| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Define internal names k5_prendmsg and k5_wrapmsg and use them where we
amend error messages. This slightly changes the error message when we
fail to construct FAST AP-REQ armor, decrypt a FAST reply, or store
credentials in a gic_opts output ccache. Adjust the test suite for
the latter of those changes.
[ghudson@mit.edu: define and use internal names for brevity; pull in
test fix from later commit; expand commit message; fix redundant
separators in LDAP messages]
ticket: 8046
|
| |
|
|
|
|
|
| |
Now that add_key_rnd isn't looking up the TGT principal entry, it
could use retval before initializing it if the loop runs for zero
iterations. Get rid of the add_key_rnd label (as it no longer does
anything) and just return 0 after the loop ends.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In add_key_rnd, stop looking up the krbtgt DB entry; we have not used
it since 1.1.
Use copy_key_data in add_key_rnd and add_key_pwd.
krb5_dbe_crk, krb5_dbe_ark, krb5_dbe_def_cpw, and krb5_dbe_apw all
contained similar logic. Consolidate all of them into a static helper
function which does the work of all four. The ark/apw variants had
slightly different behavior then crk/cpw with keepold=true, so
introduce a three-value enum to express all three behaviors.
|
| |
|
|
|
|
|
|
|
|
|
| |
When we are preserving old key data in kdb_cpw.c, ensure that it is
encrypted with the same master key as the new key data. This ensures
that the KRB5_TL_MKVNO tl-data on the principal entry applies to all
of the key data, not just some of it.
ticket: 7995
target_version: 1.13
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Now that an iprop full dump might not hold a lock around the entire
dump, it's possible that iprop will queue an incremental update while
the dump is in progress. If a principal is deleted while the dump is
in progress, the dump could omit that principal, yet the deletion
event would still be queued in the ulog. Ignore that deletion without
generating an error.
This is the same basic change as for ticket #7753.
ticket: 7977
|
| |
|
|
|
| |
ticket: 7977 (new)
subject: Enable unlocked KDB iteration
|
| |
|
|
|
|
|
|
| |
Make struct k5buf less opaque and get rid of k5buf-int.h. Make it
easy to initialize a k5buf in an error state so that it can be freed
in a cleanup handler. Add a function k5_buf_status which returns 0 or
ENOMEM. Remove k5_buf_data and k5_buf_len. Rename k5_free_buf to
k5_buf_free. Adjust all callers to match.
|
| |
|
|
|
|
|
|
|
| |
Include autoconf.h (either directly or via proxy) before system
headers, so that feature test macros defined there can affect the
system namespace. Where include order was changed, eliminate some
redundant or unnecessary includes.
ticket: 7961
|
| |
|
|
|
|
| |
Replace most calls to krb5_set_error_message with k5_setmsg for
brevity. Leave alone plugin sources where we don't include k5-int.h
(mostly PKINIT).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Factor out most of ulog_add_update into a helper function named
store_update, and make ulog_add_update just responsible for assigning
a serial number and timestamp to the update before storing it. In
ulog_replay, use store_update and ulog_finish_update to add each
update to the ulog in addition to replaying it to the database. Don't
use incr_ret->lastentry to set kdb_last_sno/kdb_last_time, since it
will have been set properly by adding the individual updates; instead,
just reinitialize the ulog on error.
Slave ulogs use serial numbers provided from upstream, and thus do not
always begin at serial number 1 after a header reset. As a result, we
must: (A) in store_update, detect the first update (for which we must
assign kdb_first_sno/kdb_first_time) by comparing kdb_num to 0,
instead of by comparing the serial number to 1; (B) in store_update,
detect that we are overwriting the first update by comparing kdb_num
to ulogentries, instead of comparing the serial number to ulogentries;
and (C) in ulog_map, detect that ulogentries changed by verifying the
first and last serial number and timestamp against the actual ulog
entries, rather than simply comparing kdb_last_sno to kdb_num.
Based on code submitted by Richard Basch.
ticket: 7855
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Get rid of the caller parameter. The kproplog semantics (without -R)
for mapping the ulog are simple and almost completely different from
other users of the ulog, so implement them as a static helper in
kproplog. With hierarchical iprop, kpropd will need the same
semantics as FKCOMMAND and FKADMIND, which were already identical.
Get rid of the db_args parameter, since ulog_map no longer opens the
database after #7552.
