| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
In some cases, on error errinfo->err may hold an alocated error message.
Free it on an error condition.
Signed-off-by: Simo Sorce <simo@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
glibc does not declare a number of common, useful extensions such as
asprintf unless _GNU_SOURCE is defined. Define it early in the
configure process so that it is available for autoconf tests.
Defining _GNU_SOURCE unfortunately causes glibc to use the non-POSIX
version of strerror_r, which we now handle using the k5-platform.h
wrapper.
ticket: 7961
|
|
|
|
|
|
|
|
|
| |
Include autoconf.h (either directly or via proxy) before system
headers, so that feature test macros defined there can affect the
system namespace. Where include order was changed, eliminate some
redundant or unnecessary includes.
ticket: 7961
|
|
|
|
|
|
|
|
| |
Take advantage of the strerror_r portability wrapper to simplify code
using it. Remove unused macros related to strerror_r in
ldap_service_stash.c and plugins.c.
ticket: 7961
|
|
|
|
|
|
|
|
| |
On systems where strerror_r is not the POSIX version, define it to
k5_strerror_r. Implement k5_strerror_r in libkrb5support using
strerror_s, strerror, or the GNU strerror_r as appropriate.
ticket: 7961
|
|
|
|
|
|
|
|
|
|
|
|
| |
Remove code to set or reference the length fields of socket addresses
(sa_len/sin_len/sin6_len), since they aren't portable and setting them
is not required. Remove autoconf tests for those fields which are no
longer used or which were never used.
There is one exception: in localaddr.c, we still neeed to reference
sa_len for the definition of ifreq_size on platforms which have
sa_len. Leave that behind, along with the autoconf test which defines
SA_LEN.
|
|
|
|
|
|
|
| |
In socket-utils.h, replace the socklen macro with an inline function
sa_socklen which always uses the address family, even on platforms
with the sa_len sockaddr field. This removes the need to set sa_len
in socket addresses we construct.
|
|
|
|
|
|
|
|
|
| |
In setup_udp_port_1, remove the haddrbuf parameter and use paddr like
we already do for one of the log messages. In setup_udp_port, remove
the long switch statement and just look for AF_INET/AF_INET6
addresses. Split up udp_flags into two booleans for clarity. Update
the comment in loop_setup_network since we did the "To do" item a long
time ago.
|
|
|
|
|
|
|
|
|
|
|
|
| |
For example, FreeBSD has removed RTM_OLDADD and RTM_OLDDEL from its API
in March 2014, with the message:
Garbage collect long time obsoleted (or never used) stuff from routing API
Only attempt to define behavior for these cases if they are defined.
ticket: 7955 (new)
tags: pullup
target_version: 1.12.2
|
|
|
|
|
|
|
|
|
|
|
| |
In svctcp_create() and svcudp_bufcreate(), set sa->sa_len on platforms
where that field exists, so that a subsequent call to socklen() will
return the correct result.
To make the code more self-evidently correct, zero the entire struct
sockaddr_storage object, using the memset(&ss, 0, sizeof(ss)) idiom.
ticket: 7935
|
|
|
|
|
|
|
|
|
|
| |
docutils 0.10 properly adds indentation to example blocks in man
pages, so we do not need to force an extra indentation level. Get rid
of the workaround wherever we use it.
ticket: 7954 (new)
target_version: 1.12.2
tags: pullup
|
|
|
|
|
|
|
|
|
|
|
|
| |
If krb5_get_tgs_ktypes fails (due to an out-of-memory condition or an
error re-reading the profile), k5_make_tgs_req will dereference a null
pointer. Check the return value before dereferencing defenctypes.
[ghudson@mit.edu: clarified commit message]
ticket: 7952 (new)
target_version: 1.12.2
tags: pullup
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make clnttcp_create, clntudp_bufcreate, svctcp_create, and
svcudp_bufcreate work with unbound IPv6 sockets using bindresvport_sa
and other socket helpers. For caller-supplied sockets, call
getsockname to determine the address family we should attempt to bind.
[ghudson@mit.edu: clarified commit message, minimized code changes,
used socket-utils.h helpers, fixed fallback find on bindresvport
failure, restored getsockaddr call to get port after binding]
ticket: 7935
|
|
|
|
|
|
|
|
|
|
|
|
| |
This functions allows you to pass IPv4 and IPv6 addresses. If no
address is given, t will determine the family by checking the socket
with getsockname.
