| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
* Get rid of the "x" member of conn_state, which used to be a union
but hasn't been since r14742.
* Define a structure type for the "out" member of conn_state.
* Rename incoming_krb5_message to incoming_message for brevity.
* Make the "pos" member of incoming_message an offset instead of a
pointer, simplifying several present and future computations.
* Use "in" and "out" aliases to the conn_state in and out members
where it improves brevity.
* Rename set_conn_state_msg_length to set_transport_message and give
it a descriptive comment.
* Call set_transport_message from start_connection only, instead of
once in add_connection and perhaps again in start_connection. To
make this possible, pass the original message argument to maybe_send
and start_connection.
* Use make_data and empty_data helpers where appropriate.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Bison 3 removed support for YYPARSE_PARAM and YYLEX_PARAM, breaking
x-deltat.y. Use %parse-param and %lex-param instead. (In Bison 3 we
could use just %param, but that doesn't work in 2.x.) The parameter
added by %parse-param is also passed to yyerror, so adjust the macro
we use to suppress yyerror accordingly.
Also use "%define api.pure" instead of "%pure_parser", which was
deprecated in bison 2.3b. (The correct spelling was actually
"%pure-parser", and bison 3 generates a warning about the underscore
spelling.)
Regenerate deltat.c using the new x-deltat.y and bison 3.0.2.
ticket: 7923
|
| |
|
|
|
|
|
|
|
|
| |
Directly accessing the result field of Tcl_Interp has been deprecated
for a long time, requires a special define in Tcl 8.6, and will be
impossible in Tcl 9. Use Tcl_SetResult instead. The new error
messages are less helpful than the old ones, but this is just support
infrastructure for old tests, so it isn't important.
ticket: 7924
|
| |
|
|
|
|
|
| |
Commit 5f4a4d7d357fedac5feadc65c09ecf487ff98db8 removed the only
unconditional assignment of ret in get_time_offsets, causing the
function to return an uninitialized value if nothing goes wrong.
Initialize ret at declaration time to fix this.
|
| |
|
|
|
|
|
|
|
|
|
| |
The CK_TOKEN_INFO label field is defined to be zero-filled, but it may
not be zero-terminated if all bytes of the field are used. Use only
length-counted operations to process it. Also avoid underrunning the
buffer pointer if the label is empty or contains only whitespace.
ticket: 7917
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
| |
Passing invalid slot IDs to C_OpenSession can cause some PKCS #11
implementations (such as the Solaris one) to crash. If a PKINIT
identity specifies a slotid, use it to filter the result of
C_GetSlotList, but don't try it if it does not appear in the list.
ticket: 7916
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
GSSAPI functions are responsible for setting their output parameters
on failure. Take greater care to do so in krb5_gss_display_name.
The mechglue is generally defensive about initializing variables used
as outputs, and not assuming that mechs will set them on failure.
Make gssint_convert_name_to_union_name initialize
union_name->external_name before calling mech->gss_display_name, so
that if the mech's gss_display_name doesn't touch it, we don't free an
uninitialized pointer.
Either one of these changes prevents an unlikely memory bug which
could occur if krb5_gss_init_context fails within
krb5_gss_display_name when called from
gssint_convert_name_to_union_name.
ticket: 7915 (new)
target_version: 1.12.2
|
| |
|
|
|
|
| |
ticket: 7911
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
In addition to loading /etc/gss/mech, glob for *.conf files in
/etc/gss/mech.d. Load only config files which have changed since the
highest mtime we saw in the previous scan. Scan at most once per
second to avoid excessive numbers of filesystem syscalls for busy
GSSAPI applications.
[ghudson@mit.edu: rewrote commit message; style changes; added
once-per-second throttle on glob/stat calls]
ticket: 7882 (new)
|
| |
|
|
|
|
|
|
| |
The stat check in gss_indicate_mechs had no consequent and would have
been redundant with logic in updateMechList if it did.
