| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
| |
Implements the client side of RFC 6560. Not all features are
implemented, but it should work for the most common cases.
ticket: 7242 (new)
|
| |
|
|
|
|
|
| |
Add encoders and decoders for the OTP-TOKENINFO, PA-OTP-CHALLENGE,
PA-OTP-REQUEST, and PA-OTP-ENC-REQUEST types from RFC 6560. For more
thorough testing, add support for generating test encodings using
asn1c for sample objects (currently only for the OTP types).
|
| |
|
|
|
|
|
| |
k5buf_to_gss was used in only one place (generic_gss_oid_to_str),
where we want to include the terminating null byte in the GSS buffer.
Remove that assumption from the helper, and instead explicitly append
the null byte to the buffer before translating.
|
| |
|
|
| |
Commit r21692 removed the KRB5_KDB_NON_MS_PRINCIPAL flag.
|
| |
|
|
|
|
|
|
|
| |
If apply_keysalt_policy is called with null result arguments (as from
kadm5_setkey_principal_3), we would dereference a null pointer if the
principal has no policy or no policy allowed_keysalts field, due to an
incorrect optimization. Reported by Nico.
ticket: 7223
|
| | |
|
| |
|
|
|
|
| |
gcc warnings that nametype may be used uninitialized, presumably
failing to deduce that usage() never returns. Initialize nametype to
make it build.
|
| |
|
|
|
| |
Exercise gss_export_name and importing of exported name tokens in
t_gssapi.py.
|
| |
|
|
|
|
|
| |
krb5_gss_export_name uses malloc to construct a gss_buffer_desc value,
and should use gssalloc_malloc instead.
ticket: 7233
|
| | |
|
| |
|
|
|
|
|
| |
Use free() instead of gss_release_buffer() when freeing the locally
allocated context_token in the sample gss-server program. Use
gssalloc_free() instead of free when freeing buffers in
t_kgss_kernel.c (where we can't use gss_release_buffer).
|
| |
|
|
|
|
|
| |
Use free() instead of gss_release_buffer() when freeing buffers in
libgssrpc which weren't constructed by GSSAPI. This mixing is
harmless in normal configurations (since libgssrpc is only used on
Unix), but fails with DEBUG_GSSALLOC.
|
| |
|
|
|
|
|
|
|
| |
Fix some GSSAPI buffer allocations which were missed in
800358b1790ef82710af0b6021c6ff2dca2b0de7: gss_export_sec_context,
gss_display_name, and IAKERB and SPNEGO token construction.
ticket: 7233 (new)
tags: pullup
|
| |
|
|
|
|
|
|
|
|
| |
Because the gssalloc macros are normally equivalent to malloc and free
on Unix, we cannot use the full test suite to find cases where we
allocate with malloc and free with gssalloc_free or vice versa.
Provide a way to test for this kind of bug (if only in a special build
configuration) by supporting a DEBUG_GSSALLOC symbol, which causes the
gssalloc wrappers to be deliberately incompatible with malloc and
free.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Now that we're doing a kind of deferred credential acquisition for
krb5, the behavior of gss_inquire_cred is a bit more subtle because
(per RFC 2743 section 2.1.4) we have to choose a credential cache or
acceptor name sooner than we would otherwise do so. Add a C program
to invoke gss_acquire_cred/gss_inquire_cred and some Python tests
using it.
|
| |
|
|
|
|
|
|
| |
This function did not serve any useful purpose. Remove it and the
special case it creates; move the only function it contained to the
main gss_mechanism structure where it belongs. Note that the function
name is preserved so that loadable modules are not affected by this
change.
|
| |
|
|
|
|
| |
ticket: 7231 (new)
target_version: 1.10.3
tags: pullup
|
| |
|
|
|
|
| |
ticket: 7230 (new)
target_version: 1.10.3
tags: pullup
|
| |
|
|
|
|
|
| |
After 74beb75bb07e3921d10c8eec05eacb1f393e5e44, allocate_princ()
allocates a one-byte realm field even if the principal doesn't have
one, so if we're replacing it with the default realm, we need to free
that.
|
| |
|
|
|
|
|
| |
The library isn't attempting a replay attack on itself, so any detected
replays are only going to be false-positives.
ticket: 7229 (new)
|
| |
|
|
|
|
| |
This way the mechanism handler knows what mech type is intended.
This allows plugin that implement multiple mechanisms or interposer
plugins to know what they are being asked to do.
|
| |
|
|
|
|
|
|
| |
Follow previous change to add_cred_from.
The only case where the spnego gss_*_cred_* functions can be called
with specific OIDs is if the mechglue calls spnego with the spengo
oid, which we never want to loop on anyway. So always consider it as
null, it's the correct behavior with current semantics.
|
| | |
|
| |
|
|
|
|
|
| |
The only case where the spnego gss_aquire_cred function can be called
with specific OIDs is if the mechglue calls spenego with the spengo
oid, which we never want to loop on anyway. So always consider it as
null, it's the correct behavior with current semantics.
|
| |
|
|
|
|
| |
This allows us to still use it for type safety in the APIs while at
the same time prevent code from trying to dereference internal_ctx_id
by mistake.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Don't translate '0' (no error).
