| Commit message |
|
Fix some small memory leaks which happen only in rare failure
conditions. Reported by Will Fiveash <will.fiveash@oracle.com>.
|
|
Move internal declarations from k5-int.h to more localized headers
(like int-proto.h) where appropriate. Rename many symbols whose
prototypes were moved to use the k5_ prefix instead of krb5int_.
Remove some unused declarations or move them to the single source file
they were needed in. Remove krb5_creds_compare since it isn't used
any more.
|
Add k5-int.h static functions to duplicate byte ranges, optionally
with a trailing zero byte, and set an error code like k5alloc does.
Use them where they would shorten existing code.
|
Commit c072b059ecff257e7600be0e86869decd135d422 did not have the
intended effect because, at the point where is_referral is set,
request->server has already been modified to contain server->princ.
ticket: 7555
status: open
|
A server response which is a cross-realm TGT is not a referral if it
was directly requested by the client. Misclassifying such a response
as a referral means we don't mirror the request's name type, which has
been observed to break older Java clients.
ticket: 7555 (new)
|
Read realm parameters directly from the profile in the KDC's
init_realm(), getting rid of the intermediate krb5_realm_params
structure. Then get rid of krb5_realm_params and
krb5_read_realm_params, since nothing else uses it.
|
Stop using macros to refer to kdc_realm_t fields, as they could
conflict with structure field names for the same. Leave behind the
kdc_context and tgs_server macros for now.
|
krb5_realm_params is only consumed by the KDC (everything else uses
kadm5_config_params), so only needs to contain fields used by the KDC.
Get rid of everything else. Also get rid of realm_profile, which is
read in by KDC code but never used (and was never set anyway).
|
Remove some unnecessary optimizations to reduce code complexity. Get
rid of krb5_match_config_pattern in favor of a simpler helper function
in do_tgs_req_c. Get rid of KRB5_CONF_ASTERISK and just use "*"
instead. Use a helper function to combine [kdcdefaults] and realm
subsection values of variables, and don't bother adding leading and
trailing spaces. Consistently use the names "hostbased" and
"no_referral" to refer to variable values (with a "realm_" prefix for
structures which currently use it).
|
If no_host_referral is set in both [kdcdefaults] and the realm
subsection, we're supposed to concatenate their values. But the logic
in handle_referral_params would overwrite the value with the
non-concatenated realm value. Similar bugs of this nature were fixed
in 639c9d0f5a7c68dc98a2a452abc05ca32443cddf (r22037) but this one was
missed.
ticket: 7539 (new)
target_version: 1.11.1
tags: pullup
|
adm.h predates the ovsec kadm5 integration. It contains a bunch of
obsolete defines and a redundant definition of krb5_realm_params. Get
rid of it, and include <kadm5/admin.h> where we currently include it.
|
Mostly this gets rid of the trailing space on line 2 after
bb76891f5386526bdf91bc790c614fc9296cb5fa.
|
In prepare_error_tgs, kdc_free_rstate, and kdc_fast_handle_error,
remove unnecessary null checks. The callers avoid passing null
states, and in each case we've already dereferenced the pointer
earlier. Reported by Nickolai Zeldovich <nickolai@csail.mit.edu>.
ticket: 7511
|
The initial k5test.py design, copied from the dejagnu suite, is to
create config files and environments for four expected roles: client,
server, master, and slave. This approach exaggerates the complexity
of the common case, where the configurations don't need to vary, and
limits us to having just one slave for kprop/iprop tests.
