| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
| |
When parsing port numbers, we previously attempted to conditionalize use
of strtoul() on whether or not it was available, falling back to atoi()
instead, but we did so in a way that would always fall back to using
atoi(). We also call strtoul() from elsewhere without that condition,
so we don't gain anything by trying to be careful about it here.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Don't check the address of the kpasswd server when parsing the reply
we received from it. If the server's address was modified by a proxy
or other network element, the user will be incorrectly warned that the
password change failed when it succeeded. The check is unnecessary as
the kpasswd protocol is not subject to a reflection attack.
[ghudson@mit.edu: edit commit message]
ticket: 7886 (new)
|
| |
|
|
|
|
|
|
|
|
|
| |
Some applications write a profile file and then immediately use it via
a krb5_context. If we have a cached copy of the profile we wrote,
make sure to update it by forcing a stat when we reuse an existing
prf_data_t object.
[ghudson@mit.edu: commit message]
ticket: 7884
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When we go to decrypt a ticket using a keytab, we have two code paths.
In the first (traditional) one, we try to read an entry that exactly
matches the principal name, enctype, and kvno from the ticket, and then
attempt to decrypt the ticket using the entry's key. The keytab
routines helpfully return an entry so long as it's of a key type that's
compatible with the ticket being decrypted, fixing up the enctype in the
entry structure while doing so, allowing us to decrypt a DES-CBC-CRC
ticket with a DES-CBC-MD5 key.
In the second code path, we try the key of every entry which loosely
matches the principal name from the ticket and which exactly matches its
enctype, meaning that the ticket/keytab pair above won't work if the
principal name is one which suggests we shouldn't be matching entries
exactly.
This change modifies the "any" path to also try to decrypt the ticket
with compatible keys.
[ghudson@mit.edu: avoid stuffing too much logic in one conditional]
ticket: 7883 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After searching for a cross-realm TGS entry to provide to a client as a
referral, if we're all set to return a success code but aren't actually
returning an entry, we should be returning an error. We might not do so
because we don't compare the right value against NULL.
This corrects an error in a redundant check in the patch for
CVE-2013-1417. The error in the check cannot occur in practice
because the other part of the patch for CVE-2013-1417 prevents it, but
static analyzers can flag the erroneous check.
[tlyu@mit.edu: edit commit message]
ticket: 7881 (new)
tags: pullup
target_version: 1.12.2
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In pkinit_as_req_create, create and encode stack-allocated auth-pack
structures containing only alias pointers, instead of heap-allocated
structures containing a mix of alias pointers, owner pointers, and
appropriated caller memory. Keep everything we temporarily allocate
in separate local variables and free them through those variables.
In pa_pkinit_gen_req, use safer memory practices to avoid problems
like issue #7878. Free the checksum since pkinit_as_req_create no
longer takes ownership it. Remove a broken overly defensive check
after calling pkinit_as_req_create.
Remove init_krb5_auth_pack and init_krb5_auth_pack_draft9 as they are
no longer required.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In pa_pkinit_gen_req, if the cleanup handler is reached with non-zero
retval and non-null out_data, out_data is freed, then dereferenced,
then freed again. This can only happen if one of the small fixed-size
malloc requests fails after pkinit_as_req_create succeeds, so it is
unlikely to occur in practice.
ticket: 7878 (new)
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Replace util_ordering.c with a new file util_seqstate.c, implemented
using a bitmap of previously received sequence numbers instead of a
20-element circular queue. This approach has slightly different
limitations--it can check for replays for values within 64 of the
expected next number, where the old code could check within the range
of the last 20 received numbers regardless of how far apart they are.
The new approach should work as well or better for any realistic
packet reordering scenario.
ticket: 7879 (new)
|
| |
|
|
|
|
|
|
|
|
| |
Use an opaque structure type instead of a void pointer for the
sequence number state. Rename all functions to use a g_seqstate
prefix rather than a mix of g_order and g_queue. Remove the
unneccessary indirection from the state object parameter in
g_seqstate_check and g_seqstate_free. Return OM_uint32 where we
return a GSS major code, long where we return an errno value, and void
where we can't fail.
|
| |
|
|
| |
ticket: 7872
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Since #2040, the dummy queue element inserted by g_order_init no
longer compares less than the initial sequence number, so we fail when
the first few sequence numbers are received out of order. Properly
detect when a sequence number fits between the dummy element and the
first real queue element.
[ghudson@mit.edu: rewrote commit message]
ticket: 7872
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Currently, per-request preauth module data is only cleared when we
successfully obtain initial credentials. Make sure to clear it at the
end of the operation even if we failed to get creds.