[ghudson@mit.edu: clarified commit message, split out setport helper,
squashed with next commit, minimized code changes from old
bindresvport, used socket-utils.h helpers]
ticket: 7935 (new)
|
|
|
|
|
|
| |
Use sa_setport and sa_getport in place of existing static helpers or
open-coded switch statements in net-server.c, fake-addrinfo.c, and
svc_tcp.c.
|
|
|
|
|
| |
Add sa_setport, sa_getport, and sa_is_inet helpers for conveniently
manipulating port numbers on IPv4 and IPv6 socket addresses.
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
To create worker processes, the KDC shuts down realms, forks off the
worker processes, then reinitializes realms in each child.
Reinitializing realms requires making a second pass over the
command-line arguments. To do this with getopt, optind must be
reinitialized to 1 for each pass; otherwise, no options will be seen
the second time around.
ticket: 7945
target_version: 1.12.2
tags: pullup
|
|
|
|
| |
ticket: 7949
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Detect the following cases which would otherwise cause invalid memory
accesses and/or integer underflow:
* An RFC 1964 token being processed by an RFC 4121-only context
[CVE-2014-4342]
* A header with fewer than 22 bytes after the token ID or an
incomplete checksum [CVE-2014-4341 CVE-2014-4342]
* A ciphertext shorter than the confounder [CVE-2014-4341]
* A declared padding length longer than the plaintext [CVE-2014-4341]
If we detect a bad pad byte, continue on to compute the checksum to
avoid creating a padding oracle, but treat the checksum as invalid
even if it compares equal.
CVE-2014-4341:
In MIT krb5, an unauthenticated remote attacker with the ability to
inject packets into a legitimately established GSSAPI application
session can cause a program crash due to invalid memory references
when attempting to read beyond the end of a buffer.
CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
CVE-2014-4342:
In MIT krb5 releases krb5-1.7 and later, an unauthenticated remote
attacker with the ability to inject packets into a legitimately
established GSSAPI application session can cause a program crash due
to invalid memory references when reading beyond the end of a buffer
or by causing a null pointer dereference.
CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C
[tlyu@mit.edu: CVE summaries, CVSS]
ticket: 7949 (new)
subject: Handle invalid RFC 1964 tokens [CVE-2014-4341 CVE-2014-4342]
taget_version: 1.12.2
tags: pullup
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On platforms which support RTLD_NODELETE, use it to load plugin
modules. While using this flag makes plugins stay in the process map
after libkrb5/libgssapi_krb5 are unloaded, it solves several problems:
1. It prevents plugin modules which link against OpenSSL (PKINIT and
k5tls) from repeatedly initializing instances of libssl or libcrypto,
leaking heap memory each time. This is only an issue because we
cannot safely uninitialize OpenSSL.
2. It prevents finalization ordering issues from causing a process
crash when unloading libgssapi_krb5 (issue #7135).
3. It makes memory leak tracing with valgrind easier.
ticket: 7947 (new)
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If krb5_encrypt_keyhelper() returns an error, the ciphertext structure
may contain a non-zero length, but it will already have freed the
pointer to its data, making encrypt_credencpart()'s subsequent attempt
to clear and free the memory fail. Remove that logic.
Based on a patch from Jatin Nansi.
ticket: 7948 (new)
target_version: 1.12.2
tags: pullup
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In create_identifiers_from_stack: check for allocation errors from
PKCS7_ISSUER_AND_SERIAL_new and M_ASN1_INTEGER_dup. Use
PKCS7_ISSUER_AND_SERIAL_free to more concisely clean up the OpenSSL
issuer variable, and make sure that any partially processed value is
cleaned up on error. Use calloc to allocate krb5_cas so that all of
its pointers are initially nulled, so that
free_krb5_external_principal_identifier can operate on it safely in
case of error. Eliminate the retval variable as it was not used
safely. Rename the error label from "cleanup" to "oom" and separate
it from the successful return path (which has nothing to clean up).
ticket: 7943 (new)
target_version: 1.12.2
tags: pullup
|
|
|
|
|
|
|
|
|
|
|
| |
Document DB options in the kadmin/kadmin.local man page, in their own
section. Refer to that section from the documentation of the -x
parameter of each other command which supports DB options. Add
documentation for the "dbname" DB2 option.
ticket: 7946 (new)
target_version: 1.12.2
tags: pullup
|
|
|
|
|
| |
Fix three mismatched constant names, and properly alphabetize and
columnize the lists of definitions. No functional changes.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make the example and documentation a closer match to reality.