[ghudson@mit.edu: elaborated commit message; removed unused
g_mechSetTime and now-irrelevant comment]
|
| |
|
|
|
|
|
| |
Prior to ticket 7892 it would use the default host/ principal
when no principal was given on the command line.
ticket: 7892
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When the normal (acceptor) keytab is being used to obtain initial
credentials, it is reasonable to use the default hostbased service
principal (host/fully.qualified.localhost.domain) when no client
principal is given. This behavior is not very reasonable when
the default client keytab is being used, as host/ credentials are
not normally client credentials.
Make kinit -i match up with the GSS-API behavior when client keytabs
are in use, using the name of the first entry in the keytab when
no name is explicitly given.
ticket: 7892
|
| |
|
|
|
|
|
|
|
|
|
|
| |
krb5int_c_combine_keys is used only by SAM-2 preauth with neither the
send-encrypted-sad nor use-sad-as-key flags, so it isn't covered by
any automated function tests. Add some unit tests to make sure that
it works and returns the expected results for two randomly generated
test vectors.
ticket: 7914
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When krb5int_c_combine_keys was updated to use the new crypto
interface, a small bug was introduced. It turns out the temporary
keyblock created needs to have its enctype set; otherwise, when
krb5int_derive_keyblock() is called later, it will fail with
KRB5_BAD_ENCTYPE.
ticket: 7914
target_version: 1.12.2
tags: pullup
|
| |
|
|
| |
The principal/principle confusion strikes again.
|
| |
|
|
|
|
|
| |
Matching Subject Alternative Name from certificate with
pkinit_kdc_hostname value from krb5.conf should disregard case.
ticket: 7913 (new)
|
| |
|
|
|
|
|
|
|
|
|
| |
If the OTP configuration for a principal contains invalid JSON, the
KDC OTP module calls k5_json_get_tid on a null pointer, causing the
KDC process to crash. Fix this bug by checking the return value of
k5_json_decode in decode_config_json.
ticket: 7912 (new)
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
| |
t_marshal.c attempts to skip the version 1 and 2 tests on big-endian
platforms, but didn't do so correctly. Correctly start at version 3
on big-endian platforms, and change the way we do it to avoid
preprocessor conditionals inside a function body.
|
| |
|
|
|
|
|
| |
Replace the cc_keyring.c credential and principal marshalling
functions with calls to the ccmarshal.c functions. Simplify the
remaining parsing functions (for the index and time offsets) and fold
the resulting code into the calling functions where appropriate.
|
| |
|
|
|
|
|
|
|
|
|
| |
Replace the cc_file.c credential and principal marshalling and
unmarshalling functions with calls to the ccmarshal.c functions. For
unmarshalling, we still need code to read the appropriate amount of
data into a memory buffer. Because there is no outer length header
for principals and credentials, this code needs to understand the
credential and principal representations, but is much simpler than the
old code as it only needs to store the data it reads, not assemble a
data structure.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rename functions not to use the krb5_ prefix, and to use the fcc_ or
krcc_ prefixes only for ccache method implementations. Use shorter
function comments and add missing comments in some cases. Remove
forward declarations where they aren't needed. Use native types
(uint16_t, void *, etc.) in preference to Kerberos type wrappers. Use
"ret" as the variable name for krb5_error_code return values. Use 0
instead of KRB5_OK. Make whitespace conform to current practice.
Remove old #if 0 blocks. Don't cast to and from void * or between
integer types when C guarantees an implicit cast. Use literal 2 and 4
for the size of fixed-width 16-bit and 32-bit types.
