<feed xmlns='http://www.w3.org/2005/Atom'>
<title>krb5.git/src/lib/gssapi, branch kinit-c</title>
<subtitle>MIT Kerberos patches</subtitle>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/'/>
<entry>
<title>Stop using KRB5_TC_OPENCLOSE</title>
<updated>2014-11-03T16:40:38+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2014-10-06T14:05:41+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=ec3a2e9ea2d4fdb2e00fc7b2a6bfed7feac10880'/>
<id>ec3a2e9ea2d4fdb2e00fc7b2a6bfed7feac10880</id>
<content type='text'>
Since KRB5_TC_OPENCLOSE no longer does anything, stop setting it when
we iterate over ccaches.

ticket: 7804
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Since KRB5_TC_OPENCLOSE no longer does anything, stop setting it when
we iterate over ccaches.

ticket: 7804
</pre>
</div>
</content>
</entry>
<entry>
<title>Use gssalloc_malloc for GSS error tokens</title>
<updated>2014-10-09T15:35:51+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2014-10-08T00:22:52+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=68cfc8b4e6338b78dce5a960ce47974a73906fac'/>
<id>68cfc8b4e6338b78dce5a960ce47974a73906fac</id>
<content type='text'>
In kg_accept_krb5, use gssalloc_malloc when allocating space for the
error token, since it will be freed with gssalloc_free.  Using malloc
can cause heap corruption on Windows.  This bug was masked by #1445
before 1.12.

ticket: 8024 (new)
target_version: 1.13.1
tags: pullup
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In kg_accept_krb5, use gssalloc_malloc when allocating space for the
error token, since it will be freed with gssalloc_free.  Using malloc
can cause heap corruption on Windows.  This bug was masked by #1445
before 1.12.

ticket: 8024 (new)
target_version: 1.13.1
tags: pullup
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix krb5 gss_acquire_cred_impersonate_name crash</title>
<updated>2014-09-19T20:32:56+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2014-09-19T15:35:10+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=17689700b27c6fb6d26156330d11b57ef79385d3'/>
<id>17689700b27c6fb6d26156330d11b57ef79385d3</id>
<content type='text'>
If gss_acquire_cred_impersonate_name is called using an
impersonator_cred_handle acquired with GSS_C_ACCEPT, we could
dereference null fields of the cred handle and crash.  Fix this by
checking the impersonator_cred_handle usage and returning
GSS_S_NO_CRED if it isn't what we expect, just as we do in
init_sec_context.

Based on a patch from Solly Ross &lt;sross@redhat.com&gt;.

ticket: 8017 (new)
target_version: 1.13
tags: pullup
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
If gss_acquire_cred_impersonate_name is called using an
impersonator_cred_handle acquired with GSS_C_ACCEPT, we could
dereference null fields of the cred handle and crash.  Fix this by
checking the impersonator_cred_handle usage and returning
GSS_S_NO_CRED if it isn't what we expect, just as we do in
init_sec_context.

Based on a patch from Solly Ross &lt;sross@redhat.com&gt;.

ticket: 8017 (new)
target_version: 1.13
tags: pullup
</pre>
</div>
</content>
</entry>
<entry>
<title>Let libgssapi see TGTs in the MSLSA cache</title>
<updated>2014-09-09T19:01:13+00:00</updated>
<author>
<name>Ben Kaduk</name>
<email>kaduk@mit.edu</email>
</author>
<published>2014-08-21T22:56:24+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=0794746f8d8e6b8ce3748d442d2bc1faecf960ce'/>
<id>0794746f8d8e6b8ce3748d442d2bc1faecf960ce</id>
<content type='text'>
When the current user is a local administrator of a Windows machine
where User Account Control (UAC) is enabled, the Windows LSA will
return a block of zeros as the session key for any TGT entry in the
MSLSA: cache.  The lcc_retrieve() implementation checks for such
"null" session keys and prevents them from escaping to callers (as
attempts to use them would encounter strange errors).  However,
when the TGT is the only entry in the cache, this filtering prevents
scan_ccache() from detecting that the cache contains non-expired
credentials (and that there is a TGT present).

