| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
|
|
|
| |
Include autoconf.h (either directly or via proxy) before system
headers, so that feature test macros defined there can affect the
system namespace. Where include order was changed, eliminate some
redundant or unnecessary includes.
ticket: 7961
|
| |
|
|
|
|
|
|
| |
Take advantage of the strerror_r portability wrapper to simplify code
using it. Remove unused macros related to strerror_r in
ldap_service_stash.c and plugins.c.
ticket: 7961
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Remove code to set or reference the length fields of socket addresses
(sa_len/sin_len/sin6_len), since they aren't portable and setting them
is not required. Remove autoconf tests for those fields which are no
longer used or which were never used.
There is one exception: in localaddr.c, we still neeed to reference
sa_len for the definition of ifreq_size on platforms which have
sa_len. Leave that behind, along with the autoconf test which defines
SA_LEN.
|
| |
|
|
|
|
|
| |
In socket-utils.h, replace the socklen macro with an inline function
sa_socklen which always uses the address family, even on platforms
with the sa_len sockaddr field. This removes the need to set sa_len
in socket addresses we construct.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If krb5_get_tgs_ktypes fails (due to an out-of-memory condition or an
error re-reading the profile), k5_make_tgs_req will dereference a null
pointer. Check the return value before dereferencing defenctypes.
[ghudson@mit.edu: clarified commit message]
ticket: 7952 (new)
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If krb5_encrypt_keyhelper() returns an error, the ciphertext structure
may contain a non-zero length, but it will already have freed the
pointer to its data, making encrypt_credencpart()'s subsequent attempt
to clear and free the memory fail. Remove that logic.
Based on a patch from Jatin Nansi.
ticket: 7948 (new)
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
| |
Get rid of the address union. Store the result of get_cert_cn in a
signed variable so we can meaningfully check for negative results.
Make get_cert_cn return int for consistency with
X509_NAME_get_text_by_NID and its two callers.
Also add an emacs mode line to the top of the file.
ticket: 7929
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
profile_flush_to_buffer, profile_flush_to_file, profile_free_buffer,
profile_init_flags, and profile_init_vtable are all public profile
functions, but are inaccessible to libkrb5 applications on some
platforms because they were never added to the export list. Add them
now.
(libprofile functions have never been part of the Windows DLL export
list, so do not change krb5_32.def at this time.)
ticket: 7930 (new)
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
|
|
| |
After krb5_rd_req_decoded or krb5_rd_req_decoded_anyflag, the ticket
(with enc_part2 if we could decrypt it) is accessible via
request->ticket; there is no need to copy it. Stop using the ticket
parameter of those functions. Where we need to save the ticket beyond
the lifetime of the krb5_ap_req, steal the pointer before freeing the
request.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fix KDC logging to include client principal in TGS_REQ logging even
during error conditions such as "Ticket expired". As long as the
TGS_REQ can be decrypted and the client principal is available, it
should be included in the log, regardless of other errors which might
be detected.
krb5_rd_req_decoded and krb5_rd_req_decoded_anyflag (not public
interfaces) now leave the decrypted ticket in req->ticket->enc_part2
on success or failure, if the ticket was successfully decrypted. This
does not affect the behavior of krb5_rd_req.
[ghudson@mit.edu: removed extraneous change, added commit message
summary and description of internal API change, fixed possible memory
leak, removed comment and #if 0 code block of purely historical
interest]
ticket: 7910
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Per the ASN.1 definition, the KrbKey salt field is optional. Since
1.7, we have been treating it as mandatory in the encoder; since 1.11,
we have been treating it as mandatory in the decoder. Mostly by luck,
we have been encoding a salt type of 0 when key_data_ver is 1, but we
really should not be looking at key_data_type[1] or key_data_length[1]
in this situation. Treat the salt field as optional in the encoder
and decoder. Although the previous commit ensures that we continue to
always encode a salt (without any dangerous assumptions about
krb5_key_data constructors), this change will allow us to decode key
data encoded by 1.6 without salt fields.
This also fixes issue #7918, by properly setting key_data_ver to 2 if
a salt type but no salt value is present. It is difficult to get the
decoder to actually assign 2 to key_data_ver just because the salt
field is there, so take care of that in asn1_decode_sequence_of_keys.
Adjust kdbtest.c to match the new behavior by setting key_data_ver to
2 in both test keys.
ticket: 7919
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
| |
Replace most calls to krb5_set_error_message with k5_setmsg for
brevity. Leave alone plugin sources where we don't include k5-int.h
(mostly PKINIT).
|
| |
|
|
|
| |
It wasn't being used and it added too much complexity to the
error-handling functions.
|
| |
|
|
|
|
|
|
| |
When we connect to a KDC using an HTTPS proxy, check that the naming
information in the certificate matches the name or address which we
extracted from the server URL in the configuration.
ticket: 7929
|
| |
|
|
|
|
|
|
| |
Add an http_anchors per-realm setting which we'll apply when using an
HTTPS proxy, more or less mimicking the syntax of its similarly-named
PKINIT counterpart. We only check the [realms] section, though.
ticket: 7929
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add an 'HTTPS' transport type which connects to an [MS-KKDCP] proxy
server using HTTPS to communicate with a KDC. The KDC's name should
take the form of an HTTPS URL (e.g. "https://proxybox/KdcProxy").
