This is an extension that is needed to work around a bug in Microsoft's
SPNEGO implementation when the mechanism used is NTLMSSP and a MIC is
produced internally by this mechanism when this is the preferred
mechanism for the client.
In such a case Microsoft servers require a mechlistMIC to be produced even
if RFC 4178 (c) says it should be optional.
In order to avoid interoperability problems this function checks if a
MIC has been produced internally and if so sets sc->mic_reqd to 1, forcing
us to emit a mechlistMIC.
This function is intentionally called after every gss_init_sec_context()
although only the second call can actually return a meaningful answer. The
first call is used to signal to the mechanism that the SPNEGO layer does
support forcing a mechlistMIC so that the mechanism does not put a MIC in
the Authenticate message at all if forcing a mechlistMIC is not supported.
Signed-off-by: Simo Sorce <simo@redhat.com>
We have used awk scripts in preference to the C version of compile_et
since 1994 (r4426). Get rid of the sources for the C version and all
of the Makefile.in references to them.
A lot of KDC code was spent copying options to flags, and copying
header_ticket flags to the output ticket.
Behavior change: previous code didn't copy PROXY from the
header_ticket, but this seems to have been a minor bug rather than
intentional. This also seems to have been an omission from RFC 4120.
In add_admin_princ, remove build_name_with_realm and call asprintf
directly instead. Check for asprintf failure to avoid passing an
undefined pointer to krb5_parse_name.
[ghudson@mit.edu: rewrite commit message]
ticket: 7902 (new)
target_version: 1.12.2
tags: pullup
Use a library initializer to prevent multiple threads using PKINIT
from concurrently initializing OpenSSL functions. For cases where
MT-safety is not assured by registering OpenSSL locking callbacks,
this significantly lowers the odds of crashes caused by races in
OpenSSL initialization. (If OpenSSL initialization functions are
called by some other thread directly, crashes are still possible.)
[ghudson@mit.edu: simplify code changes and commit message]
ticket: 6413
Where we have ATHENA.MIT.EDU stanzas in sample or test krb5.conf files
which define kdc entries, also define a master_kdc entry. Remove
default_domain and v4_instance_convert entries in examples as they are
only needed for krb5/krb4 principal conversions. In the krb5_conf.rst
example, remove enctype specifications as we don't want to encourage
their use when they aren't necessary, and remove a redundant
domain_realm entry.
ticket: 7901 (new)
Treat POLLHUP without POLLIN or POLLOUT as an exception in the poll
version of cm_get_ssflags, to correctly handle TCP connection errors
on OS X.
Since f72c3ffa the policy is initialized as part of database.
adb_policy_close is now a no-op, and adb_policy_init just makes sure
the database is initialized. adb_policy_init is only called from
kadm5_flush, and only if database initialization was successful
beforehand, rendering this call redundant.
Remove adb_policy_init and adb_policy_close and all their references
in the code and documentation.
Due to an inverted test in adb_policy_init, kadm5_flush calls
krb5_db_open twice. With the DB2 KDB module, the second open is a
no-op, but with the LDAP module, a new DB handle is allocated and the
old one is leaked.
[ghudson@mit.edu: rewrote commit message]
ticket: 7897 (new)
target_version: 1.12.2
tags: pullup
Move get_curtime_ms and the cm functions near the top of the file
right after structure definitions. Except for cm_select_or_poll,
define each cm function separately for poll and for select, since the
implementations don't share much in common. Instead of
cm_unset_write, define cm_read and cm_write functions to put an fd in
read-only or write-only state. Remove the ssflags argument from
cm_add_fd and just expect the caller to make a subsequent call to
cm_read or cm_write. Always select for exceptions when using select.
(Polling for exceptions is implicit with poll).
With these changes, we no longer select/poll for reading on a TCP
connection until we are done writing to it. So in service_tcp_fd,
remove the check for unexpected read events.