Remove an inoperative lseek() call when creating a new ulog file.
Rename ulog_filesize to filesize and compute it from scratch each time
we use it, for easier analysis. If kdb_hmagic is zero, init the ulog
header but don't skip the rest of the function; it's possible that we
need to expand the ulog file. Remove an unneeded conditional before
calling extend_file_to for an existing ulog.
ticket: 7855
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Always lock the ulog when accessing it. We can currently get away
with some laxness on iprop slaves because they are mostly synchronous,
but hierarchical iprop will allow master and slave operations to take
place concurrently, requiring more strict locking.
Add new functions ulog_get_last and ulog_set_last, which access the
ulog header with locking, and use them in kdb5_util and kpropd. Add
locking to ulog_replay and ulog_init_header.
ulog_lock and ulog_sync_header are no longer used outside of kdb_log.c
after these changes, so make them static functions and remove the
ulog_ prefix. Add an unlock_ulog function for clarity.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new function ulog_get_sno_status, which checks a serial number
and timestamp against the ulog for currency. Use it in kdb5_util dump
and in ulog_get_entries. Adjust parse_iprop_header's contract in
dump.c to better match the ulog_get_sno_status contract.
This change causes some minor behavior differences. kadmind will
check for an empty ulog unless the last serial number matches exactly,
and will never set lastentry when returning UPDATE_FULL_RESYNC_NEEDED
(which was pointless). kdb5_util dump will recognize a dump file as
current if it exactly matches the last serial number, even if the ulog
is empty; it will be more robust in the presence of non-monotonic
clocks; and it will properly lock around the ulog access.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Since we are no longer treating the update log like a journal (#7552),
we don't need two-stage update logging. In kdb5.c, add an update log
entry after each DB change in one step, without getting an explicit
lock. In kdb_log.c, combine ulog_add_update with ulog_finish_update,
and make ulog_add_update lock the ulog internally.
This change avoids deadlock by removing the only cases where the ulog
is locked before the DB.
ticket: 7861
|
| |
|
|
|
| |
When t_stringattr.c was introduced, it wasn't added to EXTRADEPSRCS,
so no dependencies were created for it. Fix that now.
|
| |
|
|
|
|
|
| |
Call krb5_get_default_realm instead of directly accessing
context->default_realm, to remove the requirement that
krb5_get_default_realm or krb5_set_default_realm be used before
krb5_db_open.
|
| |
|
|
|
|
|
|
| |
ulog_get_entries does not access the KDB, only the ulog, so it does
not need a KDB lock; its read lock on the ulog is sufficient to
prevent logged updates from happening while it is running. There is
no reason to serialize against unlogged KDB updates such as those
performed by the KDC, as those do not affect the ulog.
|
| |
|
|
|
|
|
| |
Always map the ulog with FKCOMMAND, not FKLOAD which reinitializes the
ulog. Don't reinitialize the ulog until just before calling
krb5_db_promote(). Get rid of FKLOAD since it isn't needed any more;
we can just call ulog_init_header() manually.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Don't use "extern" for kdb_log.h prototypes.
* Avoid passing structures by value.
* Avoid the need to cast the result of the INDEX macro, and use char *
instead of unsigned long for pointer arithmetic.
* Reorganize kdb_log.c so static helpers are at the top and don't use
the "ulog_" prefix.
* Get rid of ulog_finish_update_slave since it's more concise to
open-code it in ulog_replay.
* Get rid of ulog_delete_update. In krb5_db_delete_principal, just
call ulog_add_update with kdb_deleted set in upd.
* Modernize coding style of kproplog.c. Use k5memdup0 instead of
snprintf in print_str to convert a byte range to a C string.
Remove an unnecesary textdomain call; libkrb5 takes care of calling
bindtextdomain in the library initializer.
* Modernize coding style of kpropd.c and kprop.c.
