<feed xmlns='http://www.w3.org/2005/Atom'>
<title>krb5.git, branch spnego</title>
<subtitle>MIT Kerberos patches</subtitle>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/'/>
<entry>
<title>Add way to check if mechlistMIC must be produced</title>
<updated>2014-05-06T17:57:27+00:00</updated>
<author>
<name>Simo Sorce</name>
<email>simo@redhat.com</email>
</author>
<published>2014-05-05T21:59:08+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=da549274458a61e0e0cda20d64b46095d535c5da'/>
<id>da549274458a61e0e0cda20d64b46095d535c5da</id>
<content type='text'>
This is an extension that is needed to work around a bug in Microsoft's
SPNEGO implementation when the mechanism used is NTLMSSP and a MIC is
produced internally by this mechanism when this is the preferred
mechanism for the client.

In such a case Microsoft servers require a mechlistMIC to be produced even
if RFC 4178 (c) says it should be optional.
In order to avoid interoperability problems this function checks if a
MIC has been produced internally and if so sets sc-&gt;mic_reqd to 1 forcing
us to emit a mechlistMIC.

This function is intentionally called after every gss_init_sec_context()
although only the second call can actually return a meaningful answer. The
first call is used to signal to the mechanism that the SPNEGO layer does
support forcing a mechlistMIC so that the mechanism does not put a MIC in
the Authenticate message at all if forcing a mechlistMIC is not supported.

Signed-off-by: Simo Sorce &lt;simo@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This is an extension that is needed to work around a bug in Microsoft's
SPNEGO implementation when the mechanism used is NTLMSSP and a MIC is
produced internally by this mechanism when this is the preferred
mechanism for the client.

In such a case Microsoft servers require a mechlistMIC to be produced even
if RFC 4178 (c) says it should be optional.
In order to avoid interoperability problems this function checks if a
MIC has been produced internally and if so sets sc-&gt;mic_reqd to 1 forcing
us to emit a mechlistMIC.

This function is intentionally called after every gss_init_sec_context()
although only the second call can actually return a meaningful answer. The
first call is used to signal to the mechanism that the SPNEGO layer does
support forcing a mechlistMIC so that the mechanism does not put a MIC in
the Authenticate message at all if forcing a mechlistMIC is not supported.

Signed-off-by: Simo Sorce &lt;simo@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Remove compile_et.c</title>
<updated>2014-04-30T22:10:17+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2014-04-29T15:03:03+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=939bb6c500aba6359f80bd27ba6269c23168fc16'/>
<id>939bb6c500aba6359f80bd27ba6269c23168fc16</id>
<content type='text'>
We have used awk scripts in preference to the C version of compile_et
since 1994 (r4426).  Get rid of the sources for the C version and all
of the Makefile.in references to them.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We have used awk scripts in preference to the C version of compile_et
since 1994 (r4426).  Get rid of the sources for the C version and all
of the Makefile.in references to them.
</pre>
</div>
</content>
</entry>
<entry>
<title>Refactor KDC option/flag processing</title>
<updated>2014-04-28T20:30:37+00:00</updated>
<author>
<name>Tom Yu</name>
<email>tlyu@mit.edu</email>
</author>
<published>2014-04-24T21:10:58+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=4d08c9abfee0b5978d9db2280c10c85b3bf2ae11'/>
<id>4d08c9abfee0b5978d9db2280c10c85b3bf2ae11</id>
<content type='text'>
A lot of KDC code was spent copying options to flags, and copying
header_ticket flags to the output ticket.

Behavior change: previous code didn't copy PROXY from the
header_ticket, but this seems to have been a minor bug rather than
intentional.  This also seems to have been an omission from RFC 4120.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
A lot of KDC code was spent copying options to flags, and copying
header_ticket flags to the output ticket.