In particular, the list permission is all-or-nothing; it is not
restricted in scope by the target_principal field. Change the
table entry to try and indicate this fact, and do not put list
permissions on any example line that is scoped by a target_principal
pattern.
While here, remove the nonsensical granting of global inquire
permissions to */* (inaccurately described as "all principals"),
and the granting of privileges to foreign-realm principals.
It is not possible to obtain an initial ticket (as required by
the kadmin service) for a principal in a different realm, and
the current kadmind implementation can serve only a single realm
at a time -- this permission literally has no effect. Replace
it with a (presumably automated) "Service Management System"
example, where it might make sense to limit the principals which
are automatically created.
ticket: 7939
|
|
|
|
|
|
|
|
|
|
|
|
| |
When constructing a draft9 PKINIT request, always include
KRB5_PADATA_AS_CHECKSUM padata to ask for an RFC 4556 ReplyKeyPack.
Do not accept a draft9 ReplyKeyPack in the KDC response.
For now, retain the krb5_reply_key_pack_draft9 ASN.1 codec and the KDC
support for generating a draft9 ReplyKeyPack when a draft9 PKINIT
request does not contain KRB5_PADATA_AS_CHECKSUM.
ticket: 7933
|
|
|
|
|
|
|
|
| |
Remove the PKINIT Windows Server 2008 beta compatibility code
conditionalized under the "longhorn" variable. It is not required to
interoperate with any released version of Windows.
ticket: 7934 (new)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Describe how to use a commercially-issued server certificate for
anonymous PKINIT. Separate the KDC and client configuration
instructions so that the steps necessary for anonymous PKINIT are not
combined with the additional steps necessary for regular PKINIT.
Describe kpServerAuth as the EKU used in commercially issued server
certificates, not as the value used by Microsoft (which does not
appear to be true according to [MS-PKCA]).
ticket: 7931 (new)
target_version: 1.12.2
tags: pullup
|
|
|
|
|
|
|
|
|
|
|
| |
Get rid of the address union. Store the result of get_cert_cn in a
signed variable so we can meaningfully check for negative results.
Make get_cert_cn return int for consistency with
X509_NAME_get_text_by_NID and its two callers.
Also add an emacs mode line to the top of the file.
ticket: 7929
|
|
|
|
|
|
|
|
|
| |
This variable was never used in the PKINIT code as it was contributed;
there was only code to read its value.
ticket: 7932 (new)
target_version: 1.12.2
tags: pullup
|
|
|
|
|
|
| |
As contributed, the PKINIT module contained code to read the
pkinit_win2k variable, but never used it. Get rid of the structure
field and the code to populate it.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
profile_flush_to_buffer, profile_flush_to_file, profile_free_buffer,
profile_init_flags, and profile_init_vtable are all public profile
functions, but are inaccessible to libkrb5 applications on some
platforms because they were never added to the export list. Add them
now.
(libprofile functions have never been part of the Windows DLL export
list, so do not change krb5_32.def at this time.)
ticket: 7930 (new)
target_version: 1.12.2
tags: pullup
|
|
|
|
|
|
|
|
|
| |
After krb5_rd_req_decoded or krb5_rd_req_decoded_anyflag, the ticket
(with enc_part2 if we could decrypt it) is accessible via
request->ticket; there is no need to copy it. Stop using the ticket
parameter of those functions. Where we need to save the ticket beyond
the lifetime of the krb5_ap_req, steal the pointer before freeing the
request.
|
|
|
|
|
|
|
| |
Add a test case which performed a TGS request with an expired ticket
and checks that the client principal is logged.
ticket: 7910
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix KDC logging to include client principal in TGS_REQ logging even
during error conditions such as "Ticket expired". As long as the
TGS_REQ can be decrypted and the client principal is available, it
should be included in the log, regardless of other errors which might
be detected.
krb5_rd_req_decoded and krb5_rd_req_decoded_anyflag (not public
interfaces) now leave the decrypted ticket in req->ticket->enc_part2
on success or failure, if the ticket was successfully decrypted. This
does not affect the behavior of krb5_rd_req.
