<feed xmlns='http://www.w3.org/2005/Atom'>
<title>krb5.git/src/lib/kdb, branch keyring</title>
<subtitle>MIT Kerberos patches</subtitle>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/'/>
<entry>
<title>Remove last uses of "possibly-insecure" mktemp(3)</title>
<updated>2013-11-04T18:43:36+00:00</updated>
<author>
<name>Ben Kaduk</name>
<email>kaduk@mit.edu</email>
</author>
<published>2012-07-03T14:27:20+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=0415740bb569bad53b18f4483837e7e037f88544'/>
<id>0415740bb569bad53b18f4483837e7e037f88544</id>
<content type='text'>
Many libc implementations include notations to the linker to generate
warnings upon references to mktemp(3), due to its potential for
insecure operation.  This has been the case for quite some time,
as was noted in RT #6199.  Our usage of the function has decreased
with time, but has not yet disappeared entirely.  This commit
removes the last few instances from our tree.

kprop's credentials never need to hit the disk, so a MEMORY ccache
is sufficient (and does not need randomization).
store_master_key_list is explicitly putting keys on disk so as to
do an atomic rename of the stash file, but since the stash file
should be in a root-only directory, we can just use a fixed name
for the temporary file.  When using this fixed name, we must detect
(and error out) if the temporary file already exists; add a test to
confirm that we do so.

ticket: 1794
</content>
</entry>
<entry>
<title>Clean up stash file error handling</title>
<updated>2013-11-04T18:42:32+00:00</updated>
<author>
<name>Ben Kaduk</name>
<email>kaduk@mit.edu</email>
</author>
<published>2012-07-18T14:05:33+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=f7e434aa7ecb05a6ade5e3d4a435d25069acd5b2'/>
<id>f7e434aa7ecb05a6ade5e3d4a435d25069acd5b2</id>
<content type='text'>
The comment previously failed to match the behavior. The intent was
that if we failed to write out the entire stash file into the
temporary location, we should remove the partial file.  However, the
code was actually checking whether the *real* stash file existed,
not whether the temporary one existed.

It is safe to always try to unlink the partial file, and not worry
about whether it already exists.
</content>
</entry>
<entry>
<title>Fix decoding of mkey kvno in mkey_aux tl-data</title>
<updated>2013-10-29T16:39:21+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2013-10-27T00:17:10+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=64ec2941af1561ef06e7e885b2ffb65a675516ce'/>
<id>64ec2941af1561ef06e7e885b2ffb65a675516ce</id>
<content type='text'>
krb5_dbe_lookup_mkey_aux was decoding a 16-bit value directly into an
int, resulting in the wrong value on big-endian platforms.  The
consequences are mostly invisible because we ignore this field and try
all mkey_aux nodes in krb5_def_fetch_mkey_list.

ticket: 7738 (new)
target_version: 1.12
tags: pullup
</content>
</entry>
<entry>
<title>Reset key-generation parameters for each enctype</title>
<updated>2013-10-25T18:15:12+00:00</updated>
<author>
<name>Ben Kaduk</name>
<email>kaduk@mit.edu</email>
</author>
<published>2013-10-25T18:00:29+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=381cf01afb13ad28de0927de37f8e1d12749bf49'/>
<id>381cf01afb13ad28de0927de37f8e1d12749bf49</id>
<content type='text'>
In add_key_pwd, initialize s2k_params to NULL inside the loop over
enctypes instead of outside the loop, so that if the afs3 salt type
is used it does not contaminate later enctype/salt pairs in the list.

ticket: 7733
tags: pullup
target_version: 1.12
</content>
</entry>
<entry>
<title>Correctly activate master keys in pre-1.7 KDBs</title>
<updated>2013-10-25T15:36:12+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2013-10-24T16:51:18+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=ec560fac83912abaa15fb158101c8174497081c5'/>
<id>ec560fac83912abaa15fb158101c8174497081c5</id>
<content type='text'>
Starting with 1.7, databases are created with actkvno tl-data in the
K/M entry which gives the initial master key version an activation
time of 0.  A database created before 1.7 will not have this tl-data,
but we should behave in the same way as we do for a more recent
database.

