krb5.git/src/lib/gssapi, branch gss_cs MIT Kerberos patches Add way to specify rcache when acquiring creds 2014-01-14T20:11:54+00:00 Simo Sorce simo@redhat.com 2013-12-27T00:05:34+00:00 5d3c7091d401b0a562131dee8fa210d416b441df The "rcache" URN can specify a cache type and name to be used with the credentials being acquired. Signed-off-by: Simo Sorce <simo@redhat.com> 
The "rcache" URN can specify a cache type and name to be used with
the credentials being acquired.

Signed-off-by: Simo Sorce <simo@redhat.com>
Let SPNEGO display mechanism errors 2013-12-18T20:58:55+00:00 Simo Sorce simo@redhat.com 2013-12-17T21:15:14+00:00 d160bc733a3dbeb6d84f4e175234ff18738d9f66 To avoid potential recursion we use a thread local variable that tells us whether the ancestor was called via spnego_gss_display_name(). If we detect recursion, we assume that we returned a com_err code like ENOMEM and call error_message(); in the worst case that will result in an "Unknown error" message. [ghudson@mit.edu: Edited comments and commit message; removed an unneeded line of code.] ticket: 7045 target_version: 1.12.1 tags: pullup 
To avoid potential recursion we use a thread local variable that tells
us whether the ancestor was called via spnego_gss_display_name().  If
we detect recursion, we assume that we returned a com_err code like
ENOMEM and call error_message(); in the worst case that will result in
an "Unknown error" message.

[ghudson@mit.edu: Edited comments and commit message; removed an
unneeded line of code.]

ticket: 7045
target_version: 1.12.1
tags: pullup
Fix GSS krb5 acceptor acquire_cred error handling 2013-12-16T20:40:51+00:00 Greg Hudson ghudson@mit.edu 2013-12-16T20:37:56+00:00 decccbcb5075f8fbc28a535a9b337afc84a15dee When acquiring acceptor creds with a specified name, if we fail to open a replay cache, we leak the keytab handle. If there is no specified name and we discover that there is no content in the keytab, we leak the keytab handle and return the wrong major code. Memory leak reported by Andrea Campi. ticket: 7805 target_version: 1.12.1 tags: pullup 
When acquiring acceptor creds with a specified name, if we fail to
open a replay cache, we leak the keytab handle.  If there is no
specified name and we discover that there is no content in the keytab,
we leak the keytab handle and return the wrong major code.  Memory
leak reported by Andrea Campi.

ticket: 7805
target_version: 1.12.1
tags: pullup
Fix memory leak in SPNEGO initiator 2013-12-16T16:39:41+00:00 Simo Sorce simo@redhat.com 2013-12-13T17:00:41+00:00 1cda48a7ed4069cfc052f974ec3d76a9137c8c5a If we eliminate a mechanism from the initiator list because gss_init_sec_context fails, free the memory for that mech OID before removing it from the list. [ghudson@mit.edu: clarified commit message] ticket: 7803 (new) target_version: 1.12.1 tags: pullup 
If we eliminate a mechanism from the initiator list because
gss_init_sec_context fails, free the memory for that mech OID before
removing it from the list.

[ghudson@mit.edu: clarified commit message]