Handle WSAEAFNOSUPPORT and WSAEINVAL.
Add Posix->WSA translation.
Add default translation for unrecognized errors.
[ghudson@mit.edu: Merged with master and adjusted comments.]
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7228 (new)
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
| |
Use gssapi calls to construct the oid sets. It is not safe on windows
to use malloc to hand-construct the set and then call gss_release_oid_set()
to clean it up.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7227 (new)
tags: pullup
|
| |
|
|
|
|
|
| |
Change the default client keytab name, if not overridden at build
time, to FILE:$localstatedir/krb5/user/%{euid}/client.keytab.
Introduce a second file from the autoconf archives in order to
recursively expand $localstatedir within configure.in.
|
| |
|
|
|
|
|
|
|
| |
Tie up some loose ends in substitution of the default ccache/keytab
names after 688a2702d2045abf5f99acfb59f3f372391e5be4:
* Fix the substhtml target in src/doc/Makefile.in
* Don't add FILE: when substituting the default keytab and client
keytab names, as the defaults already have it.
|
| | |
|
| |
|
|
|
|
|
|
| |
For Unix-like platforms, add %{username} to the path expansion
facility, expanding to the result of getpwuid on the euid.
Also, for manual testing convenience, make t_expand_path print the
result if no second argument is given.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix KDC heap corruption vulnerability [MITKRB5-SA-2012-001
CVE-2012-1015]. The cleanup code in
kdc_handle_protected_negotiation() in kdc_util.c could free an
uninitialized pointer in some error conditions involving "similar"
enctypes and a failure in krb5_c_make_checksum().
Additionally, adjust the handling of "similar" enctypes to avoid
advertising enctypes that could lead to inadvertent triggering of this
vulnerability (possibly in unpatched KDCs).
Note that CVE-2012-1014 (also described in MITKRB5-SA-2012-001) only
applies to the krb5-1.10 branch and doesn't affect the master branch
or releases prior to krb5-1.10.
ticket: 7225 (new)
target_version: 1.9.5
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
| |
* fscanf field widths must be less than the buffer size, not equal to
it.
* Check for negative values of lengths we're going to allocate.
* Eliminate a warning in the comparison of the regexp end offset.
* process_r1_8 policy doesn't actually ignore additional values, so
get rid of the comment and inequality test suggesting that it does.
ticket: 7224 (new)
|
| | |
|
| |
|
|
| |
ticket: 7223
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This simply adds KADM5_API_VERSION_4 and various fields to the
policy structures:
- attributes (policy-ish principal attributes)
- max_life (max ticket life)
- max_renewable_life (max ticket renewable life)
- allowed_keysalts (allowed key/salt types)
- TL data (future policy extensions)
Of these only allowed_keysalts is currently implemented.
Some refactoring of TL data handling is also done.
ticket: 7223 (new)
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Use a helper function add_policy_mods() in
krb5_ldap_create_password_policy() and krb5_ldap_put_password_policy()
to avoid duplicating code for each field.
|
| |
|
|
|
| |
r18750 refactored some policy fetching code into populate_policy(),
and left the old code in #if 0 blocks. Get rid of those blocks now.
|
| |
|
|
|
|
|
| |
Corrections to stuff noticed by kaduk:
* Eliminate a space before paren in a call to free().
* Use %lu for unsigned long in format strings.
* Simplify the tokens table definition.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Add DEFCCNAME, DEFKTNAME, and DEFCKTNAME configure variables to
change the built-in ccache and keytab names.
* Add krb5-config options to display the built-in ccache and keytab
names.
* In the default build, use krb5-config to discover the system's
built-in ccache and keytab names and use them (if not overridden).
This can be controlled with the --with-krb5-config=PATH or
--without-krb5-config configure options.
* Make the built-in ccache name subject to parameter expansion.
ticket: 7221 (new)
|
| |
|
|
|
|
|
| |
Like default_keytab_name and default_client_keytab_name,
default_ccache_name is subject to parameter expansion.
ticket: 7220 (new)
|
| |
|
|
|
|
|
| |
Generalize the ccache collection tests in t_cccol.py to multiple kinds
of ccache tests, and rename it to avoid confusion with the lower-level
lib/krb5/ccache/t_cccol.py. Move a test from t_general.py into
t_ccache.py.
|
| |
|
|
|
|
|
|
| |
Eliminate the USE_CCAPI variant of get_from_os() which was only used
in KfM. Make get_from_os() allocate its result (wrapping the Windows
implementation so it can continue to use a fixed-size buffer).
Simplify krb5_cc_set_default_name() and krb5_cc_default_name(). Make
some minor style adjustments.
|
| |
|
|
|
|
|
| |
Make the default_keytab_name and default_client_keytab_name variables
subject to parameter expansion.
ticket: 7219 (new)
|
| |
|
|
|
|
|
|
| |
Add an adapted version of Heimdal's expand_path.c, defining
k5_expand_path_tokens() and k5_expand_path_tokens_extra(). These
functions allow template paths like %{TEMP}/krb5cc_%{uid} to be
resolved. Also add a test program to exercise the path expansion
code.
|