Instead, create just one configuration by default, and add a
special_env() method which sets up a differently configured
environment for the few test cases which need one. The run_as_*()
methods are collapsed into just run(), which accepts an optional
argument for the environment returned by special_env().
|
Since there is no overlap between the clpreauth and kdcpreauth
interface declarations, there's no particular reason to combine them
into one header. For backward compatibility and convenience, leave
behind a preauth_plugin.h which includes both.
|
In kdc_util.c and spnego_mech.c, error returns from ASN.1 length
functions could be ignored because they were assigned to unsigned
values. In spnego_mech.c, two buffer size checks could be rewritten
to reduce the likelihood of pointer overflow. In dump.c and
kdc_preauth.c, calloc() could be used to simplify the code and avoid
multiplication overflow. In pkinit_clnt.c, the wrong value was
checked for a null result from malloc(), and the code could be
simplified.
Reported by Nickolai Zeldovich <nickolai@csail.mit.edu>.
ticket: 7488
|
A host referral to the same realm we just looked up the principal in
is useless at best and confusing to the client at worst. Don't
respond with one in the KDC.
ticket: 7483
target_version: 1.11
tags: pullup
|
[ghudson@mit.edu: avoid verto.h header dependency; minor fixes]
ticket: 7426 (new)
target_version: 1.11
tags: pullup
|
The old man pages are gone, so we can't install them anymore.
Also clean up install and install-unix targets that were installing
the old man pages by hand.
|
We generate man pages from RST sources now; they are checked into
the tree in src/man/.
The gen-manpages directory is no longer needed.
|
Refactor some of the second-ticket handling and session key
generation out of process_tgs_req().
|
Clean up domain->realm referrals by breaking prep_reprocess_tgs_req()
into smaller functions. Give the resulting functions more descriptive
names. Also delete an unnecessary and almost exact copy of
krb5_get_host_realm().
|
The service principal database entry search logic in process_tgs_req()
was excessively complex, containing questionable uses of "goto", along
with deeply nested control flow. Refactor it into smaller functions.
|
Break validate_tgs_request() into smaller functions. Collect related
checks into helper functions. As a result, some invalid requests with
multiple problems can produce different error messages. This is
probably not a problem for most situations.
|
add_to_transited() is fairly large, and also fairly independent of the
other contents of kdc_util.c. Move it into kdc_transit.c. Also
simplifies the building of rtest by removing dependencies that
kdc_util.c previously needed to satisfy undefined symbols.
|
Make kdc_active_realm a local variable in every function that needs
it. Pass it around in various state structures as needed. Keep the
macros that reference its members for now.
|
Too many parts of the KDC rely on the global variable
kdc_active_realm. rtest.c doesn't actually need any of the
KDC-specific information that's available through kdc_active_realm, so
delete references to it.
|
RFC 4120 section 7.3 says that TGS principal names have two
components. Make krb5_is_tgs_principal() and is_cross_tgs_principal()
enforce this constraint. Code elsewhere in the KDC already checks for
two components anyway.
|
Changes in r25660 inadvertently failed to insert TGS-REPs into the
lookaside cache. Call finish_dispatch_cache() at the end of
dispatch() to handle this case.
ticket: 7388 (new)
target_version: 1.10.4
tags: pullup
|
The KDC should not return KRB5KRB_ERR_GENERIC (KRB_ERR_GENERIC) when the
KDB plugin returns KRB5_KDB_CANTLOCK_DB: it should return
KRB5KDC_ERR_SVC_UNAVAILABLE (KDC_ERR_SVC_UNAVAILABLE) instead. This
allows clients to immediately fall back onto other KDCs.
When we switch to using blocking locks in the db2 KDB backend we'll very
rarely hit this code path, perhaps only when racing against a kdb5_util load.
Other KDB backends might still return KRB5_KDB_CANTLOCK_DB often enough that
this change is desirable.
ticket: 7358 (new)
|
Commit r21692 removed the KRB5_KDB_NON_MS_PRINCIPAL flag.
|
Fix KDC heap corruption vulnerability [MITKRB5-SA-2012-001
CVE-2012-1015]. The cleanup code in
kdc_handle_protected_negotiation() in kdc_util.c could free an
uninitialized pointer in some error conditions involving "similar"
enctypes and a failure in krb5_c_make_checksum().