POSIX defines getopt to be declared in unistd.h, and HP-UX (as of
version 11.31) does not appear to have getopt.h. In test programs
which currently include getopt.h and aren't currently built on
Windows, include unistd.h or just assume we will get it via k5-int.h.
ticket: 7894 (new)
target_version: 1.12.2
tags: pullup
The Solaris native compiler (as of version 5.9) outputs code for
static inline functions even if they are not used. So the
k5buf_to_gss helper in gssapiP_generic.h causes t_seqstate to have a
dependency on libkrb5support.
ticket: 7872
At the end of setup_gss(), gss_client_creds is released, but an alias
to the credential handle is saved in kadm5_server_handle_t in
handle->clnt->cl_auth->(struct rpc_gss_data *)ah_private->sec.cred.
Accessing these credentials (by authgss_refresh) can result in use
after free.
This fix stores the credential reference in the server handle and releases
the credentials in kadm5_destroy.
[ghudson@mit.edu: initialize handle->cred to correct constant; get rid
of gss_client_creds variable; clarify commit message slightly]
ticket: 7891 (new)
In krb5_salttype_to_string, output the salt type name we would
recognize as input.
In the output of getprinc, display the enctype and salt type in a form
we would accept--either enctype:salttype if the salt type is not the
default, or just the enctype if it is.
Update t_mkey.py and t_salt.py to expect the new output format.
Update documentation examples to show the new format.
ticket: 5958
In kadmin_local.rst, update the example to reflect the new way we
display enctypes after #5014.
ticket: 7890 (new)
target_version: 1.12.2
tags: pullup
--with-crypto=openssl is incorrect; it's --with-crypto-impl=openssl.
[ghudson@mit.edu: wrap source line at 70 columns; improve grammar of
the next sentence]
Use alloc_data() and empty_data() where appropriate. Keep mainline
logic to the left where possible. Name the output parameter of
krb5int_des_init_state with an _out suffix. Use a professional tone
in comments. Partly based on a patch from Alok Menghrajani.
Stop adding OIDs to the global OpenSSL table. It isn't thread-safe
(even with locking callbacks registered), and calling OBJ_cleanup
could break other uses of OpenSSL. Instead, use anonymous OIDs
created with OBJ_txt2oid. Anonymous OIDs need to be managed more
carefully to avoid double-freeing, so create a copy before calling
PKCS7_add_signed_attribute, and don't free the result of
pkinit_pkcs7type2oid in cms_contentinfo_create.
ticket: 7889
pkinit_crypto_openssl.c currently creates a shadow entry for
id-pkcs7-data so that OpenSSL will expect to see the corresponding
octet string in d.other instead of d.data. This shadowing is very
unfriendly to other uses of OpenSSL and we should stop. Eliminate the
shadowing and rewrite create_contentinfo so that it sets up the PKCS7
object correctly if the OID is id-pkcs7-data.
ticket: 7889
The definition of SAFE_GETUINT16 mistakenly uses "p" instead of its ptr
parameter in three places, which happens to work because all current
invocations of the macro use "p" as the ptr argument. Fix it to
correctly use the ptr parameter.
[ghudson@mit.edu: commit message]
ticket: 6845
When parsing port numbers, we previously attempted to conditionalize use
of strtoul() on whether or not it was available, falling back to atoi()
instead, but we did so in a way that would always fall back to using
atoi(). We also call strtoul() from elsewhere without that condition,
so we don't gain anything by trying to be careful about it here.
Don't check the address of the kpasswd server when parsing the reply
we received from it. If the server's address was modified by a proxy
or other network element, the user will be incorrectly warned that the
password change failed when it succeeded. The check is unnecessary as
the kpasswd protocol is not subject to a reflection attack.
[ghudson@mit.edu: edit commit message]
ticket: 7886 (new)
Some applications write a profile file and then immediately use it via
a krb5_context. If we have a cached copy of the profile we wrote,
make sure to update it by forcing a stat when we reuse an existing
prf_data_t object.
[ghudson@mit.edu: commit message]
ticket: 7884
When we go to decrypt a ticket using a keytab, we have two code paths.
