| Commit message | Author | Age | Files | Lines |
|
Supply a callback to PEM_read_bio_PrivateKey() using the prompter to
request a password for encrypted PEM data. Otherwise OpenSSL will use
the controlling terminal.
[ghudson@mit.edu: minor style cleanup, commit message]
ticket: 7590
|
If db_args is non-null but empty, status could be returned without
being initialized; gcc with optimization correctly warns about this,
causing a build failure. (This bug was introduced by
0b1dc2f93da4c860dd27f1ac997617b712dff383 which was pushed after the
1.11 release branch, so it isn't in any release.)
|
This unnecessary include was causing build failures on some systems by
making libkrb5 sources depend on gssapi.h.
|
Create a test module, program, and script to exercise the
krb5_aname_to_localname and krb5_k5userok functions as well as the
localauth pluggable interface.
ticket: 7583
|
ticket: 7585
|
Remove variables and labels which are no longer needed.
|
Don't dereference a null pointer when cleaning up.
The KDC plugin for PKINIT can dereference a null pointer when a
malformed packet causes processing to terminate early, leading to
a crash of the KDC process. An attacker would need to have a valid
PKINIT certificate or have observed a successful PKINIT authentication,
or an unauthenticated attacker could execute the attack if anonymous
PKINIT is enabled.
CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:P/RL:O/RC:C
This is a minimal commit for pullup; style fixes in a followup.
[kaduk@mit.edu: reformat and edit commit message]
ticket: 7570 (new)
target_version: 1.11.1
tags: pullup
|
Rename the krb5int_buf_ family of functions to use the k5_ prefix for
brevity. Reformat some k5buf implementation code to match current
practices.
|
Add k5-int.h static functions to duplicate byte ranges, optionally
with a trailing zero byte, and set an error code like k5alloc does.
Use them where they would shorten existing code.
|
Make dec_password a static function in ldap_service_stash.c and remove
some impedance mismatch with krb5_ldap_readpassword() by making it
operate on C strings and return a krb5_error_code.
|
The LDAP KDB module has some code to interpret {FILE} values in stash
files, and set the service_cert_path/pass fields in the ldap context.
But there was no code to actually use those values to do client cert
authentication, so it wasn't useful. Remove the partial
implementation.
|
Use the oerr parameter to fetch the existing message. Stop handling
oerr == 0, since no call sites were using it. Free the old error
message before returning.
|
Add a DB option in the LDAP KDB module to turn on debugging messages.
Adapted from a patch by Zoran Pericic <zpericic@inet.hr>.
ticket: 7551 (new)
|
krb5_ldap_open and krb5_ldap_create contain two large, almost
identical blocks of DB option processing code. Factor it out into a
new function krb5_ldap_parse_db_params in ldap_misc.c, and simplify
the factored-out code. Create a helper function to add server entries
and use it to simplify krb5_ldap_read_server_params as well as DB
option parsing. Since the new DB option helper uses isspace instead
of isblank, we no longer require portability goop for isblank.
|
Mostly this gets rid of the trailing space on line 2 after
bb76891f5386526bdf91bc790c614fc9296cb5fa.
|
Stop using and maintaining the policy_refcnt field, and do not try to
prevent deletion of a policy which is still referenced by principals.
Instead, allow principals to refer to policy names which do not exist
as policy objects; treat those principals as having no associated
policy.
In the kadmin client, warn if addprinc or modprinc tries to reference
a policy which doesn't exist, since the server will no longer error
out in this case.
ticket: 7385
|
populate_krb5_db_entry() performs a subsidiary LDAP search to load the
password policy, which it uses to update the pw_expiration field.
This has some minimal value (it causes pw_expiration values in
principals to auto-update whenever the pw_max_life field of a policy
changes), but it's complicated, expensive, and inconsistent with the
DB2 back end. Get rid of it.
ticket: 7535 (new)
|
Correct three cases where the wrong expression was checked to see if
an allocation function returned null.
[ghudson@mit.edu: commit message, patch splitting]
ticket: 7534
target_version: 1.11.1
tags: pullup
|
An error case in __bt_first would dereference a null pointer. This is
an old upstream BDB bug. Use a separate variable to hold the result
of mpool_get() until it has been checked. Reported by Nickolai
Zeldovich <nickolai@csail.mit.edu>.
ticket: 7511
|
Nothing was using KRB5_KDB_SRV_TYPE_PASSWD, so get rid of it.
(kpasswdd is part of kadmind and interacts with the KDB using
KRB5_KDB_SRV_TYPE_ADMIN.)
|
ldap_realm.c had some code intended to handle a
krbTicketPolicyReference from a krbRealmContainer object, but there
wasn't enough of it to ever do anything. Remove it.
|
Outside of krb5_ldap_read_krbcontainer_params and
krb5_ldap_create_krbcontainer, no fields of
krb5_ldap_krbcontainer_params were used except for the DN. There was
code to create a krbTicketPolicyReference attribute (which would fail
because the schema doesn't allow that attribute, and was never
exercised because kdb5_ldap_util would never set the parameter) and to
read fields like max ticket life from the referenced ticket policy,
but those fields were never used.