Additionally, adjust the handling of "similar" enctypes to avoid
advertising enctypes that could lead to inadvertent triggering of this
vulnerability (possibly in unpatched KDCs).
Note that CVE-2012-1014 (also described in MITKRB5-SA-2012-001) only
applies to the krb5-1.10 branch and doesn't affect the master branch
or releases prior to krb5-1.10.
ticket: 7225 (new)
target_version: 1.9.5
tags: pullup
|
The KDC doesn't obviously call make_toolong_error(), but some code in
net-server.c (which is linked into the KDC) does. Document this fact.
|
Previously, if configure did not detect dgettext(), we disabled
anything that smelled like localization, inadvertently including
setlocale(). Now that we use setlocale(LC_ALL, ""), we have
localized dates available as well as messages, so we should not
disable calls to setlocale() any more.
Since the routines from locale.h are only used in a relatively
small number of places, just include the header directly in those
files and remove it from k5-platform.h.
|
Bite the bullet and pass LC_ALL to setlocale() instead of just
LC_MESSAGES. Calls to setlocale() itself were introduced in
fabbf9e443459e8c0161c84563690ed70c7f6a61 for ticket 6918, but
only for LC_MESSAGES since only localized strings were needed
and that was the most conservative option.
However, klist, kadmin, and kinit (and perhaps others) would benefit
from localized formats for times (i.e., LC_TIME). If potentially
localized data is being sent on the wire, that is a bug that should
be fixed. No such bugs are found with the current test suite, so we
are comfortable enabling LC_ALL at this time.
ticket: 7192
|
Use the provided krb5_context, not kdc_context, which isn't valid when
kdc_free_lookaside() is called.
|
Revert 18b02f3e839c007fff54fc9b693f479b7563ec73 in the KDC. Instead,
when making an initial request with a keytab, transmit the whole
default_tkt_enctypes list, but sorted with the enctypes we have in the
keytab first. That way the KDC should prefer enctypes which we have
keys for (for both reply key and session key), but the other enctypes
are still available for use as ticket session keys.
ticket: 7190
|
When making a keytab-based AS request, a client has to choose between
sending its reply key enctype preference list (the enctypes it has in
the keytab) and its session key enctype preference list (all of the
enctypes it supports). Heimdal and MIT krb5 1.11 clients send the
reply key preference list. If this list doesn't overlap with the
server principal keys (say, because the krbtgt principal has only a
DES key), then the AS request will fail.
Try to make this work by making the KDC optimistically pick the first
permitted enctype in the request as the session key, even though it
can't be certain that other KDCs in the realm support that enctype.
Make sure to exercise this case in t_keytab.py by doing a multipass
keytab kinit test.
ticket: 7190 (new)
|
Add a preprocessor constant LOOKASIDE_MAX_SIZE (defaulting to 10MB)
which limits the total size of the lookaside cache entries. Purge
stale entries in kdc_insert_lookaside instead of kdc_check_lookaside,
and when doing so, continue purging non-stale entries until the total
cache size (including the new entry) is within the size constraint.
|
Use krb5_data structures instead of pointers in the entry structure,
reducing the number of memory allocations.
|
The etypes list was never freed. Also use k5_etypes_contains.
|
Adds a principal string attribute named "session_enctypes" which can
specify what enctypes the principal supports for session keys. (For
what it's worth, this actually allows one to list des-cbc-md5 as a
supported session key enctype, though obviously this hardly matters
now.)
Add a [realms] section parameter for specifying whether to assume that
principals (which lack the session_enctypes attribute) support
des-cbc-crc for session keys. This allows those who still need to use
allow_weak_crypto=true, for whatever reason, to start reducing the
number of tickets issued with des-cbc-crc session keys to clients
which still give des-cbc-crc preference in their default_tgs_enctypes
list.
[ghudson@mit.edu: Miscellaneous edits, cleanups, and fixes; refactored
test script; documented session_enctypes attribute]
|