In the first (traditional) one, we try to read an entry that exactly
matches the principal name, enctype, and kvno from the ticket, and then
attempt to decrypt the ticket using the entry's key. The keytab
routines helpfully return an entry so long as it's of a key type that's
compatible with the ticket being decrypted, fixing up the enctype in the
entry structure while doing so, allowing us to decrypt a DES-CBC-CRC
ticket with a DES-CBC-MD5 key.
In the second code path, we try the key of every entry which loosely
matches the principal name from the ticket and which exactly matches its
enctype, meaning that the ticket/keytab pair above won't work if the
principal name is one which suggests we shouldn't be matching entries
exactly.
This change modifies the "any" path to also try to decrypt the ticket
with compatible keys.
[ghudson@mit.edu: avoid stuffing too much logic in one conditional]
ticket: 7883 (new)
After searching for a cross-realm TGS entry to provide to a client as a
referral, if we're all set to return a success code but aren't actually
returning an entry, we should be returning an error. We might not do so
because we don't compare the right value against NULL.
This corrects an error in a redundant check in the patch for
CVE-2013-1417. The error in the check cannot occur in practice
because the other part of the patch for CVE-2013-1417 prevents it, but
static analyzers can flag the erroneous check.
[tlyu@mit.edu: edit commit message]
ticket: 7881 (new)
tags: pullup
target_version: 1.12.2
In pkinit_as_req_create, create and encode stack-allocated auth-pack
structures containing only alias pointers, instead of heap-allocated
structures containing a mix of alias pointers, owner pointers, and
appropriated caller memory. Keep everything we temporarily allocate
in separate local variables and free them through those variables.
In pa_pkinit_gen_req, use safer memory practices to avoid problems
like issue #7878. Free the checksum since pkinit_as_req_create no
longer takes ownership of it. Remove a broken overly defensive check
after calling pkinit_as_req_create.
Remove init_krb5_auth_pack and init_krb5_auth_pack_draft9 as they are
no longer required.
In pa_pkinit_gen_req, if the cleanup handler is reached with non-zero
retval and non-null out_data, out_data is freed, then dereferenced,
then freed again. This can only happen if one of the small fixed-size
malloc requests fails after pkinit_as_req_create succeeds, so it is
unlikely to occur in practice.
ticket: 7878 (new)
target_version: 1.12.2
tags: pullup
Replace util_ordering.c with a new file util_seqstate.c, implemented
using a bitmap of previously received sequence numbers instead of a
20-element circular queue. This approach has slightly different
limitations--it can check for replays for values within 64 of the
expected next number, where the old code could check within the range
of the last 20 received numbers regardless of how far apart they are.
The new approach should work as well or better for any realistic
packet reordering scenario.
ticket: 7879 (new)
Use an opaque structure type instead of a void pointer for the
sequence number state. Rename all functions to use a g_seqstate
prefix rather than a mix of g_order and g_queue. Remove the
unnecessary indirection from the state object parameter in
g_seqstate_check and g_seqstate_free. Return OM_uint32 where we
return a GSS major code, long where we return an errno value, and void
where we can't fail.
ticket: 7872
Since #2040, the dummy queue element inserted by g_order_init no
longer compares less than the initial sequence number, so we fail when
the first few sequence numbers are received out of order. Properly
detect when a sequence number fits between the dummy element and the
first real queue element.
[ghudson@mit.edu: rewrote commit message]
ticket: 7872
target_version: 1.12.2
tags: pullup
Currently, per-request preauth module data is only cleared when we
successfully obtain initial credentials. Make sure to clear it at the
end of the operation even if we failed to get creds.
[ghudson@mit.edu: expanded commit message]
ticket: 7793
target_version: 1.12.2
tags: pullup
In particular, it is set by default. This can lead to confusing
behavior wherein adding a k5login file removes a user's remote
access.
Make an example more concrete to account for this case.
ticket: 7876 (new)
target_version: 1.12.2
tags: pullup
When copying most of the credentials from one cache to another in
copy_creds_except (called from get_vfy_cred, from
krb5_verify_init_creds), we need to free all of the credentials that
we read, not just the ones we copied.