An HTTPS connection's encryption layer can be reading and writing when
the application layer is expecting to write and read, so the HTTPS
callbacks have to handle being called multiple times.
[nalin@redhat.com: use cleanup labels, make sure we always send the
realm name, keep a copy of the URI on-hand, move most of the
conditionally-compiled sections into their own conditionally-built
functions, break out HTTPS request formatting into a helper function,
handle the MS-KKDCP length bytes, update comments to mention specific
versions of the MS-KKDCP spec, differentiate TCP and HTTP trace
messages, trace unparseable responses]
ticket: 7929
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Switch to using per-transport-type functions when a socket that we're
using to communicate with a server becomes readable or writable, and add
them as pointers to the connection state. The functions are passed the
name of the realm of the server being contacted, as we expect to need
this in the near future.
[nalin@redhat.com: replace macros with typedefs]
[nalin@redhat.com: compare transports with TCP_OR_UDP rather than with 0]
ticket: 7929
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Handle encoding and decoding [MS-KKDCP] proxy messages, including
handling of the additional length bytes. Early versions of [MS-KKDCP]
incorrectly omit that the size of the proxied message is prepended to
the proxied message, as it is when we're using plain TCP, before
encoding the proxy-message structure. This is fixed at least as of
version 2.1 of the spec.
[nalin@redhat.com: add tests]
ticket: 7929
|
| |
|
|
|
|
|
|
|
| |
Add a --with-proxy-tls-impl option to configure, taking 'openssl',
'auto', or invocation as --without-proxy-tls-impl. Use related CFLAGS
when building lib/krb5/os, and LIBS when linking libkrb5. Call the
OpenSSL library startup functions during library initialization.
ticket: 7929
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In k5_sendto and k5_locate_server, replace "socktype" parameters with
a new enumerator k5_transport, so that we can add new transports which
are not in the socket type namespace. Control the order in which we
make connections of different types using a new k5_transport_strategy
enumerator, to simplify the logic for adding new transports later.
Control the result of k5_locate_server with a no_udp boolean rather
than a socket type.
[ghudson@mit.edu: renamed type to k5_transport; k5_locate_server
no_udp change; clarified commit message; fix for Solaris getaddrinfo]
[kaduk@mit.edu: name variables of type k5_transport 'transport']
[nalin@redhat.com: use transport rather than sock_type in more places,
add and use k5_transport_strategy, update the test program]
ticket: 7929
|
| |
|
|
|
|
| |
Add a new function k5_kdc_is_master in locate_kdc.c to determine
whether a KDC matches one of the masters, and use it in
krb5_sendto_kdc.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Get rid of the "x" member of conn_state, which used to be a union
but hasn't been since r14742.
* Define a structure type for the "out" member of conn_state.
* Rename incoming_krb5_message to incoming_message for brevity.
* Make the "pos" member of incoming_message an offset instead of a
pointer, simplifying several present and future computations.
* Use "in" and "out" aliases to the conn_state in and out members
where it improves brevity.
* Rename set_conn_state_msg_length to set_transport_message and give
it a descriptive comment.
* Call set_transport_message from start_connection only, instead of
once in add_connection and perhaps again in start_connection. To
make this possible, pass the original message argument to maybe_send
and start_connection.
* Use make_data and empty_data helpers where appropriate.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bison 3 removed support for YYPARSE_PARAM and YYLEX_PARAM, breaking
x-deltat.y. Use %parse-param and %lex-param instead. (In Bison 3 we
could use just %param, but that doesn't work in 2.x.) The parameter
added by %parse-param is also passed to yyerror, so adjust the macro
we use to suppress yyerror accordingly.
Also use "%define api.pure" instead of "%pure_parser", which was
deprecated in bison 2.3b. (The correct spelling was actually
"%pure-parser", and bison 3 generates a warning about the underscore
spelling.)
Regenerate deltat.c using the new x-deltat.y and bison 3.0.2.
ticket: 7923
|
| |
|
|
|
|
|
| |
Commit 5f4a4d7d357fedac5feadc65c09ecf487ff98db8 removed the only
unconditional assignment of ret in get_time_offsets, causing the
function to return an uninitialized value if nothing goes wrong.