Since scan_ccache() is only looking at metadata in the cache entries,
and does not need to actually use any tickets or session keys, set
the KRB5_TC_NOTICKET flag on the ccache before scanning it.  This
will allow the MSLSA implementation to return a cred for the TGT
entry and cause the GSSAPI credential selection algorithm to function
properly.

ticket: 8000 (new)
tags: pullup
target_version: 1.12.3
subject: gssapi.dll fails to detect TGTs in the MSLSA cache when UAC is enabled
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When the current user is a local administrator of a Windows machine
where User Account Control (UAC) is enabled, the Windows LSA will
return a block of zeros as the session key for any TGT entry in the
MSLSA: cache.  The lcc_retrieve() implementation checks for such
"null" session keys and prevents them from escaping to callers (as
attempts to use them would encounter strange errors).  However,
when the TGT is the only entry in the cache, this filtering prevents
scan_ccache() from detecting that the cache contains non-expired
credentials (and that there is a TGT present).

Since scan_ccache() is only looking at metadata in the cache entries,
and does not need to actually use any tickets or session keys, set
the KRB5_TC_NOTICKET flag on the ccache before scanning it.  This
will allow the MSLSA implementation to return a cred for the TGT
entry and cause the GSSAPI credential selection algorithm to function
properly.

ticket: 8000 (new)
tags: pullup
target_version: 1.12.3
subject: gssapi.dll fails to detect TGTs in the MSLSA cache when UAC is enabled
</pre>
</div>
</content>
</entry>
<entry>
<title>Try to scan_ccache() after leash picks a cache</title>
<updated>2014-09-09T19:01:12+00:00</updated>
<author>
<name>Ben Kaduk</name>
<email>kaduk@mit.edu</email>
</author>
<published>2014-08-21T16:48:39+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=674f7d7abe2d4f8bc3fe791e4347a332e3ccfd41'/>
<id>674f7d7abe2d4f8bc3fe791e4347a332e3ccfd41</id>
<content type='text'>
We need to call scan_ccache() in order to notice that there
are credentials and read their expire time.

The call to scan_ccache() in the Leash case was inadvertently
removed as part of commit 8651f3339ccc5a623172a8edfb9cf522883acacd.

ticket: 7998 (new)
tags: pullup
target_version: 1.12.3
subject: gssapi.dll tries to get initial creds even when some are present
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
We need to call scan_ccache() in order to notice that there
are credentials and read their expire time.

The call to scan_ccache() in the Leash case was inadvertently
removed as part of commit 8651f3339ccc5a623172a8edfb9cf522883acacd.

ticket: 7998 (new)
tags: pullup
target_version: 1.12.3
subject: gssapi.dll tries to get initial creds even when some are present
</pre>
</div>
</content>
</entry>
<entry>
<title>Allow SPNEGO fallback to NTLM without mechlistMIC</title>
<updated>2014-08-09T17:25:09+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2014-08-08T17:32:51+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=7208dace8bfbdf5b930e26a19c8ff31c13ea1ef3'/>
<id>7208dace8bfbdf5b930e26a19c8ff31c13ea1ef3</id>
<content type='text'>
For interoperability with Windows Server 2003 and earlier, loosen the
initiator's enforcement of RFC 4178's mechlistMIC requirement when
falling back to NTLMSSP.

[ghudson@mit.edu: rewrote commit message, added comment to NTLMSSP
OID]

ticket: 7975
target_version: 1.13
tags: pullup
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
For interoperability with Windows Server 2003 and earlier, loosen the
initiator's enforcement of RFC 4178's mechlistMIC requirement when
falling back to NTLMSSP.

[ghudson@mit.edu: rewrote commit message, added comment to NTLMSSP
OID]

ticket: 7975
target_version: 1.13
tags: pullup
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix GSS krb5 GSS_C_DELEG_FLAG ret_flags result</title>
<updated>2014-08-09T16:31:32+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2014-08-08T20:50:38+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=d899084e24555dc8fd091eb08187ca2a45a08324'/>
<id>d899084e24555dc8fd091eb08187ca2a45a08324</id>
<content type='text'>
The krb5 gss_accept_sec_context could erroneously return
GSS_C_DELEG_FLAG in ret_flags if either:

* The token included the GSS_C_DELEG_FLAG but did not include at least
  28 bytes in the authenticator checksum.
* The initial token included the GSS_C_DELEG_FLAG but a DCE-style
  exchange was performed.

Fix both of these cases.

ticket: 7987 (new)
target_version: 1.13
tags: pullup
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The krb5 gss_accept_sec_context could erroneously return
GSS_C_DELEG_FLAG in ret_flags if either:

* The token included the GSS_C_DELEG_FLAG but did not include at least
  28 bytes in the authenticator checksum.
* The initial token included the GSS_C_DELEG_FLAG but a DCE-style
  exchange was performed.