ticket: 7803 (new)
target_version: 1.12.1
tags: pullup
Remove unneeded check in SPNEGO initiator 2013-12-16T16:35:52+00:00 Greg Hudson ghudson@mit.edu 2013-12-16T16:35:42+00:00 1249c75810e3d5c33ba723c65a904ee914ca8048 In init_ctx_cont, if the response token contains no fields, we set a return value but don't actually quit out of the function. We do not need this check (we will fail later on if a piece of required information isn't present), so just remove it. Reported by simo@redhat.com. 
In init_ctx_cont, if the response token contains no fields, we set a
return value but don't actually quit out of the function.  We do not
need this check (we will fail later on if a piece of required
information isn't present), so just remove it.  Reported by
simo@redhat.com.
Fix SPNEGO one-hop interop against old IIS 2013-12-12T15:51:34+00:00 Greg Hudson ghudson@mit.edu 2013-12-10T17:04:18+00:00 37af638b742dbd642eb70092e4f7781c3f69d86d IIS 6.0 and similar return a zero length reponse buffer in the last SPNEGO packet when context initiation is performed without mutual authentication. In this case the underlying Kerberos mechanism has already completed successfully on the first invocation, and SPNEGO does not expect a mech response token in the answer. If we get an empty mech response token when the mech is complete during negotiation, ignore it. [ghudson@mit.edu: small code style and commit message changes] ticket: 7797 (new) target_version: 1.12.1 tags: pullup 
IIS 6.0 and similar return a zero length reponse buffer in the last
SPNEGO packet when context initiation is performed without mutual
authentication.  In this case the underlying Kerberos mechanism has
already completed successfully on the first invocation, and SPNEGO
does not expect a mech response token in the answer.  If we get an
empty mech response token when the mech is complete during
negotiation, ignore it.

[ghudson@mit.edu: small code style and commit message changes]

ticket: 7797 (new)
target_version: 1.12.1
tags: pullup
Avoid malloc(0) in SPNEGO get_input_token 2013-12-07T02:06:26+00:00 Greg Hudson ghudson@mit.edu 2013-12-06T23:56:56+00:00 13fd26e1863c79f616653f6a10a58c01f65fceff If we read a zero-length token in spnego_mech.c's get_input_token(), set the value pointer to NULL instead of calling malloc(0). ticket: 7794 (new) 
If we read a zero-length token in spnego_mech.c's get_input_token(),
set the value pointer to NULL instead of calling malloc(0).

ticket: 7794 (new)
Clean up the code to eliminate some clang warnings 2013-11-04T18:51:17+00:00 Ben Kaduk kaduk@mit.edu 2013-10-30T18:51:12+00:00 3a8eaa43045fb242739ad9729bb66f915be209b9 In ure.c, though k is a short, the literal 1 is of type 'int', and so the operation 'k + 1' is performed at the (32-bit) width of int, and therefore the "%d" format string is correct. In accept_sec_context.c, the 'length' field of krb5_data is an unsigned type, so checking for a negative value has no effect. In net-server.c, the helper routine rtm_type_name() is only used in code that is disabled with #if 0 conditionals; make the definition also disabled in the same way to avoid warnings of an unused function. In kdc_authdata.c, equality checks in double parentheses elicit a warning from clang. The double-parentheses idiom is normally used to indicate that an assignment is being performed, but the value of the assignment is also to be used as the value for the conditional. Since assignment and equality checking differ only by a single character, clang considers this worthy of a warning. Since the extra set of parentheses is redundant and against style, it is correct to remove them. In several places (sim_server.c, dump.c, kdb5_destroy.c, ovsec_kadmd.c), there are declarations of extern variables relating to getopt() functionality that are now unused in the code. Remove these unused variables. 
In ure.c, though k is a short, the literal 1 is of type 'int', and
so the operation 'k + 1' is performed at the (32-bit) width of int,
and therefore the "%d" format string is correct.

In accept_sec_context.c, the 'length' field of krb5_data is an
unsigned type, so checking for a negative value has no effect.

In net-server.c, the helper routine rtm_type_name() is only used
in code that is disabled with #if 0 conditionals; make the
definition also disabled in the same way to avoid warnings of an
unused function.

In kdc_authdata.c, equality checks in double parentheses elicit
a warning from clang.  The double-parentheses idiom is normally used
to indicate that an assignment is being performed, but the value of
the assignment is also to be used as the value for the conditional.
Since assignment and equality checking differ only by a single
character, clang considers this worthy of a warning.  Since the extra
set of parentheses is redundant and against style, it is correct to
remove them.

