| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
Move krb5int_make_tgs_request from gc_via_tkt.c into send_tgs.c,
combine it with krb5int_make_tgs_request_ext (which nothing else
called), and rename the combined function to k5_make_tgs_req. Also
use a typedef for the pacb callback.
|
| |
|
|
|
| |
Bring send_tgs.c up to date with current coding practices. No
functional changes.
|
| |
|
|
|
| |
Use a proper cipher state in the auth context structure, and free it
when the auth context is freed. Simplify mk_priv/rd_priv accordingly.
|
| |
|
|
| |
ticket: 7565 (new)
|
| |
|
|
|
|
|
|
|
|
| |
In krb5_auth_con_initivector and mk_priv/rd_priv, stop assuming that
the enctype's block size is the size of the cipher state. Instead,
make and discard a cipher state to get the size.
ticket: 7561
target_version: 1.11.1
tags: pullup
|
| |
|
|
|
|
| |
ticket: 7553
target_version: 1.11.1
tags: pullup
|
| |
|
|
|
|
| |
Check the ulog pointer, which is a little more direct, rather than the
ulogfd field. (ulogfd is currently initialized to 0 prior to
ulog_map; we could fix that instead, but this feels simpler.)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The db2 DB is not power-fail safe. There's no point trying to
replay an incompletely committed entry from the ulog at kadmind
startup time. For that matter, even if the db2 DB was power-fail
safe there'd be no point replaying an uncommitted entry from the
ulog as the libkadm5srv app (nor any client of it, as in the case of
kadmind) will not have received any notice of success -- it'd be
wrong to complete that operation later when the user thought it'd
failed.
[ghudson@mit.edu: merge with master, adjust comment]
ticket: 7552 (new)
|
| |
|
|
|
|
|
|
| |
Since iprop cannot carry policy changes, force a full resync to happen
each time a policy change occurs. Based on a patch from
Richard Basch <basch@alum.mit.edu>.
ticket: 7522
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the master iprop log is reinitialized to serial number 0, slaves
will need to take a full dump--but after that happens, we need to know
whether the slave has taken that full dump, we we don't offering full
dumps indefinitely.
So, record a timestamp in kdb_last_time when we reinitialize the log
header, and compare the slave timestamp to kdb_last_time whenever it
has the current serial number, even if it's 0. Test this by
performing a propagation with sno 0 in t_iprop.py and detecting
whether kpropd gets a second UPDATE_FULL_RESYNC_NEEDED response from
kadmind.
ticket: 7550 (new)
|
| |
|
|
|
| |
ulog_get_entries had an unreachable branch which was removed during
de-indentation.
|
| |
|
|
|
|
|
|
|
|
|
| |
Add a helper predicate to determine whether to log operations. In the
predicate, check if the ulog is actually mapped. Use a single cleanup
label in krb5_db_put_principal. Use a cleanup label in
krb5_db_delete_principal instead of releasing resources individually
at each exit point. Avoid locking and unlocking the ulog if we're not
logging (although it would be a no-op).
Based on a patch from Nico Williams <nico@cryptonector.com>.
|
| |
|
|
|
|
|
| |
Read realm parameters directly from the profile in the KDC's
init_realm(), getting rid of the intermediate krb5_realm_params
structure. Then get rid of krb5_realm_params and
krb5_read_realm_params, since nothing else uses it.
|
| |
|
|
|
|
|
| |
krb5_realm_params is only consumed by the KDC (everything else uses
kadm5_config_params), so only needs to contain fields used by the KDC.
Get rid of everything else. Also get rid of realm_profile, which is
read in by KDC code but never used (and was never set anyway).
|
| |
|
|
|
|
| |
Get rid of K&R-style function headers, format code and comments
consistently according to current conventions, rename some variables
using idiomatic names, and de-indent some nested control blocks.
|
| |
|
|
|
|
|
|
|
|
|
| |
Remove some unnecessary optimizations to reduce code complexity. Get
rid of krb5_match_config_pattern in favor of a simpler helper function
in do_tgs_req_c. Get rid of KRB5_CONF_ASTERISK and just use "*"
instead. Use a helper function to combine [kdcdefaults] and realm
subsection values of variables, and don't bother adding leading and
trailing spaces. Consistently use the names "hostbased" and
"no_referral" to refer to variable values (with a "realm_" prefix for
structures which currently use it).
|
| |
|
|
|
|
|
|
|
|
|
| |
profile_get_values() cannot return success with an empty list of
values, so don't bother counting them. Return 0 from
locate_srv_conf_1 if no profile values exist and from
dns_locate_server if we decide not to make a SRV query. Adjust
k5_locate_server to match the new helper behavior, and return
KRB5_REALM_UNKNOWN if neither profile nor DNS come up with any answers
(not KRB5_REALM_CANT_RESOLVE, which doesn't make sense now that we're
deferring KDC hostname resolution).
|
| |
|
|
|
| |
Mostly this gets rid of the trailing space on line 2 after
bb76891f5386526bdf91bc790c614fc9296cb5fa.
|
| |
|
|
|
|
|
|
|
| |
kadm5_create_policy and kadm5_modify_policy had _internal variants in
libkadm5srv (but not libkadm5clnt) which only existed to protect the
policy_refcnt field from modification over the wire. Now that
policy_refcnt is no longer used, we don't need the separation.