Fix both of these cases.

ticket: 7987 (new)
target_version: 1.13
tags: pullup
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix glob memory leak in GSS initialization</title>
<updated>2014-08-07T19:03:29+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2014-08-05T03:34:32+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=20f91672568b1d2e341a9bb0dba88a831f152f1c'/>
<id>20f91672568b1d2e341a9bb0dba88a831f152f1c</id>
<content type='text'>
In loadConfigFiles, call globfree even if glob fails, since glob can
allocate memory and report partial results on failure.  Also
initialize globbuf before calling glob; this is not strictly required,
but hedges against hypothetical libc implementation bugs which could
leave globbuf.gl_pathc or globbuf.gl_pathv uninitialized on error.

ticket: 7981
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
In loadConfigFiles, call globfree even if glob fails, since glob can
allocate memory and report partial results on failure.  Also
initialize globbuf before calling glob; this is not strictly required,
but hedges against hypothetical libc implementation bugs which could
leave globbuf.gl_pathc or globbuf.gl_pathv uninitialized on error.

ticket: 7981
</pre>
</div>
</content>
</entry>
<entry>
<title>Fix the build on windows</title>
<updated>2014-08-06T16:18:15+00:00</updated>
<author>
<name>Ben Kaduk</name>
<email>kaduk@mit.edu</email>
</author>
<published>2014-08-05T15:11:45+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=58312ae8beb0499ac3a06196164eb833e9f8975e'/>
<id>58312ae8beb0499ac3a06196164eb833e9f8975e</id>
<content type='text'>
Windows does not provide the glob() functionality used to implement
the /etc/gss/mechs.d/ feature, so we must avoid compiling the
relevant code for Windows.  (It would never have been called, anyway.)

Adjust the ccache/Makefile.in rules to not use '-' or '@' in
make variable names that are processed by nmake.

Also in ccache/Makefile.in, remove some latent leading whitespace that
had been previously hidden by the previous rule; this exposed some
flawed dependencies that are now removed.

Windows does not provide sys/socket.h or sys/un.h, so don't try
to include them in cc_kcm.c.

The commit which moved the KKDCP TLS support to a plugin left some
dangling references to checkhost.c byproducts in os/Makefile.in,
which can be safely removed.

Use k5-platform.h in support/json.c instead of a set of system includes;
this lets Windows build the static inline helper functions therein.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Windows does not provide the glob() functionality used to implement
the /etc/gss/mechs.d/ feature, so we must avoid compiling the
relevant code for Windows.  (It would never have been called, anyway.)

Adjust the ccache/Makefile.in rules to not use '-' or '@' in
make variable names that are processed by nmake.

Also in ccache/Makefile.in, remove some latent leading whitespace that
had been previously hidden by the previous rule; this exposed some
flawed dependencies that are now removed.

Windows does not provide sys/socket.h or sys/un.h, so don't try
to include them in cc_kcm.c.

The commit which moved the KKDCP TLS support to a plugin left some
dangling references to checkhost.c byproducts in os/Makefile.in,
which can be safely removed.

Use k5-platform.h in support/json.c instead of a set of system includes;
this lets Windows build the static inline helper functions therein.
</pre>
</div>
</content>
</entry>
<entry>
<title>Modify k5buf interfaces for easier use</title>
<updated>2014-07-30T16:11:38+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2014-07-02T16:03:54+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=651f3af251d172361a954f55f2d87561ae42c2d0'/>
<id>651f3af251d172361a954f55f2d87561ae42c2d0</id>
<content type='text'>
Make struct k5buf less opaque and get rid of k5buf-int.h.  Make it
easy to initialize a k5buf in an error state so that it can be freed
in a cleanup handler.  Add a function k5_buf_status which returns 0 or
ENOMEM.  Remove k5_buf_data and k5_buf_len.  Rename k5_free_buf to
k5_buf_free.  Adjust all callers to match.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Make struct k5buf less opaque and get rid of k5buf-int.h.  Make it
easy to initialize a k5buf in an error state so that it can be freed
in a cleanup handler.  Add a function k5_buf_status which returns 0 or
ENOMEM.  Remove k5_buf_data and k5_buf_len.  Rename k5_free_buf to
k5_buf_free.  Adjust all callers to match.
</pre>
</div>
</content>
</entry>
</feed>