[ghudson@mit.edu: expanded commit message]
ticket: 7793
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When copying most of the credentials from one cache to another in
copy_creds_except (called from get_vfy_cred, from
krb5_verify_init_creds), we need to free all of the credentials that
we read, not just the ones we copied.
[ghudson@mit.edu: edited commit message]
ticket: 7875 (new)
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When we get an KRB5_KDC_UNREACH error back from k5_sendto, we check if
the err variable we passed for use by our message handler has been set
to KDC_ERR_SVC_UNAVAILABLE. If k5_sendto doesn't receive any
response, though, the handler isn't called, so we're reading an
uninitialized variable. Initialize it to a value other than
KDC_ERR_SVC_UNAVAILABLE to be sure.
[ghudson@mit.edu: initialize err just before calling k5_sendto; edit
commit message]
ticket: 7874 (new)
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
| |
Don't delete gssapi_krb5.h now that it is not generated.
[ghudson@mit.edu: also remove from generate-files-mac rule and from
.gitignore]
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The current extended gic option facility violates strict aliasing, is
not nestable (gic_opt_to_opte cannot be used on an extended options
structure casted back to krb5_get_init_creds_options), and requires
callers to use error-prone conversion functions.
Rewrite this code to use a new structure private to gic_opt.c, which
contains a krb5_get_init_creds_opt structure as its first member. We
can cast between the extended structure and its first element without
violating strict aliasing (C99 6.7.2.1 paragraph 13 and the aggregate
type clause of 6.5 paragraph 7). Define internal accessor functions
for the extended option fields. Replace all uses of krb5_gic_opt_ext
in callers with krb5_get_init_creds_opt and the new accessors. Bring
krb5_get_init_creds_opt_set_pa back into gic_opt.c (reverting
faa810c5b59fa33d9f7db837c5bb88df5436bb30) so that all of the code
which accesses the extended options structure can be in one file.
ticket: 6034
|
| |
|
|
| |
ticket: 7868
|
| |
|
|
|
|
|
|
|
|
|
| |
If we try to change the password in rb5_get_init_creds_password, we
must use all application-specified gic options which affect
preauthentication when getting the kadmin/changepw ticket. Create a
helper function make_chpw_options which copies the application's
options, unsets the options we don't want, and sets options
appropriate for a temporary ticket.
ticket: 7868
|
| |
|
|
|
|
| |
ticket: 7866
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
|
|
| |
The LDAP debug level option (#7551) causes a build failure with the
Solaris LDAP library, which does not have LDAP_OPT_DEBUG_LEVEL.
ticket: 7870 (new)
target_version: 1.12.2
tags: pullup
|
| |
|
|
| |
Revert r16428 now that gssapi_krb5.h is in the source tree.
|
| |
|
|
|
|
|
|
| |
Since we no longer prefix an "#include <stdint.h>" in the gssapi.h
preamble at build time, include it in gssapi.hin.
Update util/gss/kernel-lib/Makefile.in to account for gssapi_krb5.h
being in the source tree.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Revert #7384, as there are no longer policy refcounts. For iprop
dumps we want to make sure that the reported serial number matches the
DB state (although we could perhaps relax that requirement with enough
analysis), but for non-iprop dumps we don't need any transactional
guarantees.
Also use the correct constant name for the locking mode (the numeric
value is the same, fortunately), and only unlock the database if we
successfully locked it.
ticket: 7869 (new)
|
| |
|
|
|
| |
Directly use stdint.h names for integer types in preference to the
various internal names we have made up for them.
|
| |
|
|
|
|
|
| |
We started generating gssapi_krb5.h from gssapi_krb5.hin when we
needed to use a 64-bit type for lucid contexts. Since we can now
assume a standard name for 64-bit types, we can stop generating the
header.
|
| |
|
|
|
| |
Remove uitypes.h and just include stdint.h; all we need from it is
uint{8,16,32}_t.
|
| |
|
|
|
|
|
| |
Make unconditional use of <stdint.h> and fixed-width types such as
uint32_t. k5-plugin.h doesn't use any special integer types, so
remove the conditional include block there. Nothing uses
INT64_FMT/UINT64_FMT, so leave those out of k5-platform.h for now.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Augment kpropd's debugging output so we can see the starting and
ending serial numbers of a sync, and check them in t_iprop.py's
wait_for_prop to make sure we're observing the correct sync each time.