Bump the library soname since this is technically an ABI change.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Stop using and maintaining the policy_refcnt field, and do not try to
prevent deletion of a policy which is still referenced by principals.
Instead, allow principals to refer to policy names which do not exist
as policy objects; treat those principals as having no associated
policy.
In the kadmin client, warn if addprinc or modprinc tries to reference
a policy which doesn't exist, since the server will no longer error
out in this case.
ticket: 7385
|
| |
|
|
|
| |
KRB5_CONF_ prefix should be used for the krb5/kdc.conf parameters.
Use KRB5_CC_CONF_ prefix for cache configuration variables.
|
| |
|
|
|
|
|
|
| |
When asserting that out has advanced the expected number of bytes in
generic_gss_str_to_oid, avoid adding to oid->elements, which is a void
pointer. Instead subtract from out and compare.
ticket: 7524
|
| |
|
|
|
|
|
|
|
|
|
| |
Correct three cases where the wrong expression was checked to see if
an allocation function returned null.
[ghudson@mit.edu: commit message, patch splitting]
ticket: 7534
target_version: 1.11.1
tags: pullup
|
| |
|
|
|
|
|
|
|
| |
gssrpc raw services could not work because svcraw_create did not set
svcraw_private after allocating memory for it.
[ghudson@mit.edu: commit message, patch splitting]
ticket: 7534
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Neither function correctly handled OIDs whose second arc exceeds 47
(theoretically possible if the first arc is 2). gss_str_to_oid had
additional problems: it used scanf, it didn't consistently protect
against read overrun if the input buffer wasn't null-terminated, and
it could get confused by + or - characters in the first two arcs. Fix
gss_oid_to_str and rewrite gss_str_to_oid.
Also add a test program.
ticket: 7524 (new)
|
| |
|
|
|
|
|
|
|
|
|
| |
Calls to gssint_mecherrmap_map_errcode would result in calling
mecherror_copy with a zero-length mech OID, which would result in an
OID with 0 for length and malloc(0) for elements. On platforms which
return non-null from malloc(0), gssint_mecherrmap_destroy() wouldn't
free the elements pointer.
Avoid calling malloc(0) and don't use the length field to decide
whether to free an elements pointer.
|
| |
|
|
|
|
|
|
|
|
|
| |
gss_str_to_oid wasn't outputting any bytes for a zero-valued arc. It
should output one byte with value 0.
[ghudson@mit.edu: commit message]
ticket: 7523 (new)
target_version: 1.11.1
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
| |
The final fallback for krb5_timestamp_to_sfstring() is an explicit
European date-order format string passed to sprintf(). This can be
confused with a conventional US date format. Because we attempt to
build a strftime() replacement anyway, and we try passing some
unambiguous ISO 8601 date and time formats to strftime(), remove this
final fallback.
ticket: 7518 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
krb5_timestamp_to_string() can produce ambiguous dates. The final
fallback, "%d/%m/%Y %R", contains a European order date format that
can be confused with a US date format. Add some additional strftime()
format strings, including locale-dependent formats and some ISO 8601
formats. Remove the hardcoded strftime() format that had an ambiguous
date order.
ticket: 7458
target_version: 1.11
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The clpreauth rock had become a collection of alias pointers into the
init_creds context structure. Get rid of it and just pass the context
(suitably casted) to clpreauth modules. Simplify the signatures of
k5_preauth(), k5_preauth_tryagain(), process_pa_data(), and
fill_response_items() by referencing fields from the init_creds
context.
Since we can't use the non-nullity of rock->selected_preauth_type to
determine whether to record the selected preauth type, k5_preauth now
reports it in an output parameter, and get_in_tkt.c decides whether or
not to record it.
|
| |
|
|
|
|
|
| |
If the for loop never consults any preauth modules and must_preauth is
false, we might never set ret, so we need to initialize it. The bug
was introduced in 5c23bce0e8d3328bb36bc85ee10cfac486b8ae9b and is
detected by some versions of gcc with -O2.
|
| |
|
|
|
|
|
|
|
| |
clntraw_create has been broken since inception; on the first call, it
would compute invalid values of xdrs and client and dereference them.
Fix that. (This is pretty strong evidence that no one has ever used
it.) Reported by Nickolai Zeldovich <nickolai@csail.mit.edu>.
ticket: 7511
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The initial k5test.py design, copied from the dejagnu suite, is to
create config files and environments for four expected roles: client,
server, master, and slave. This approach exaggerates the complexity
of the common case, where the configurations don't need to vary, and
limits us to having just one slave for kprop/iprop tests.