Initialize ret at declaration time to fix this.
|
| |
|
|
|
|
|
| |
t_marshal.c attempts to skip the version 1 and 2 tests on big-endian
platforms, but didn't do so correctly. Correctly start at version 3
on big-endian platforms, and change the way we do it to avoid
preprocessor conditionals inside a function body.
|
| |
|
|
|
|
|
| |
Replace the cc_keyring.c credential and principal marshalling
functions with calls to the ccmarshal.c functions. Simplify the
remaining parsing functions (for the index and time offsets) and fold
the resulting code into the calling functions where appropriate.
|
| |
|
|
|
|
|
|
|
|
|
| |
Replace the cc_file.c credential and principal marshalling and
unmarshalling functions with calls to the ccmarshal.c functions. For
unmarshalling, we still need code to read the appropriate amount of
data into a memory buffer. Because there is no outer length header
for principals and credentials, this code needs to understand the
credential and principal representations, but is much simpler than the
old code as it only needs to store the data it reads, not assemble a
data structure.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rename functions not to use the krb5_ prefix, and to use the fcc_ or
krcc_ prefixes only for ccache method implementations. Use shorter
function comments and add missing comments in some cases. Remove
forward declarations where they aren't needed. Use native types
(uint16_t, void *, etc.) in preference to Kerberos type wrappers. Use
"ret" as the variable name for krb5_error_code return values. Use 0
instead of KRB5_OK. Make whitespace conform to current practice.
Remove old #if 0 blocks. Don't cast to and from void * or between
integer types when C guarantees an implicit cast. Use literal 2 and 4
for the size of fixed-width 16-bit and 32-bit types.
In cc_file.c, rewrite the header comment to specify the header format
as updated by version 4 and refer to ccmarshal.c for the principal and
credential format. Also add a helper function to return the cache
version as an integer from 1 to 4, allowing more concise version
checks.
|
| |
|
|
|
|
|
| |
Add a new ccache test program t_marshal.c which verifies the new
marshalling functions and also the FILE ccache type against the
expected representations of the ccache header, default principal, and
credentials.
|
| |
|
|
|
|
|
| |
Add a new file ccmarshal.c containing functions to marshal and
unmarshal credentials in file formats version 1-4. These will replace
the functions in cc_file.c and cc_keyring.c, and can be used for KCM
in the future.
|
| |
|
|
|
|
|
|
| |
Adjust the internal abstractions so that decrypt_encpart is
responsible for the fallback from receiving subkey to session key, and
krb5_rd_cred is responsible for decoding and calling decrypt_encpart.
Rename krb5_rd_cred_basic to make_cred_list since it is now only
responsible for constructing the list.
|
| |
|
|
|
|
|
|
|
| |
If an error occurs in the for loop in krb5_rd_cred_basic (which should
only happen on an ENOMEM), do not leave the caller with a dangling
reference to the freed credential array.
ticket: 7908 (new)
target_version: 1.12.2
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Revert #6291, which attempts to suppress duplicate credentials by
calling krb5_cc_remove in krb5_cc_store_cred. Most of our ccache
types don't implement remove_cred, and avoiding duplicate credentials
is a responsibility better suited to the ccache implementation for
atomicity reasons.
Removing this call gets rid of the misleading "Removing ... from ..."
messages in trace logs.
ticket: 7906 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When krb5_rd_req cannot decrypt a ticket, try to produce the most
helpful diagnostic we can, and return an error code which corresponds
to the most applicable Kerberos protocol error. Add a trace log
containing the error message for ticket decryption failures, in case
the application server does not log it.
Add new tests to cover krb5_rd_req error messages and adjust existing
tests to match the new messages. Also adjust svc_auth_gssapi.c to
look for KRB5KRB_AP_ERR_NOT_US instead of KRB5KRB_AP_WRONG_PRINC.
ticket: 7232
|
| |
|
|
|
| |
k5_change_error_message_code allows an extended error message to be
used when an error code is remapped.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Where we have ATHENA.MIT.EDU stanzas in sample or test krb5.conf files
which define kdc entries, also define a master_kdc entry. Remove
default_domain and v4_instance_convert entries in examples as they are
only needed for krb5/krb4 principal conversions. In the krb5_conf.rst
example, remove enctype specifications as we don't want to encourage
their use when they aren't necessary, and remove a redundant
domain_realm entry.
ticket: 7901 (new)
|
| |
|
|
|
|
| |
Treat POLLHUP without POLLIN or POLLOUT as an exception in the poll
version of cm_get_ssflags, to correctly handle TCP connection errors
on OS X.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move get_curtime_ms and the cm functions near the top of the file
right after structure definitions. Except for cm_select_or_poll,
define each cm function separately for poll and for select, since the
implementations don't share much in common. Instead of
cm_unset_write, define cm_read and cm_write functions to put an fd in
read-only or write-only state. Remove the ssflags argument from
cm_add_fd and just expect the caller to make a subsequent call to
cm_read or cm_write. Always select for exceptions when using select.