Try to make sure we only send SIGUSR1 when kpropd is actually
sleeping, by waiting for it to print its pre-sleep message to stderr
after a full dump and after each sync. This isn't perfect, as there
is a short window between printing to stderr and actually sleeping,
but we can't do any better until kpropd has a more reliable mechanism
for triggering immediate updates.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If configure gets run with --sysconfdir=/etc, "/etc/krb5.conf" shows
up twice in the profile path, which causes its contents to be read
twice. This can cause some confusing and possibly problematic
behavior.
Add some logic to configure.in to avoid adding the duplicate entry for
"/etc/krb5.conf".
Reported independently by Denis Vlasenko and Fredrik Tolf.
ticket: 3277
tags: pullup
target_version: 1.12.2
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Check the ulog more thoroughly after each operation, including the
principal names we expect in each update entry. Verify that the slave
ulog contains actual update entries received from master. Add a
second slave which receives updates from the first. Test a wider
variety of principal operations. Add two additional operations after
the full resync to test that incremental updates resume after a full
resync (albeit with some lag).
ticket: 7855
|
| |
|
|
|
|
|
|
|
|
| |
The -A option causes kpropd to contact a specified admin server
(normally an intermediate slave running kadmind -proponly) instead of
the master admin server.
Based on code submitted by Richard Basch.
ticket: 7855
|
| |
|
|
|
|
|
|
|
|
|
| |
The -proponly option causes kadmind to only service the iprop service,
not the kpasswd or kadmin services. An intermediate slave in a
hierarchical iprop setup runs kadmind -proponly in order to provide
incremental updates to downstream slaves.
Based on code submitted by Richard Basch.
ticket: 7855
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Factor out most of ulog_add_update into a helper function named
store_update, and make ulog_add_update just responsible for assigning
a serial number and timestamp to the update before storing it. In
ulog_replay, use store_update and ulog_finish_update to add each
update to the ulog in addition to replaying it to the database. Don't
use incr_ret->lastentry to set kdb_last_sno/kdb_last_time, since it
will have been set properly by adding the individual updates; instead,
just reinitialize the ulog on error.
Slave ulogs use serial numbers provided from upstream, and thus do not
always begin at serial number 1 after a header reset. As a result, we
must: (A) in store_update, detect the first update (for which we must
assign kdb_first_sno/kdb_first_time) by comparing kdb_num to 0,
instead of by comparing the serial number to 1; (B) in store_update,
detect that we are overwriting the first update by comparing kdb_num
to ulogentries, instead of comparing the serial number to ulogentries;
and (C) in ulog_map, detect that ulogentries changed by verifying the
first and last serial number and timestamp against the actual ulog
entries, rather than simply comparing kdb_last_sno to kdb_num.
Based on code submitted by Richard Basch.
ticket: 7855
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Get rid of the caller parameter. The kproplog semantics (without -R)
for mapping the ulog are simple and almost completely different from
other users of the ulog, so implement them as a static helper in
kproplog. With hierarchical iprop, kpropd will need the same
semantics as FKCOMMAND and FKADMIND, which were already identical.
Get rid of the db_args parameter, since ulog_map no longer opens the
database after #7552.
Remove an inoperative lseek() call when creating a new ulog file.
Rename ulog_filesize to filesize and compute it from scratch each time
we use it, for easier analysis. If kdb_hmagic is zero, init the ulog
header but don't skip the rest of the function; it's possible that we
need to expand the ulog file. Remove an unneeded conditional before
calling extend_file_to for an existing ulog.
ticket: 7855
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Always lock the ulog when accessing it. We can currently get away
with some laxness on iprop slaves because they are mostly synchronous,
but hierarchical iprop will allow master and slave operations to take
place concurrently, requiring more strict locking.
Add new functions ulog_get_last and ulog_set_last, which access the
ulog header with locking, and use them in kdb5_util and kpropd. Add
locking to ulog_replay and ulog_init_header.
ulog_lock and ulog_sync_header are no longer used outside of kdb_log.c
after these changes, so make them static functions and remove the
ulog_ prefix. Add an unlock_ulog function for clarity.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add a new function ulog_get_sno_status, which checks a serial number
and timestamp against the ulog for currency. Use it in kdb5_util dump
and in ulog_get_entries. Adjust parse_iprop_header's contract in
dump.c to better match the ulog_get_sno_status contract.
This change causes some minor behavior differences. kadmind will
check for an empty ulog unless the last serial number matches exactly,
and will never set lastentry when returning UPDATE_FULL_RESYNC_NEEDED
(which was pointless). kdb5_util dump will recognize a dump file as
current if it exactly matches the last serial number, even if the ulog
is empty; it will be more robust in the presence of non-monotonic
clocks; and it will properly lock around the ulog access.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Since we are no longer treating the update log like a journal (#7552),
we don't need two-stage update logging. In kdb5.c, add an update log
entry after each DB change in one step, without getting an explicit
lock. In kdb_log.c, combine ulog_add_update with ulog_finish_update,
and make ulog_add_update lock the ulog internally.