Instead, create just one configuration by default, and add a
special_env() method which sets up a differently configured
environment for the few test cases which need one. The run_as_*()
methods are collapsed into just run(), which accepts an optional
argument for the environment returned by special_env().
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If we are responding to a KDC_ERR_PREAUTH_REQUIRED and cannot
preauthenticate, report the error from the first real preauth type we
tried.
k5_preauth() now accepts a boolean input indicating that it must
succeed on a real preauth type, instead of returning a boolean saying
whether or not it did.
ticket: 7517 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The preauth functions are internal to libkrb5, so use the k5_ prefix,
don't use KRB5_CALLCONV, and prototype them in int-proto.h. Also
remove krb5_do_preauth from the Unix libkrb5 export list.
Reorder the k5_preauth() and k5_preauth_tryagain() arguments for more
consistency with the clpreauth interface, and put the output padata
arguments at the end.
Rename any remaining uses of "kcontext" to "context" in preauth2.c.
|
| |
|
|
|
|
|
|
| |
With one exception (KRB5_PADATA_PKINIT_KX), every padata type
processed by a clpreauth module is now a real preauthentication type.
Reduce the amount of boilerplate required for a clpreauth module by
making the flags method optional if all of the preauth types
advertised by the module are real.
|
| |
|
|
|
|
|
|
| |
In preauth2.c, use wrapper functions for calls to clpreauth functions.
Get rid of the expanded-out module table, instead using a helper
function to find the handle for a preauth type. Replace use counts
with a list of previously processed pa types. Check for pa type
conflicts when loading clpreauth modules.
|
| |
|
|
|
|
|
| |
Since there is no overlap between the clpreauth and kdcpreauth
interface declarations, there's no particular reason to combine them
into one header. For backward compatibility and convenience, leave
behind a preauth_plugin.h which includes both.
|
| |
|
|
|
|
| |
In krb5_get_init_creds_password and krb5_get_init_creds_keytab, save
the extended error before retrying against the master KDC, and restore
that state if returning the error from the original request.
|
| | |
|
| |
|
|
|
|
|
| |
Fix style issues in kerrs.c and errors.c. Rename error handling
functions to use shorter k5_ prefix. Eliminate an inoperable
krb5int_set_error() call in gic_opte_alloc and convert the other
call to use krb5_set_error_message().
|
| |
|
|
|
|
|
|
|
|
|
| |
If a question's challenge is NULL, it is unnecessarily difficult for a
responder callback to detect whether it was asked. So it's better to
use an empty challenge when there is no challenge data to communicate.
Do this for the "password" question.
ticket: 7499 (new)
target_version: 1.11
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In kdc_util.c and spnego_mech.c, error returns from ASN.1 length
functions could be ignored because they were assigned to unsigned
values. In spnego_mech.c, two buffer size checks could be rewritten
to reduce the likelihood of pointer overflow. In dump.c and
kdc_preauth.c, calloc() could be used to simplify the code and avoid
multiplication overflow. In pkinit_clnt.c, the wrong value was
checked for a null result from malloc(), and the code could be
simplified.
Reported by Nickolai Zeldovich <nickolai@csail.mit.edu>.
ticket: 7488
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Add entries to OBJS and SRCS as well as STLIBOBJS.
Use KRB5_CALLCONV at function definition as well as declaration.
Declare missing variable in _WIN32-conditional code.
ticket: 7479 (new)
tags: pullup
target_version: 1.11
|
| |
|
|
|
|
|
|
| |
Since r25120, kill_conn() has been responsible for closing and
invalidating conn->fd. In the unlikely event that the KDC sends a TCP
response to us before we send a TCP request, we were cleaning up the
socket again, which is useless (though also harmless). Get rid of
that code.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In the second part of the first pass over the server list, we passed
the wrong list pointer to service_fds, causing it to see only a subset
of the server entries corresponding to sel_state. This could cause
service_fds to spin if an event is reported on an fd not in the
subset.
ticket: 7454
target_version: 1.10.4
tags: pullup
|
| |
|
|
|
|
|
|
| |
Fix memory leak.
ticket: 7457
tags: pullup
target_version: 1.11
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Our doxygen-to-sphinx documentation bridge only processes typedefs
and not structure definitions, since we almost universally use
typedefs for our data structures. krb5_trace_info is the sole
exception, so bring it into the fold.
While here, flesh out the comment a bit more.
ticket: 7447
tags: pullup
target_version: 1.11
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The trace messages in krb5int_clean_hostname were outputting the
entire contents of the output buffer (mostly uninitialized garbage)
into the trace log. Since these messages were essentially redundant
with messages in the callers, and were arguably at too low of a level
to begin with, simply remove them.
ticket: 7459 (new)
target_version: 1.11
tags: pullup
|
| | |
|
