| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
| |
By setting the timeout based on the credetial's timeout we let the
system automatically cleanup expired credentials.
[ghudson@mit.edu: simplified code slightly]
ticket: 7769 (new)
target_version: 1.12
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The code follows the same model used for the memory ccache type. Time
offsets are stored in each credential cache in a special key just like
the principal name. Legacy session caches do not store timestamps as
legacy code would fail when iterating over the new offset key.
[ghudson@mit.edu: minor formatting changes; note legacy session
exception in commit message]
ticket: 7768 (new)
target_version: 1.12
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When parsing what should be a UID while resolving a KEYRING ccache
name, don't just depend on strtol() to set errno when the residual
that we pass to it can't be parsed as a number. In addition to
checking errno, pass in and check the value of an "endptr".
[ghudson@mit.edu: simplified slightly]
ticket: 7764 (new)
target_version: 1.12
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In ure.c, though k is a short, the literal 1 is of type 'int', and
so the operation 'k + 1' is performed at the (32-bit) width of int,
and therefore the "%d" format string is correct.
In accept_sec_context.c, the 'length' field of krb5_data is an
unsigned type, so checking for a negative value has no effect.
In net-server.c, the helper routine rtm_type_name() is only used
in code that is disabled with #if 0 conditionals; make the
definition also disabled in the same way to avoid warnings of an
unused function.
In kdc_authdata.c, equality checks in double parentheses elicit
a warning from clang. The double-parentheses idiom is normally used
to indicate that an assignment is being performed, but the value of
the assignment is also to be used as the value for the conditional.
Since assignment and equality checking differ only by a single
character, clang considers this worthy of a warning. Since the extra
set of parentheses is redundant and against style, it is correct to
remove them.
In several places (sim_server.c, dump.c, kdb5_destroy.c,
ovsec_kadmd.c), there are declarations of extern variables relating
to getopt() functionality that are now unused in the code. Remove
these unused variables.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The kprop code has been pretty unloved, and uses some routines that
are marked as deprecated (which show up as warnings in the build log).
Use the documented replacement for krb5_get_in_tkt_with_keytab,
krb5_get_init_creds_keytab, instead. As a bonus, there is no longer
a side effect of a credentials cache that needs to be destroyed.
The also-deprecated function krb5_get_in_tkt_with_skey was backending
to it when no keyblock was passed in; we can unroll the call to
krb5_get_init_creds_keytab ourselves as the documented workaround.
While here, improve style compliance with regards to cleanup.
The setkey test just wants to know whether it can use the key it
just put into a keytab to get credentials; as such the recommended
krb5_get_init_creds_keytab is quite sufficient.
While here, use that interface to request the particular enctype
as well, reducing the scope of an XXX comment.
ticket: 6366
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
draft-ietf-krb-wg-pkinit-alg-agility-07 specifies
KDC_ERR_NO_ACCEPTABLE_KDF as 82, but this value conflicts with
KRB_AP_ERR_PRINCIPAL_UNKNOWN from RFC 6111. The former value has been
reassigned to 100 to fix the conflict. Use the correct value.
We believe that this error won't crop up in practice for a long time
(when SHA-2 has been superceded by other hash algorithms and people
are desupporting it), by which time implementations will mostly have
been upgraded to use the new value.
ticket: 7715 (new)
target_version: 1.12
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Per project http://k5wiki.kerberos.org/wiki/Projects/Audit
The purpose of this project is to create an Audit infrastructure to monitor
security related events on the KDC.
The following events are targeted in the initial version:
- startup and shutdown of the KDC;
- AS_REQ and TGS_REQ exchanges. This includes client address and port, KDC
request and request ID, KDC reply, primary and derived ticket and their
ticket IDs, second ticket ID, cross-realm referral, was ticket renewed and
validated, local policy violation and protocol constraints, and KDC status
message.
Ticket ID is introduced to allow to link tickets to their initial TGT at any
stage of the Kerberos exchange. For the purpose of this project it is a private
to KDC ticket ID: each successfully created ticket is hashed and recorded
into audit log. The administrators can correlate the primary and derived
ticket IDs after the fact.
Request ID is a randomly generated alpha-numeric string. Using this ID an
administrator can easily correlate multiple audit events related to a single
request. It should be informative both in cases when the request is sent to
multiple KDCs, or to the same KDC multiple times.
For the purpose of testing and demo of the Audit, the JSON based modules are
implemented: "test" and "simple" audit modules respectively.