In cc_file.c, rewrite the header comment to specify the header format
as updated by version 4 and refer to ccmarshal.c for the principal and
credential format. Also add a helper function to return the cache
version as an integer from 1 to 4, allowing more concise version
checks.
|
| |
|
|
|
|
|
| |
Add a new ccache test program t_marshal.c which verifies the new
marshalling functions and also the FILE ccache type against the
expected representations of the ccache header, default principal, and
credentials.
|
| |
|
|
|
|
|
| |
Add a new file ccmarshal.c containing functions to marshal and
unmarshal credentials in file formats version 1-4. These will replace
the functions in cc_file.c and cc_keyring.c, and can be used for KCM
in the future.
|
| |
|
|
|
|
|
|
|
| |
Add a header containing a declaration for struct k5input and static
inline functions to use it. A k5input structure can be used to safely
extract bytes and integers from a fixed-sized input buffer without
overrunning the buffer. It supports deferred error checking (similar
to k5buf) by returning dummy values and storing a status value in the
input structure.
|
| |
|
|
|
| |
Add a new k5_buf method to make room in the buffer for the caller to
fill in.
|
| |
|
|
|
|
|
|
| |
Adjust the internal abstractions so that decrypt_encpart is
responsible for the fallback from receiving subkey to session key, and
krb5_rd_cred is responsible for decoding and calling decrypt_encpart.
Rename krb5_rd_cred_basic to make_cred_list since it is now only
responsible for constructing the list.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
During a SPNEGO negotiation, if the NTLMSSP mechanism is used and a
MIC is produced within the final initiator mechanism token, Microsoft
servers require a mechlistMIC even if NTLMSSP was the most preferred
mechanism.
In spnego_mech.c, add a helper function mech_requires_mechlistMIC
which queries the mechanism to determine whether we might need to
produce a mechlistMIC for interoperability. Call it after each call
to the mechanism's gss_init_sec_context and set sc->mic_reqd if it
returns true. Although only the second call to NTLMSSP will actually
ever return true, the first call makes the mechanism aware that the
SPNEGO implementation supports this feature.
[ghudson@mit.edu: clarified commit message and code]
ticket: 7907 (new)
|
| |
|
|
|
|
|
|
|
| |
If an error occurs in the for loop in krb5_rd_cred_basic (which should
only happen on an ENOMEM), do not leave the caller with a dangling
reference to the freed credential array.
ticket: 7908 (new)
target_version: 1.12.2
|
| |
|
|
|
|
|
| |
If the GSSAPI context has an unrecognized proto field (which should
never happen), free the context we allocated before returning EINVAL.
[ghudson@mit.edu: clarify commit message]
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Revert #6291, which attempts to suppress duplicate credentials by
calling krb5_cc_remove in krb5_cc_store_cred. Most of our ccache
types don't implement remove_cred, and avoiding duplicate credentials
is a responsibility better suited to the ccache implementation for
atomicity reasons.
Removing this call gets rid of the misleading "Removing ... from ..."
messages in trace logs.
ticket: 7906 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
When krb5_rd_req cannot decrypt a ticket, try to produce the most
helpful diagnostic we can, and return an error code which corresponds
to the most applicable Kerberos protocol error. Add a trace log
containing the error message for ticket decryption failures, in case
the application server does not log it.
Add new tests to cover krb5_rd_req error messages and adjust existing
tests to match the new messages. Also adjust svc_auth_gssapi.c to
look for KRB5KRB_AP_ERR_NOT_US instead of KRB5KRB_AP_WRONG_PRINC.
ticket: 7232
|
| |
|
|
| |
Simplify acquire_accept_cred using the new helper function.
|
| |
|
|
|
| |
k5_change_error_message_code allows an extended error message to be
used when an error code is remapped.
|
| |
|
|
|
|
| |
We have used awk scripts in preference to the C version of compile_et
since 1994 (r4426). Get rid of the sources for the C version and all
of the Makefile.in references to them.
|
| |
|
|
|
|
|
|
|
| |
A lot of KDC code was spent copying options to flags, and copying
header_ticket flags to the output ticket.