No functional changes.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If a process terminates in the middle of a logged database update, it
will release its lock and leave the ulog in the KDB_UNSTABLE state.
kadmind should notice this when it calls ulog_get_entries, but right
now it only checks for the KDB_CORRUPT state (which is never set any
more) and does not recover. Check for any state other than KDB_STABLE
and recover by resetting the ulog and forcing full resyncs to slaves.
ticket: 7853 (new)
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
|
|
| |
Add a unit test program named t_ulog. Make it map a ulog file, set up
header state where kdb_last_sno is the last serial number, and then
add an empty update. Check that the result is a ulog header with one
update at serial number 1.
ticket: 7839
|
| |
|
|
|
|
|
|
|
|
|
| |
When we wrap the serial number, reinitialize the ulog so that kdb_num
starts counting from 1, instead of leaving the ulog in a weird state
where kdb_num == ulogentries but kdb_last_sno == 1 and the serial
numbers in the circular array aren't necessarily contiguous.
ticket: 7839 (new)
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Many libc implementations include notations to the linker to generate
warnings upon references to mktemp(3), due to its potential for
insecure operation. This has been the case for quite some time,
as was noted in RT #6199. Our usage of the function has decreased
with time, but has not yet disappeared entirely. This commit
removes the last few instances from our tree.
kprop's credentials never need to hit the disk, so a MEMORY ccache
is sufficient (and does not need randomization).
store_master_key_list is explicitly putting keys on disk so as to
do an atomic rename of the stash file, but since the stash file
should be in a root-only directory, we can just use a fixed name
for the temporary file. When using this fixed name, we must detect
(and error out) if the temporary file already exists; add a test to
confirm that we do so.
ticket: 1794
|
| |
|
|
|
|
|
|
|
|
|
| |
The comment previously failed to match the behavior. The intent was
that if we failed to write out the entire stash file into the
temporary location, we should remove the partial file. However, the
code was actually checking whether the *real* stash file existed,
not whether the temporary one existed.
It is safe to always try to unlink the partial file, and not worry
about whether it already exists.
|
| |
|
|
|
|
|
|
|
|
|
| |
krb5_dbe_lookup_mkey_aux was decoding a 16-bit value directly into an
int, resulting in the wrong value on big-endian platforms. The
consequences are mostly invisible because we ignore this field and try
all mkey_aux nodes in krb5_def_fetch_mkey_list.
ticket: 7738 (new)
target_version: 1.12
tags: pullup
|
| |
|
|
|
|
|
|
|
|
| |
In add_key_pwd, initialize s2k_params to NULL inside the loop over
enctypes instead of outside the loop, so that if the afs3 salt type
is used it does not contaminate later enctype/salt pairs in the list.
ticket: 7733
tags: pullup
target_version: 1.12
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Starting with 1.7, databases are created with actkvno tl-data in the
K/M entry which gives the initial master key version an activation
time of 0. A database created before 1.7 will not have this tl-data,
but we should behave in the same way as we do for a more recent
database.
Move the actkvno list synthesis code from krb5_dbe_fetch_act_key_list
to krb5_dbe_lookup_actkvno so it applies to kdb5_util commands as well
as libkadm5. Synthesize the same list as we would have initialized
the KDB with, with an activation time of 0 for the earliest master
key.
ticket: 7686
target_version: 1.12
tags: pullup
|
| |
|
|
|
|
|
| |
Refactor krb5_dbe_find_act_mkey and make it reload the master key list
if it doesn't find a master key matching the active mkvno.
ticket: 7685
|
| |
|
|
|
|
|
|
| |
When we allocate space for an array of key_data structures, make sure
we allocate at least one, so we don't spuriously fail on platforms
where malloc(0) returns NULL. Where we use malloc, use k5calloc
instead. Where we use krb5_db_alloc or realloc, just allocate an
extra entry.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Provide default values in pre.in for PROG_LIBPATH, PROG_RPATH,
SHLIB_DIRS, SHLIB_RDIRS, and STOBJLISTS so that they don't have to be
specified in the common case. Rename KRB5_RUN_ENV and KRB5_RUN_VARS
to RUN_SETUP (already the most commonly used name) and RUN_VARS. Make
sure to use DEFINES for local defines (not DEFS). Remove some other
unnecessary makefile content.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Locking and unlocking a non-recursive mutex is a simple memory
operation and should not fail on any reasonable platform with correct
usage. A pthread mutex can return EDEADLK on lock or EPERM on unlock,
or EINVAL if the mutex is uninitialized, but all of these conditions
would reflect serious bugs in the calling code.