The file plugins/audit/j_dict.h is a dictionary used in this implememtations.
The new Audit system is build-time enabled and run-time pluggable.
[kaduk@mit.edu: remove potential KDC crashes, minor reordering]
ticket: 7712
target_version: 1.12
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the keyctl command is found and klist recognizes the KEYRING
credential cache type, then run several tests against keyring ccaches:
the collection test program in lib/krb5/ccache, the command-line
collection tests in tests/t_ccache.py, and some new tests to verify
legacy session cache behavior. Much of the Python code in t_ccache.py
is moved into a new function named "collection_test" so we can run it
once against a DIR collection and once against a KEYRING collection.
Also: fix a memory leak in the collection test program; add a test for
iteration when the default cache name is a subsidiary name; use a
process keyring ccache in t_cc.c to avoid leaving behind empty
collections in the session keyring after each test run.
Adapted from a patch by simo@redhat.com.
ticket: 7711
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for the new anchor names persistent, user, and session.
The persistent anchor attempts to use a persistent keyring for a
specified uid, and falls back to the user keyring if it cannot; the
collection is stored at a fixed name within the persistent or user
keyring. The session anchor uses the session keyring without legacy
semantics.
For all keyring types except legacy, attempt to use the "big_key" key
type on systems which have keyctl_get_persistent. (They are
essentially unrelated features, but were added at the same time.)
This key type is stored in a kernel tmpfs and can store larger
tickets.
Since kernel commit 96b5c8fea6c0861621051290d705ec2e971963f1, new keys
created by add_key() only have VIEW permission for the user, and the
rest of the permissions require "possession," which means there is a
path from the thread, process, or session keyring to the key. For the
user and persistent anchor types, we link the collection into the
process keyring to ensure that we have a possession rights on the
collection.
Adapted from a patch by simo@redhat.com.
ticket: 7711
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Augment the KEYRING ccache type to support collection semantics
similar to those of the DIR type. For keyrings with no anchor prefix,
maintain compatibility with old code by linking the initial primary
cache directly from the session keyring and naming it after the
collection.
See http://k5wiki.kerberos.org/wiki/Projects/Keyring_collection_cache
for more information. Adapted from a patch by simo@redhat.com.
ticket: 7711 (new)
|
| |
|
|
|
|
|
|
|
|
| |
Consistently use "cache_name" and "cache_id" to talk about the name
and ID of the keyring containing the cache. In krb5_krcc_resolve, use
"residual" for the residual string as we are no longer using it for
the cache keyring name, and use "anchor_id" for the keyring identified
by the prefix to make it clear that it is not the cache keyring.
Adapted from a patch by simo@redhat.com.
|
| |
|
|
|
|
|
|
|
|
| |
If we resolve a KEYRING cache and the key does not exist, wait until
initialize time to create it, to avoid wasting precious kernel memory
on a cache which might not ever be created. Properly error out if
store_cred or start_seq_get is called on an uninitialized cache, as we
would for a FILE cache.
Adapted from a patch by simo@redhat.com.
|
| |
|
|
|
|
| |
Create a new test program in lib/krb5/ccache named t_cccol.c which
verifies collection semantics using the API. Run it with an empty DIR
collection in t_cccol.py.
|
| |
|
|
|
| |
Make krb5int_random_string() function available outside ccache code.
Move it into a separate file under lib/krb5/krb hierarchy.
|
| |
|
|
|
|
|
|
| |
If dns_canonicalize_hostname is set to false in [libdefaults],
krb5_sname_to_principal will not canonicalize the hostname using
either forward or reverse lookups.
ticket: 7703 (new)
|
| |
|
|
|
|
|
|
|
|
| |
This code can be simplified (and a potential race avoided) by using
keyctl_read_alloc() and letting it allocate the necessary memory.
This also allows to remove a helper function that is not used anymore
as well as make the code more readable. The only penalty is that we
have two allocations instad of one.
[ghudson@mit.edu: trivial simplifications]
|
| |
|
|
|
|
|
|
|
| |
numkeys is never really used in the single cache data structure.
Every time a new iteration is started, numkeys is recalculated anyway,
and then only the copy held in the cursor is used. Remove it from the
cache data and keep it only in the cursor.
[ghudson@mit.edu: clarified commit message]
|
| |
|
|
|
|
|
| |
This feature was intended to be used by gssd to access users' keyring
credentials, but it was never used.