[ghudson@mit.edu: edited commit message]
ticket: 7875 (new)
target_version: 1.12.2
tags: pullup
When we get a KRB5_KDC_UNREACH error back from k5_sendto, we check if
the err variable we passed for use by our message handler has been set
to KDC_ERR_SVC_UNAVAILABLE. If k5_sendto doesn't receive any
response, though, the handler isn't called, so we're reading an
uninitialized variable. Initialize it to a value other than
KDC_ERR_SVC_UNAVAILABLE to be sure.
[ghudson@mit.edu: initialize err just before calling k5_sendto; edit
commit message]
ticket: 7874 (new)
target_version: 1.12.2
tags: pullup
When we removed the maximum number of ulog entries (#7368), we did not
update the documentation for that parameter in kdc.conf. Reported by
Richard Basch.
ticket: 7849
target_version: 1.12.2
tags: pullup
Don't delete gssapi_krb5.h now that it is not generated.
[ghudson@mit.edu: also remove from generate-files-mac rule and from
.gitignore]
The current extended gic option facility violates strict aliasing, is
not nestable (gic_opt_to_opte cannot be used on an extended options
structure cast back to krb5_get_init_creds_options), and requires
callers to use error-prone conversion functions.
Rewrite this code to use a new structure private to gic_opt.c, which
contains a krb5_get_init_creds_opt structure as its first member. We
can cast between the extended structure and its first element without
violating strict aliasing (C99 6.7.2.1 paragraph 13 and the aggregate
type clause of 6.5 paragraph 7). Define internal accessor functions
for the extended option fields. Replace all uses of krb5_gic_opt_ext
in callers with krb5_get_init_creds_opt and the new accessors. Bring
krb5_get_init_creds_opt_set_pa back into gic_opt.c (reverting
faa810c5b59fa33d9f7db837c5bb88df5436bb30) so that all of the code
which accesses the extended options structure can be in one file.
ticket: 6034
ticket: 7868
If we try to change the password in krb5_get_init_creds_password, we
must use all application-specified gic options which affect
preauthentication when getting the kadmin/changepw ticket. Create a
helper function make_chpw_options which copies the application's
options, unsets the options we don't want, and sets options
appropriate for a temporary ticket.
ticket: 7868
ticket: 7866
target_version: 1.12.2
tags: pullup
The LDAP debug level option (#7551) causes a build failure with the
Solaris LDAP library, which does not have LDAP_OPT_DEBUG_LEVEL.
ticket: 7870 (new)
target_version: 1.12.2
tags: pullup
Revert r16428 now that gssapi_krb5.h is in the source tree.
Remove obsolete parenthetical statement in the description of the
"-update" switch to "kdb5_util load". Using the "-update" flag to
load a second dump made using the "-ov" switch is no longer necessary
now that the "-r13" format is the default. Add statement that the
"-b7" dump format was the default for versions prior to 1.2.2 (to
match the statement from "dump" section).
[tlyu@mit.edu: commit message]
ticket: 7865
tags: pullup
target_version: 1.12.2
References to krb5_int16.rst and krb5_ui_2.rst were missing, but
recently began causing sphinx-build errors because Doxygen started
generating them after the stdint.h changes.
Since we no longer prefix an "#include <stdint.h>" in the gssapi.h
preamble at build time, include it in gssapi.hin.
Update util/gss/kernel-lib/Makefile.in to account for gssapi_krb5.h
being in the source tree.
Revert #7384, as there are no longer policy refcounts. For iprop
dumps we want to make sure that the reported serial number matches the
DB state (although we could perhaps relax that requirement with enough
analysis), but for non-iprop dumps we don't need any transactional
guarantees.
Also use the correct constant name for the locking mode (the numeric
value is the same, fortunately), and only unlock the database if we
successfully locked it.
ticket: 7869 (new)
Directly use stdint.h names for integer types in preference to the
various internal names we have made up for them.
We started generating gssapi_krb5.h from gssapi_krb5.hin when we
needed to use a 64-bit type for lucid contexts. Since we can now
assume a standard name for 64-bit types, we can stop generating the
header.