Eliminate the structure and just store the container DN in
krb5_ldap_context. Continue creating the container object when
creating a realm (by calling krb5_ldap_create_krbcontainer
unconditionally; it now exits successfully if the container already
exists), but don't ever read it.
|
krb5_ldap_put_principal contained some conditionals for the case where
entry->princ is NULL, but only after entry->princ was dereferenced
unconditionally. It's not necessary to handle this case, so don't.
|
Since there is no overlap between the clpreauth and kdcpreauth
interface declarations, there's no particular reason to combine them
into one header. For backward compatibility and convenience, leave
behind a preauth_plugin.h which includes both.
|
Don't check for an agility KDF identifier in the non-draft9 reply
structure when we're building a draft9 reply, because it'll be NULL.
The KDC plugin for PKINIT can dereference a null pointer when handling
a draft9 request, leading to a crash of the KDC process. An attacker
would need to have a valid PKINIT certificate, or an unauthenticated
attacker could execute the attack if anonymous PKINIT is enabled.
CVSSv2 vector: AV:N/AC:M/Au:N/C:N/I:N/A:P/E:P/RL:O/RC:C
[tlyu@mit.edu: reformat comment and edit log message]
ticket: 7506 (new)
target_version: 1.11
tags: pullup
|
In kdc_util.c and spnego_mech.c, error returns from ASN.1 length
functions could be ignored because they were assigned to unsigned
values. In spnego_mech.c, two buffer size checks could be rewritten
to reduce the likelihood of pointer overflow. In dump.c and
kdc_preauth.c, calloc() could be used to simplify the code and avoid
multiplication overflow. In pkinit_clnt.c, the wrong value was
checked for a null result from malloc(), and the code could be
simplified.
Reported by Nickolai Zeldovich <nickolai@csail.mit.edu>.
ticket: 7488
|
Modify ldap_filter_correct() to quote special characters for DN
strings as well as filters, since it is already used to quote a DN
string in krb5_ldap_name_to_policydn() and there's no harm in
over-quoting. In krb5_ldap_put_principal(), quote the unparsed
principal name for use in DNs we choose. In
krb5_ldap_create_password_policy(), use the policy name for the CN of
the policy entry instead of the (possibly quoted) first element of the
DN.
Adapted from a patch by Jim Shi <hanmao_shi@apple.com>.
ticket: 7296
|
PA_PSEUDO only has meaning for kdcpreauth modules. Don't use it in
the flags method of the pkinit clpreauth module.
|
* Keep track of the names of client identities when we load them.
* Store the client identity we just used when we create or retry a
client request.
* If we read a client identity from the configuration, treat it like the
KDC does: pick the "this is it, there is no other" logic branch.
|
The old man pages are gone, so we can't install them anymore.
Also clean up install and install-unix targets that were installing
the old man pages by hand.
|
In the db2 kdb module, use blocking locks for the policy DB as well as
the principal DB.
ticket: 7359
|
We generate man pages from RST sources now; they are checked into
the tree in src/man/.
The gen-manpages directory is no longer needed.
|
Update to generate and consume signed-data with no signer-info, which we
need for anonymous PKINIT.
|
Create an NSS context for use when performing KDF, so that the tests,
which call into the function directly, will work.
|
Print a debug message if we're unable to locate the matching private key
for a certificate when we've just loaded both of them from PEM files.
|
Reset the prompt_types list immediately after the prompter callback
returns, as is done everywhere else.
|
This function wasn't used anywhere. Also remove the declaration for
osa_adb_close_policy(), which doesn't exist.
|
The lock inconsistency fixed here is quite possibly the same as
described in https://bugzilla.redhat.com/show_bug.cgi?id=586032 .
The problem is that ctx_unlock() fails to unlock the principal DB if
it fails to unlock the policy DB, and this happens when ctx_lock()
fails to lock the policy DB (likely because the caller is racing
against a kdb5_util load, which will be using a "permanent" lock,
meaning that the lock file will be unlinked after acquiring the
lock). The fix is to perform both unlock operations *then* handle
any errors that either or both might have returned.
Additionally, we don't really need or want to use non-blocking locks,
and we certainly don't want to sleep(1) in krb5kdc (possibly several
times, as there was a loop over this) when either of the principal or
policy DB is locked. Some callers still request non-blocking locks,
and ctx_lock() still honors this.
ticket: 7360 (new)
|
We don't really need or want to use non-blocking locks, and we certainly
don't want to sleep(1) in krb5kdc (possibly several times, as there was
a loop over this) when either of the principal or policy DB is locked.
Some callers still request non-blocking locks, and ctx_lock() still
honors this.
ticket: 7359 (new)
|
ticket: 7223
|
This simply adds KADM5_API_VERSION_4 and various fields to the
policy structures:
- attributes (policy-ish principal attributes)
- max_life (max ticket life)
- max_renewable_life (max ticket renewable life)
- allowed_keysalts (allowed key/salt types)
- TL data (future policy extensions)
Of these only allowed_keysalts is currently implemented.
Some refactoring of TL data handling is also done.
ticket: 7223 (new)
|
Use a helper function add_policy_mods() in
krb5_ldap_create_password_policy() and krb5_ldap_put_password_policy()
to avoid duplicating code for each field.
|