[ghudson@mit.edu: clarified commit message]
|
| |
|
|
|
|
|
|
|
|
|
| |
krb5_cc_get_name() should allow the caller to reconstruct the full
cache name. That is not possible if thread: and process: are omitted
here. (The saved name is not used by anything except
krb5_krcc_get_name, so this change is safe.)
[ghudson@mit.edu: proofread and clarified commit message]
ticket: 7692 (new)
|
| |
|
|
|
|
|
|
|
|
| |
Support credentials larger than 4K in cc_keyring.c by calculating the
payload size in one pass, allocating a buffer of precisely the right
size, and then unparsing into that buffer.
[ghudson@mit.edu: squashed two commits; rewrote message; added length
field instead of doing pointer arithmetic on null pointers; used
proper English comments and clarified what code they apply to.]
|
| |
|
|
|
|
|
| |
Move the remaining internal functions from hst_realm.c to hostrealm.c,
and get rid of hst_realm.c.
ticket: 7687
|
| |
|
|
|
|
|
|
|
| |
Reimplement krb5_get_host_realm, krb5_get_fallback_host_realm, and
krb5_get_default_realm in terms of the hostrealm interface. Three
built-in modules (dns, domain, and profile) implement the current
behavior.
ticket: 7687
|
| |
|
|
| |
ticket: 7687 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
It has been unconditionally activated by all supported build systems
for almost two years, and no complaints or issues have been reported.
In particular, aclocal.m4 has had an unconditional AC_DEFINE() since
3d708e55 in 2003, and win-pre.in has unconditionally set KRB5_USE_DNS_KDC
since 17ffebf7 in 2011.
While here, simplify some other DNS conditionals in win-pre.in where
only one branch was ever taken.
ticket: 7691 (new)
|
| |
|
|
|
| |
localauth modules were not freed by krb5_free_context(), causing a
memory leak.
|
| |
|
|
|
|
| |
Rename krb5_try_realm_txt_rr (an internal function despite the name)
and add a context parameter. Generate trace logs when we successfully
look up a record and when a record is not found.
|
| | |
|
| |
|
|
|
|
|
| |
The credential serialization functions do not operate on a ccache, so
do not need it as an argument.
[ghudson@mit.edu: clarified commit message, rewrapped shortened lines]
|
| |
|
|
| |
Based on a patch from simo@redhat.com.
|
| |
|
|
|
|
|
| |
The commented code in question is present in set_conn_state_msg_length
which is called immediately after the comments.
[ghudson@mit.edu: clarified commit message]
|
| |
|
|
|
|
|
| |
This field is redundant with addr.type.
[ghudson@mit.edu: removed extraneous changes; clarified commit
message]
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add wrappers for the JSON-oriented APIs for PKINIT responder items,
modeled after the API we provide for OTP items:
* krb5_responder_pkinit_get_challenge() returns the list of
identities for which we need PINs
* krb5_responder_pkinit_challenge_free() frees the structure that
was returned by krb5_responder_pkinit_get_challenge()
* krb5_responder_pkinit_set_answer() sets the answer to the PIN for
one of the identities
[ghudson@mit.edu: style cleanup; added comment pointing to main body
of PKINIT module]
ticket: 7680
|
| |
|
|
|
| |
Wherever we use k5alloc with a multiplication in the size parameter,,
use the new k5calloc helper function instead.
|
| |
|
|
|
| |
The previous few commits introduced a couple of bugs where variables
could be used without being initialized. Fix them.
|
| |
|
|
|
|
|
| |
Register built-in localauth modules in the order we want them used by
default, and document accordingly.
ticket: 7665
|
| |
|
|
|
|
|
|
| |
Rewrite the plugin internals so that modules have a well-defined
order--either the order of enable_only tags, or dynamic modules
followed by the built-in modules in order of registration.
ticket: 7665 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In the k5_sendto code for reading from a TCP socket, detect
end-of-stream when reading the length. Otherwise we can get stuck in
an infinite loop of poll() and read().
[ghudson@mit.edu: commit message]
ticket: 7508
target_version: 1.11.4
tags: pullup
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Calculate request timestamps each time we encode a request, and use
the adjusted current time when calculating them, including adjustments
resulting from preauth-required errors early in the AS exchange.
As a side effect, this reverts one of the changes in commit
37b0e55e21926c7875b7176e24e13005920915a6 (#7063); we will once again
use the time adjustment from any ccache we read before the AS
exchange, if we don't have a more specific adjustment from a
preauth-required error.