This change avoids deadlock by removing the only cases where the ulog
is locked before the DB.
ticket: 7861
|
| |
|
|
|
|
|
|
|
|
| |
The built-in word list is not long enough for all of the libdb2 tests
to run properly. Revert d21a86e47a7cda29225013e08d060095b94b2ee7 and
go back to using the system dictionary if we find one. However, omit
any lines from the chosen word list which contain non-alphabetical
characters.
ticket: 7860
|
| |
|
|
|
|
|
|
|
| |
The optimizer in gcc 4.8.1 (but not the current gcc head revision)
breaks the queue.h CIRCLEQ macros, apparently due to an overzealous
strict aliasing deduction. Use TAILQ macros in the libdb2 mpool code
instead.
ticket: 7860
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Generally we want KDC status strings to be concise, informative and follow
some common rules:
- All letters in the status string should be capitalized;
- the words in the status phrase are separated by underscore;
- abbreviations should be avoided. Some acceptable "standard" acronyms
are AS_REQ, TGS_REP etc.
- since in almost all cases KDC status is set on error, no need
to state this fact as part of the status string;
- KDC status string should be an imperative phrase.
For example, "DECRYPT_SERVER_KEY".
This commit is to modify some KDC status messages to follow this format.
Even though KDC status messages are not standardized, it is possible that some
administrators use them in the Kerberos log file processing. Hence, the vast
majority of them are left unchanged pending further investigation (mostly,
feedback from the administrators).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Although RFC 6806 Section 7 requires servers to indicate a client
referral in a WRONG_REALM message, Microsoft Windows Server 2003
returns this information in a message with error code
PRINCIPAL_UNKNOWN. Failure to follow the referral in these messages
prevents referral chasing in Windows Server 2003 forests. Detect
referral messages of this type by checking for a non-empty
client.realm field in the response, and activate the referral logic in
these cases.
[tlyu@mit.edu: style, comments, and commit message]
ticket: 7856 (new)
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
| |
When t_stringattr.c was introduced, it wasn't added to EXTRADEPSRCS,
so no dependencies were created for it. Fix that now.
|
| |
|
|
|
|
|
|
|
| |
The system dictionary may contain entries with punctuation, which can
confuse the shell. It's more predictable to always use the word list
from the source tree.
ticket: 7860
status: open
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sam2_process accesses gak_data to get the password, so that it can do
string-to-key with the etype in the SAM-2 challenge. When #7642
changed gic_pwd.c to use struct gak_password instead of krb5_data,
sam2_process wasn't altered to match. We don't see a problem when the
password is read through the prompter (as with kinit), because the
password winds up in the storage field at the beginning of the
gak_password structure. But when a password is supplied as a
parameter (as with ksu), the storage field is empty and we get the
wrong answer from sam2_process.
ticket: 7862
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
| |
Call krb5_get_default_realm instead of directly accessing
context->default_realm, to remove the requirement that
krb5_get_default_realm or krb5_set_default_realm be used before
krb5_db_open.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Some system configurations expect Unix-domain sockets to live under
/run or /var/run, and not other parts of /var where persistent
application state lives. Define a new directory KDC_RUN_DIR using
$runstatedir (new in autoconf 2.70, so fall back to $localstatedir/run
if it's not set) and use that for the default socket path.
[ghudson@mit.edu: commit message, otp.rst formatting fix]
ticket: 7859 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In t_spnego.c, add code to make a SPNEGO request with the erroneous
Microsoft OID value and examine the response to make sure that it uses
the same OID value as the request did. The token and tmp variables
were unused, so rename them to itok and atok for the purpose of the
new test code.
ticket: 7858
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
r25590 changed negotiate_mech() to return an alias into the acceptor's
mech set, with the unfortunate side effect of transforming the
erroneous Microsoft krb5 mech OID into the correct krb5 mech OID,
meaning that we answer with a different OID than the requested one.
Return an alias into the initiator's mech set instead, and store that
in mech_set field the SPNEGO context. The acceptor code only uses
mech_set to hold the allocated storage pointed into by internal_mech,
so this change is safe.
ticket: 7858
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
|
| |
ulog_get_entries does not access the KDB, only the ulog, so it does
not need a KDB lock; its read lock on the ulog is sufficient to
prevent logged updates from happening while it is running. There is
no reason to serialize against unlogged KDB updates such as those
performed by the KDC, as those do not affect the ulog.
|