Behavior change: previous code didn't copy PROXY from the
header_ticket, but this seems to have been a minor bug rather than
intentional.  This also seems to have been an omission from RFC 4120.
</pre>
</div>
</content>
</entry>
<entry>
<title>Check for asprintf failure in kdb5_util create</title>
<updated>2014-04-15T17:35:49+00:00</updated>
<author>
<name>Tomas Kuthan</name>
<email>tkuthan@gmail.com</email>
</author>
<published>2014-04-10T13:16:06+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=f5645d30cf83398640c386a612eb6f07c543286f'/>
<id>f5645d30cf83398640c386a612eb6f07c543286f</id>
<content type='text'>
In add_admin_princ, remove build_name_with_realm and call asprintf
directly instead.  Check for asprintf failure to avoid passing an
undefined pointer to krb5_parse_name.

[ghudson@mit.edu: rewrite commit message]

ticket: 7902 (new)
target_version: 1.12.2
tags: pullup
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In add_admin_princ, remove build_name_with_realm and call asprintf
directly instead.  Check for asprintf failure to avoid passing an
undefined pointer to krb5_parse_name.

[ghudson@mit.edu: rewrite commit message]

ticket: 7902 (new)
target_version: 1.12.2
tags: pullup
</pre>
</div>
</content>
</entry>
<entry>
<title>In PKINIT, use library initializer for OpenSSL</title>
<updated>2014-04-15T16:21:13+00:00</updated>
<author>
<name>Tomas Kuthan</name>
<email>tkuthan@gmail.com</email>
</author>
<published>2014-04-11T13:36:53+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=d49e9f0e14adb24e6fe129080c54a0571a39611b'/>
<id>d49e9f0e14adb24e6fe129080c54a0571a39611b</id>
<content type='text'>
Use a library initializer to prevent multiple threads using PKINIT
from concurrently initializing OpenSSL functions.  For cases where
MT-safety is not assured by registering OpenSSL locking callbacks,
this significantly lowers the odds of crashes caused by races in
OpenSSL initialization.  (If OpenSSL initialization functions are
called by some other thread directly, crashes are still possible.)

[ghudson@mit.edu: simplify code changes and commit message]

ticket: 6413
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Use a library initializer to prevent multiple threads using PKINIT
from concurrently initializing OpenSSL functions.  For cases where
MT-safety is not assured by registering OpenSSL locking callbacks,
this significantly lowers the odds of crashes caused by races in
OpenSSL initialization.  (If OpenSSL initialization functions are
called by some other thread directly, crashes are still possible.)

[ghudson@mit.edu: simplify code changes and commit message]

ticket: 6413
</pre>
</div>
</content>
</entry>
<entry>
<title>Update sample configs to include master_kdc</title>
<updated>2014-04-15T15:55:21+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2014-04-08T18:07:30+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=3b72cefb1bbf231192a2b92c31f2c91217f7d58c'/>
<id>3b72cefb1bbf231192a2b92c31f2c91217f7d58c</id>
<content type='text'>
Where we have ATHENA.MIT.EDU stanzas in sample or test krb5.conf files
which define kdc entries, also define a master_kdc entry.  Remove
default_domain and v4_instance_convert entries in examples as they are
only needed for krb5/krb4 principal conversions.  In the krb5_conf.rst
example, remove enctype specifications as we don't want to encourage
their use when they aren't necessary, and remove a redundant
domain_realm entry.

ticket: 7901 (new)
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Where we have ATHENA.MIT.EDU stanzas in sample or test krb5.conf files
which define kdc entries, also define a master_kdc entry.  Remove
default_domain and v4_instance_convert entries in examples as they are
only needed for krb5/krb4 principal conversions.  In the krb5_conf.rst
example, remove enctype specifications as we don't want to encourage
their use when they aren't necessary, and remove a redundant
domain_realm entry.