Based on a patch from Stef Walter.
ticket: 7657 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Create helper functions to set the request nonce and to set the
request timestamp. Don't bother picking a nonce in
restart_init_creds_loop since we will just pick a new one in
init_creds_step_request. Create a library-internal function to get
the current time with possible adjustment from a preauth-required
error. Only set ctx->request_time in one place (just before encoding
each request). Remove unused parameters from stash_as_reply.
Partially based on a patch from Stef Walter.
|
| |
|
|
|
|
|
|
|
|
| |
Commit 37b0e55e21926c7875b7176e24e13005920915a6 (#7063) prevented
clock skew caused by preauth delay by recording the time of the
initial request. However, it failed to take into account delay
between requests due to prompting during preauthentication. Fix this
by recording the request time for each request.
ticket: 7656 (new)
|
| |
|
|
|
|
|
|
|
|
|
| |
If we make multiple requests in an initial creds exchange, the
krb5_sendto_kdc call in k5_init_creds_get may flip the use_master
value from 0 to 1 if it detects that the response was from a master
KDC. Don't turn this into a requirement for future requests during
the same exchange, or we may have trouble following AS referrals.
Reported by Sumit Bose.
ticket: 7650
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
In the gak_data value used by krb5_get_as_key_password, separate the
already-known password from the storage we might have allocated to put
it in, so that we no longer use an empty data buffer to determine
whether we know the password. This allows empty passwords to work via
the API.
Remove the kadm5 test which explicitly uses an empty password.
Based on a patch from Stef Walter.
ticket: 7642
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Acceptor Names project (#6855) extended krb5_rd_req so that it can
accept a "matching principal" in the server parameter. If the
matching principal has an empty realm, rd_req_decoded_opt attempted to
do transited checking with an empty server realm.
To fix this, always reset server to req->ticket->server for future
processing steps if we decrypt the ticket using a keytab.
decrypt_ticket replaces req->ticket->server with the principal name
from the keytab entry, so we know this name is correct.
Based on a bug report and patch from nalin@redhat.com.
ticket: 7639
target_version: 1.11.3
tags: pullup
|
| |
|
|
|
|
|
|
|
|
| |
Create macros to declare a DNS search handle, initialize a handle,
perform a search, and destroy a handle. On OS X, use the native
dns_open, dns_search, and dns_free functions, since using the res_*
interfaces may not contact the correct servers. On systems with
res_ninit, use res_nclose if we don't have res_ndestroy.
Based on a patch by Nate Rosenblum.
|
| |
|
|
|
|
|
|
|
| |
Provide default values in pre.in for PROG_LIBPATH, PROG_RPATH,
SHLIB_DIRS, SHLIB_RDIRS, and STOBJLISTS so that they don't have to be
specified in the common case. Rename KRB5_RUN_ENV and KRB5_RUN_VARS
to RUN_SETUP (already the most commonly used name) and RUN_VARS. Make
sure to use DEFINES for local defines (not DEFS). Remove some other
unnecessary makefile content.
|
| |
|
|
|
| |
Catch a few stragglers that missed the memo that k5_mutex_lock
cannot fail, and sprinkle some cc-int.h as needed.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Locking and unlocking a non-recursive mutex is a simple memory
operation and should not fail on any reasonable platform with correct
usage. A pthread mutex can return EDEADLK on lock or EPERM on unlock,
or EINVAL if the mutex is uninitialized, but all of these conditions
would reflect serious bugs in the calling code.
Change the k5_mutex_lock and k5_mutex_unlock wrappers to return void
and adjust all call sites. Propagate this change through
k5_cc_mutex_lock and k5_cc_mutex_unlock as well.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When building for IOS targets with clang, the stdbool.h header is
included by default. This header includes the following C99
definition:
#define bool _Bool
which wrecks havoc with the DEFBOOLTYPE macro.
ticket: 7525
|
| |
|
|
|
|
|
|
|
|
|
|
| |
We want to generate a KRB5_AP_ERR_TKT_EXPIRED code when the TGT is
expired, like we would if we tried the TGT against the KCD. To make
this work, separate the helpers for getting local and crossrealm
cached TGTs. For a crossrealm TGT, match against the endtime, as
there could be multiple entries. For a local TGT, find any match, but
check if it's expired. The cache_code field is no longer needed after
this change, so get rid of it.
ticket: 6948
|