In several places (sim_server.c, dump.c, kdb5_destroy.c,
ovsec_kadmd.c), there are declarations of extern variables relating
to getopt() functionality that are now unused in the code.  Remove
these unused variables.
Fix gss_accept_sec_context error tokens 2013-10-15T03:52:52+00:00 Greg Hudson ghudson@mit.edu 2013-10-08T21:07:34+00:00 c547bc16f2ab6ee66c076ef944c3fbac8a66f5d4 A GSS krb5 error response contains a KRB-ERROR message, which is required to have a server principal name, although few recipients actually use it. Starting in 1.3, accept_sec_context would fail to encode the error in the GSS_C_NO_NAME/GSS_C_NO_CREDENTIAL case (introduced by #1370) because cred->princ (which became cred->name->princ in 1.8) is unset. This problem got worse in 1.10 because we stopped setting the server field in all cases due to the changes for #6855. In 1.11 the problem got worse again when a misguided change to the mechglue started discarding output tokens when the mechanism returns an error; the mechglue should only do so when it itself causes the error. Fix krb5 gss_accept_sec_context by unconditionally decoding the AP-REQ and using krb5_rd_req_decoded, and then using the requested ticket server in the KRB-ERROR message. Fix the mechglue gss_accept_sec_context by reverting that part of commit 56feee187579905c9101b0cdbdd8c6a850adcfc9. Add a test program which artificially induces a replay cache failure (the easiest failure we can produce which has an associated RFC 4120 error code) and checks that this can be communicated back to the initiator via an error token. ticket: 1445 target_version: 1.12 tags: pullup 
A GSS krb5 error response contains a KRB-ERROR message, which is
required to have a server principal name, although few recipients
actually use it.  Starting in 1.3, accept_sec_context would fail to
encode the error in the GSS_C_NO_NAME/GSS_C_NO_CREDENTIAL case
(introduced by #1370) because cred->princ (which became
cred->name->princ in 1.8) is unset.

This problem got worse in 1.10 because we stopped setting the server
field in all cases due to the changes for #6855.  In 1.11 the problem
got worse again when a misguided change to the mechglue started
discarding output tokens when the mechanism returns an error; the
mechglue should only do so when it itself causes the error.

Fix krb5 gss_accept_sec_context by unconditionally decoding the AP-REQ
and using krb5_rd_req_decoded, and then using the requested ticket
server in the KRB-ERROR message.  Fix the mechglue
gss_accept_sec_context by reverting that part of commit
56feee187579905c9101b0cdbdd8c6a850adcfc9.  Add a test program which
artificially induces a replay cache failure (the easiest failure we
can produce which has an associated RFC 4120 error code) and checks
that this can be communicated back to the initiator via an error
token.

ticket: 1445
target_version: 1.12
tags: pullup
Fix GSSAPI krb5 cred ccache import 2013-10-15T03:32:05+00:00 Greg Hudson ghudson@mit.edu 2013-10-07T13:51:56+00:00 48dd01f29b893a958a64dcf6eb0b734e8463425b json_to_ccache was incorrectly indexing the JSON array when restoring a memory ccache. Fix it. Add test coverage for a multi-cred ccache by exporting/importing the synthesized S4U2Proxy delegated cred in t_s4u2proxy_krb5.c; move export_import_cred from t_export_cred.c to common.c to facilitate this. Make a note in t_export_cred.py that this case is covered in t_s4u.py. ticket: 7706 target_version: 1.11.4 
json_to_ccache was incorrectly indexing the JSON array when restoring
a memory ccache.  Fix it.

Add test coverage for a multi-cred ccache by exporting/importing the
synthesized S4U2Proxy delegated cred in t_s4u2proxy_krb5.c; move
export_import_cred from t_export_cred.c to common.c to facilitate
this.  Make a note in t_export_cred.py that this case is covered in
t_s4u.py.

ticket: 7706
target_version: 1.11.4