1
  ticket: 7628
* Don't use portmapper in RPC tests | Greg Hudson | 2013-05-01 | 4 | -32/+48
  On many Linux systems, due to what is arguably a bug in rpcbind, the portmapper doesn't allow service registration from non-root processes. This causes the RPC tests to be frequently skipped. Modify the tests so that they don't need the portmapper, by grabbing the port number from the server process and passing it to the client.