ticket: 7901 (new)
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix sendto_kdc.c on OS X after cm refactoring</title>
<updated>2014-04-05T21:50:08+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2014-04-04T18:58:33+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=82aa5f56acee4d63800a1a69794a2d7bc4f104fc'/>
<id>82aa5f56acee4d63800a1a69794a2d7bc4f104fc</id>
<content type='text'>
Treat POLLHUP without POLLIN or POLLOUT as an exception in the poll
version of cm_get_ssflags, to correctly handle TCP connection errors
on OS X.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Treat POLLHUP without POLLIN or POLLOUT as an exception in the poll
version of cm_get_ssflags, to correctly handle TCP connection errors
on OS X.
</pre>
</div>
</content>
</entry>
<entry>
<title>Remove adb_policy_init and adb_policy_close</title>
<updated>2014-04-04T18:02:47+00:00</updated>
<author>
<name>Tomas Kuthan</name>
<email>tkuthan@gmail.com</email>
</author>
<published>2014-04-03T15:58:43+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=8d735931e2a93fab31d68772e8881faa6b030a10'/>
<id>8d735931e2a93fab31d68772e8881faa6b030a10</id>
<content type='text'>
Since f72c3ffa the policy is initialized as part of database.
adb_policy_close is now a no-op, and adb_policy_init just makes sure
the database is initialized.  adb_policy_init is only called from
kadm5_flush, and only if database initialization was successful
beforehand, rendering this call redundant.

Remove adb_policy_init and adb_policy_close and all their references
in the code and documentation.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Since f72c3ffa the policy is initialized as part of database.
adb_policy_close is now a no-op, and adb_policy_init just makes sure
the database is initialized.  adb_policy_init is only called from
kadm5_flush, and only if database initialization was successful
beforehand, rendering this call redundant.

Remove adb_policy_init and adb_policy_close and all their references
in the code and documentation.
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix leak in kadm5_flush with LDAP KDB</title>
<updated>2014-04-04T17:59:36+00:00</updated>
<author>
<name>Tomas Kuthan</name>
<email>tkuthan@gmail.com</email>
</author>
<published>2014-04-02T15:48:04+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=372e4cb6f5d4a603e6e3157c7b5d354953836136'/>
<id>372e4cb6f5d4a603e6e3157c7b5d354953836136</id>
<content type='text'>
Due to an inverted test in adb_policy_init, kadm5_flush calls
krb5_db_open twice.  With the DB2 KDB module, the second open is a
no-op, but with the LDAP module, a new DB handle is allocated and the
old one is leaked.

[ghudson@mit.edu: rewrote commit message]

ticket: 7897 (new)
target_version: 1.12.2
tags: pullup
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Due to an inverted test in adb_policy_init, kadm5_flush calls
krb5_db_open twice.  With the DB2 KDB module, the second open is a
no-op, but with the LDAP module, a new DB handle is allocated and the
old one is leaked.

[ghudson@mit.edu: rewrote commit message]

ticket: 7897 (new)
target_version: 1.12.2
tags: pullup
</pre>
</div>
</content>
</entry>
<entry>
<title>Refactor cm functions in sendto_kdc.c</title>
<updated>2014-04-03T01:30:45+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2014-03-26T17:21:45+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=346883c48f1b9e09b1af2cf73e3b96ee8f934072'/>
<id>346883c48f1b9e09b1af2cf73e3b96ee8f934072</id>
<content type='text'>
Move get_curtime_ms and the cm functions near the top of the file
right after structure definitions.  Except for cm_select_or_poll,
define each cm function separately for poll and for select, since the
implementations don't share much in common.  Instead of
cm_unset_write, define cm_read and cm_write functions to put an fd in
read-only or write-only state.  Remove the ssflags argument from
cm_add_fd and just expect the caller to make a subsequent call to
cm_read or cm_write.  Always select for exceptions when using select.
(Polling for exceptions is implicit with poll).

With these changes, we no longer select/poll for reading on a TCP
connection until we are done writing to it.  So in service_tcp_fd,
remove the check for unexpected read events.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Move get_curtime_ms and the cm functions near the top of the file
right after structure definitions.  Except for cm_select_or_poll,
define each cm function separately for poll and for select, since the
implementations don't share much in common.  Instead of
cm_unset_write, define cm_read and cm_write functions to put an fd in
read-only or write-only state.  Remove the ssflags argument from
cm_add_fd and just expect the caller to make a subsequent call to
cm_read or cm_write.  Always select for exceptions when using select.
(Polling for exceptions is implicit with poll).

With these changes, we no longer select/poll for reading on a TCP
connection until we are done writing to it.  So in service_tcp_fd,
remove the check for unexpected read events.
</pre>
</div>
</content>
</entry>
</feed>