Change the k5_mutex_lock and k5_mutex_unlock wrappers to return void
and adjust all call sites. Propagate this change through
k5_cc_mutex_lock and k5_cc_mutex_unlock as well.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Found by clang's warnings.
ticket: 7591 (new)
target_version: 1.11.2
tags: pullup
|
| |
|
|
|
|
| |
Rename the krb5int_buf_ family of functions to use the k5_ prefix for
brevity. Reformat some k5buf implementation code to match current
practices.
|
| |
|
|
|
|
| |
Add k5-int.h static functions to duplicate byte ranges, optionally
with a trailing zero byte, and set an error code like k5alloc does.
Use them where they would shorten existing code.
|
| |
|
|
|
|
| |
Check the ulog pointer, which is a little more direct, rather than the
ulogfd field. (ulogfd is currently initialized to 0 prior to
ulog_map; we could fix that instead, but this feels simpler.)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The db2 DB is not power-fail safe. There's no point trying to
replay an incompletely committed entry from the ulog at kadmind
startup time. For that matter, even if the db2 DB was power-fail
safe there'd be no point replaying an uncommitted entry from the
ulog as the libkadm5srv app (nor any client of it, as in the case of
kadmind) will not have received any notice of success -- it'd be
wrong to complete that operation later when the user thought it'd
failed.
[ghudson@mit.edu: merge with master, adjust comment]
ticket: 7552 (new)
|
| |
|
|
|
|
|
|
| |
Since iprop cannot carry policy changes, force a full resync to happen
each time a policy change occurs. Based on a patch from
Richard Basch <basch@alum.mit.edu>.
ticket: 7522
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the master iprop log is reinitialized to serial number 0, slaves
will need to take a full dump--but after that happens, we need to know
whether the slave has taken that full dump, we we don't offering full
dumps indefinitely.
So, record a timestamp in kdb_last_time when we reinitialize the log
header, and compare the slave timestamp to kdb_last_time whenever it
has the current serial number, even if it's 0. Test this by
performing a propagation with sno 0 in t_iprop.py and detecting
whether kpropd gets a second UPDATE_FULL_RESYNC_NEEDED response from
kadmind.
ticket: 7550 (new)
|
| |
|
|
|
| |
ulog_get_entries had an unreachable branch which was removed during
de-indentation.
|
| |
|
|
|
|
|
|
|
|
|
| |
Add a helper predicate to determine whether to log operations. In the
predicate, check if the ulog is actually mapped. Use a single cleanup
label in krb5_db_put_principal. Use a cleanup label in
krb5_db_delete_principal instead of releasing resources individually
at each exit point. Avoid locking and unlocking the ulog if we're not
logging (although it would be a no-op).
Based on a patch from Nico Williams <nico@cryptonector.com>.
|
| |
|
|
|
| |
Mostly this gets rid of the trailing space on line 2 after
bb76891f5386526bdf91bc790c614fc9296cb5fa.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The initial k5test.py design, copied from the dejagnu suite, is to
create config files and environments for four expected roles: client,
server, master, and slave. This approach exaggerates the complexity
of the common case, where the configurations don't need to vary, and
limits us to having just one slave for kprop/iprop tests.
Instead, create just one configuration by default, and add a
special_env() method which sets up a differently configured
environment for the few test cases which need one. The run_as_*()
methods are collapsed into just run(), which accepts an optional
argument for the environment returned by special_env().
|
| |
|
|
|
|
|
| |
Since there is no overlap between the clpreauth and kdcpreauth
interface declarations, there's no particular reason to combine them
into one header. For backward compatibility and convenience, leave
behind a preauth_plugin.h which includes both.
|
| | |
|
| |
|
|
|
|
| |
We made two sets of incompatible changes to the DAL and libkdb5 API
during development for 1.11 (master key list simplification and policy
extensions), so increment the appropriate version numbers.
|
| |
|
|
|
|
| |
Not really: only when the KDB backend lacks a delete method. Still.
ticket: 7403
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If a kdb5_util load gets killed between rename()ing the new KDB file
into place and resetting the iprop ulog then the ulog can reflect the
pre-load state, which will almost certainly be incorrect.
This matters because we want to impose a timeout on full resyncs in
kpropd when iprop dictates that a full resync is needed, and the
simplest timeout scheme involves signaling the kdb5_util load process.
But also, we want no such races in general.
The fix is simple: re-initialize the ulog before renaming the new KDB
file into place, then proceed as usual. If the ulog is not properly
updated at the end of the load it will at least always result in
subsequent iprop get updates operations always indicating that a full
resync is required.
ticket: 7399
|