(Polling for exceptions is implicit with poll).
With these changes, we no longer select/poll for reading on a TCP
connection until we are done writing to it. So in service_tcp_fd,
remove the check for unexpected read events.
|
| |
|
|
|
|
|
|
|
|
|
| |
POSIX defines getopt to be declared in unistd.h, and HP-UX (as of
version 11.31) does not appear to have getopt.h. In test programs
which currently include getopt.h and aren't currently built on
Windows, include unistd.h or just assume we will get it via k5-int.h.
ticket: 7894 (new)
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
In krb5_salttype_to_string, output the salt type name we would
recognize as input.
In the output of getprinc, display the enctype and salt type in a form
we would accept--either enctype:salttype if the salt type is not the
default, or just the enctype if it is.
Update t_mkey.py and t_salt.py to expect the new output format.
Update documentation examples to show the new format.
ticket: 5958
|
| |
|
|
|
|
|
|
|
|
|
| |
The definition of SAFE_GETUINT16 mistakenly uses "p" instead its ptr
parameter in three places, which happens to work because all current
invocations of the macro use "p" as the ptr argument. Fix it to
correctly use the ptr parameter.
[ghudson@mit.edu: commit message]
ticket: 6845
|
| |
|
|
|
|
|
|
| |
When parsing port numbers, we previously attempted to conditionalize use
of strtoul() on whether or not it was available, falling back to atoi()
instead, but we did so in a way that would always fall back to using
atoi(). We also call strtoul() from elsewhere without that condition,
so we don't gain anything by trying to be careful about it here.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Don't check the address of the kpasswd server when parsing the reply
we received from it. If the server's address was modified by a proxy
or other network element, the user will be incorrectly warned that the
password change failed when it succeeded. The check is unnecessary as
the kpasswd protocol is not subject to a reflection attack.
[ghudson@mit.edu: edit commit message]
ticket: 7886 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When we go to decrypt a ticket using a keytab, we have two code paths.
In the first (traditional) one, we try to read an entry that exactly
matches the principal name, enctype, and kvno from the ticket, and then
attempt to decrypt the ticket using the entry's key. The keytab
routines helpfully return an entry so long as it's of a key type that's
compatible with the ticket being decrypted, fixing up the enctype in the
entry structure while doing so, allowing us to decrypt a DES-CBC-CRC
ticket with a DES-CBC-MD5 key.
In the second code path, we try the key of every entry which loosely
matches the principal name from the ticket and which exactly matches its
enctype, meaning that the ticket/keytab pair above won't work if the
principal name is one which suggests we shouldn't be matching entries
exactly.
This change modifies the "any" path to also try to decrypt the ticket
with compatible keys.
[ghudson@mit.edu: avoid stuffing too much logic in one conditional]
ticket: 7883 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Currently, per-request preauth module data is only cleared when we
successfully obtain initial credentials. Make sure to clear it at the
end of the operation even if we failed to get creds.
[ghudson@mit.edu: expanded commit message]
ticket: 7793
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When copying most of the credentials from one cache to another in
copy_creds_except (called from get_vfy_cred, from
krb5_verify_init_creds), we need to free all of the credentials that
we read, not just the ones we copied.
[ghudson@mit.edu: edited commit message]
ticket: 7875 (new)
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When we get an KRB5_KDC_UNREACH error back from k5_sendto, we check if
the err variable we passed for use by our message handler has been set
to KDC_ERR_SVC_UNAVAILABLE. If k5_sendto doesn't receive any
response, though, the handler isn't called, so we're reading an
uninitialized variable. Initialize it to a value other than
KDC_ERR_SVC_UNAVAILABLE to be sure.
[ghudson@mit.edu: initialize err just before calling k5_sendto; edit
commit message]
ticket: 7874 (new)
target_version: 1.12.2
tags: pullup
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The current extended gic option facility violates strict aliasing, is
not nestable (gic_opt_to_opte cannot be used on an extended options
structure casted back to krb5_get_init_creds_options), and requires
callers to use error-prone conversion functions.
Rewrite this code to use a new structure private to gic_opt.c, which
contains a krb5_get_init_creds_opt structure as its first member. We
can cast between the extended structure and its first element without
violating strict aliasing (C99 6.7.2.1 paragraph 13 and the aggregate
type clause of 6.5 paragraph 7). Define internal accessor functions
for the extended option fields. Replace all uses of krb5_gic_opt_ext
in callers with krb5_get_init_creds_opt and the new accessors. Bring
krb5_get_init_creds_opt_set_pa back into gic_opt.c (reverting
faa810c5b59fa33d9f7db837c5bb88df5436bb30) so that all of the code
which accesses the extended options structure can be in one file.
ticket: 6034
|