Move the actkvno list synthesis code from krb5_dbe_fetch_act_key_list
to krb5_dbe_lookup_actkvno so it applies to kdb5_util commands as well
as libkadm5.  Synthesize the same list as we would have initialized
the KDB with, with an activation time of 0 for the earliest master
key.

ticket: 7686
target_version: 1.12
tags: pullup
</content>
</entry>
<entry>
<title>Reload master keys to find active mkey if needed</title>
<updated>2013-10-25T15:36:11+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2013-10-23T22:56:14+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=f9d6353922393936ab7125d1f04e577857909a99'/>
<id>f9d6353922393936ab7125d1f04e577857909a99</id>
<content type='text'>
Refactor krb5_dbe_find_act_mkey and make it reload the master key list
if it doesn't find a master key matching the active mkvno.

ticket: 7685
</content>
</entry>
<entry>
<title>Avoid allocating zero key_data structures</title>
<updated>2013-07-15T16:20:26+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2013-07-15T16:20:26+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=d9457b501cbab535e5968dbdf195ca334b9fa555'/>
<id>d9457b501cbab535e5968dbdf195ca334b9fa555</id>
<content type='text'>
When we allocate space for an array of key_data structures, make sure
we allocate at least one, so we don't spuriously fail on platforms
where malloc(0) returns NULL.  Where we use malloc, use k5calloc
instead.  Where we use krb5_db_alloc or realloc, just allocate an
extra entry.
</content>
</entry>
<entry>
<title>Fix various warnings</title>
<updated>2013-06-07T19:19:37+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2013-06-07T19:17:31+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=e51c089b745161dd6e1d64998e99d065fc22377e'/>
<id>e51c089b745161dd6e1d64998e99d065fc22377e</id>
<content type='text'>
</content>
</entry>
<entry>
<title>Reduce boilerplate in makefiles</title>
<updated>2013-05-17T00:09:27+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2013-05-16T18:21:12+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=4b0985f8573840838bcfa8ec1df3dcd39a3dbf15'/>
<id>4b0985f8573840838bcfa8ec1df3dcd39a3dbf15</id>
<content type='text'>
Provide default values in pre.in for PROG_LIBPATH, PROG_RPATH,
SHLIB_DIRS, SHLIB_RDIRS, and STOBJLISTS so that they don't have to be
specified in the common case.  Rename KRB5_RUN_ENV and KRB5_RUN_VARS
to RUN_SETUP (already the most commonly used name) and RUN_VARS.  Make
sure to use DEFINES for local defines (not DEFS).  Remove some other
unnecessary makefile content.
</content>
</entry>
<entry>
<title>Assume mutex locking cannot fail</title>
<updated>2013-05-14T17:31:41+00:00</updated>
<author>
<name>Greg Hudson</name>
<email>ghudson@mit.edu</email>
</author>
<published>2013-05-10T18:01:48+00:00</published>
<link rel='alternate' type='text/html' href='https://fedorapeople.org/cgit/simo/public_git/krb5.git/commit/?id=6350fd0c909d84c00200885e722cc902049ada05'/>
<id>6350fd0c909d84c00200885e722cc902049ada05</id>
<content type='text'>
Locking and unlocking a non-recursive mutex is a simple memory
operation and should not fail on any reasonable platform with correct
usage.  A pthread mutex can return EDEADLK on lock or EPERM on unlock,
or EINVAL if the mutex is uninitialized, but all of these conditions
would reflect serious bugs in the calling code.

Change the k5_mutex_lock and k5_mutex_unlock wrappers to return void
and adjust all call sites.  Propagate this change through
k5_cc_mutex_lock and k5_cc_mutex_unlock as well.
</content>
</entry>
</feed>