[ghudson@mit.edu: removed extraneous change, added commit message
summary and description of internal API change, fixed possible memory
leak, removed comment and #if 0 code block of purely historical
interest]
ticket: 7910
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Several new GSS-API methods were added but GSSAPI_ADD_METHOD was
called to add them rather than GSSAPI_ADD_METHOD_NOLOOP. This means
that the implementation from the GSS-API mechglue would be used if the
mechanism had no implementation. As a result, the mechglue will call
into itself exhausting the call stack in an endless loop when one of
these methods is called.
ticket: 7926
target_version: 1.12.2
tags: pullup
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Per the ASN.1 definition, the KrbKey salt field is optional. Since
1.7, we have been treating it as mandatory in the encoder; since 1.11,
we have been treating it as mandatory in the decoder. Mostly by luck,
we have been encoding a salt type of 0 when key_data_ver is 1, but we
really should not be looking at key_data_type[1] or key_data_length[1]
in this situation. Treat the salt field as optional in the encoder
and decoder. Although the previous commit ensures that we continue to
always encode a salt (without any dangerous assumptions about
krb5_key_data constructors), this change will allow us to decode key
data encoded by 1.6 without salt fields.
This also fixes issue #7918, by properly setting key_data_ver to 2 if
a salt type but no salt value is present. It is difficult to get the
decoder to actually assign 2 to key_data_ver just because the salt
field is there, so take care of that in asn1_decode_sequence_of_keys.
Adjust kdbtest.c to match the new behavior by setting key_data_ver to
2 in both test keys.
ticket: 7919
target_version: 1.12.2
tags: pullup
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the LDAP KDB module, ensure that every krb5_key_data we pass to
asn1_encode_sequence_of_keys includes a salt type, for compatibility
with the decoder in unpatched krb5 1.11 and 1.12.
This is not a behavior change by itself; since 1.7 the encoder has
always included a KrbKey salt field because it erroneously treats that
field as non-optional. (Luckily, the encoded salt always happens to
have salt type 0 because krb5_key_data constructors start with zeroed
memory.) The next commit will fix the encoder and decoder to properly
treat the KrbKey salt field as optional, so we need this change to
ensure that our encodings remain compatible.
Also fix the ASN.1 tests to set key_data_ver correctly for the sample
test key data.
ticket: 7919
|
|
|
|
|
|
| |
Replace most calls to krb5_set_error_message with k5_setmsg for
brevity. Leave alone plugin sources where we don't include k5-int.h
(mostly PKINIT).
|
|
|
|
|
|
| |
This is just a shorter internal name for krb5_set_error_message. The
full name is so long that we have to wrap error messages more than
we'd like.
|
|
|
|
|
| |
It wasn't being used and it added too much complexity to the
error-handling functions.
|
|
|
|
|
|
|
|
|
|
| |
Always read /etc/gss/mech, even if globbing /etc/gss/mech.d/*.conf
doesn't work. Doing this using GLOB_DOOFFS proved error-prone, so use
a simpler approach: factor out the per-pathname handling into a helper
function load_if_changed, call it with MECH_CONF before the glob, then
pass each glob result through the helper.
ticket: 7925
|
|
|
|
|
|
|
|
|
| |
This feature was never implemented in the PKINIT code as it was
contributed; there was only stub support for reading the filename.
ticket: 7928 (new)
target_version: 1.12.2
tags: pullup
|
|
|
|
|
|
| |
As contributed, the PKINIT code contained code to read a mapping
filename, but never used the resulting structure variable. Get rid of
the structure field and the code to populate it.
|
|
|
|
|
|
|
|
| |
Exercise the MS-KKDCP client support using the test proxy server, for
AS, TGS, and kpasswd requests while also checking the certificate
verification and name checks.
ticket: 7929
|
|
|
|
|
|
|
|
| |
This proxy server uses python-paste to run the kdcproxy from
https://pypi.python.org/pypi/kdcproxy. It should be used along
with the proxy.pem certificate in ../tests/dejagnu/proxy-certs.
ticket: 7929
|
|
|
|
|
|
|
| |
Expose the formerly-internal _runenv module as k5test.runenv, so that
settings we store in the top-level runenv.py will be available to them.
ticket: 7929
|
|
|
|
|
|
|
|
|
| |
Add some longer-form documentation for the new HTTPS support, walking a
prospective administrator through generating a bare minimal signing
setup, deploying a WSGI-based proxy server onto an Apache httpd server
using mod_ssl and mod_wsgi, and configuring clients to use it.
ticket: 7929
|
|
|
|
|
|
|
|
| |
When we connect to a KDC using an HTTPS proxy, check that the naming
information in the certificate matches the name or address which we
extracted from the server URL in the configuration.
ticket: 7929
|