Behavior change: previous code didn't copy PROXY from the
header_ticket, but this seems to have been a minor bug rather than
intentional. This also seems to have been an omission from RFC 4120.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
In add_admin_princ, remove build_name_with_realm and call asprintf
directly instead. Check for asprintf failure to avoid passing an
undefined pointer to krb5_parse_name.
[ghudson@mit.edu: rewrite commit message]
ticket: 7902 (new)
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Use a library initializer to prevent multiple threads using PKINIT
from concurently initializing OpenSSL functions. For cases where
MT-safety is not assured by registering OpenSSL locking callbacks,
this significantly lowers the odds of crashes caused by races in
OpenSSL initialization. (If OpenSSL initialization functions are
called by some other thread directly, crashes are still possible.)
[ghudson@mit.edu: simplify code changes and commit message]
ticket: 6413
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Where we have ATHENA.MIT.EDU stanzas in sample or test krb5.conf files
which define kdc entries, also define a master_kdc entry. Remove
default_domain and v4_instance_convert entries in examples as they are
only needed for krb5/krb4 principal conversions. In the krb5_conf.rst
example, remove enctype specifications as we don't want to encourage
their use when they aren't necessary, and remove a redundant
domain_realm entry.
ticket: 7901 (new)
|
| |
|
|
|
|
| |
Treat POLLHUP without POLLIN or POLLOUT as an exception in the poll
version of cm_get_ssflags, to correctly handle TCP connection errors
on OS X.
|
| |
|
|
|
|
|
|
|
|
|
| |
Since f72c3ffa the policy is initialized as part of database.
adb_policy_close is now a no-op, and adb_policy_init just makes sure
the database is initialized. adb_policy_init is only called from
kadm5_flush, and only if database initialization was successful
beforehand, rendering this call redundant.
Remove adb_policy_init and adb_policy_close and all their references
in the code and documentation.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Due to an inverted test in adb_policy_init, kadm5_flush calls
krb5_db_open twice. With the DB2 KDB module, the second open is a
no-op, but with the LDAP module, a new DB handle is allocated and the
old one is leaked.
[ghudson@mit.edu: rewrote commit message]
ticket: 7897 (new)
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Move get_curtime_ms and the cm functions near the top of the file
right after structure definitions. Except for cm_select_or_poll,
define each cm function separately for poll and for select, since the
implementations don't share much in common. Instead of
cm_unset_write, define cm_read and cm_write functions to put an fd in
read-only or write-only state. Remove the ssflags argument from
cm_add_fd and just expect the caller to make a subsequent call to
cm_read or cm_write. Always select for exceptions when using select.
(Polling for exceptions is implicit with poll).
With these changes, we no longer select/poll for reading on a TCP
connection until we are done writing to it. So in service_tcp_fd,
remove the check for unexpected read events.
|
| |
|
|
|
|
|
|
|
|
|
| |
POSIX defines getopt to be declared in unistd.h, and HP-UX (as of
version 11.31) does not appear to have getopt.h. In test programs
which currently include getopt.h and aren't currently built on
Windows, include unistd.h or just assume we will get it via k5-int.h.
ticket: 7894 (new)
target_version: 1.12.2
tags: pullup
|
| |
|
|
|
|
|
|
|
| |
The Solaris native compiler (as of version 5.9) outputs code for
static inline functions even if they are not used. So the
k5buf_to_gss helper in gssapiP_generic.h causes t_seqstate to have a
dependency on libkrb5support.
ticket: 7872
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
At the end of setup_gss(), gss_client_creds is released, but an alias
to the credential handle is saved in kadm5_server_handle_t in
handle->clnt->cl_auth->(struct rpc_gss_data *)ah_private->sec.cred.
Accessing these credentials (by authgss_refresh) can result in use
after free.
This fix stores credential reference in server handle and releases
the credentials in kadm5_destroy.
[ghudson@mit.edu: initialize handle->cred to correct constant; get rid
of gss_client_creds variable; clarify commit message slightly]
ticket: 7891 (new)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
In krb5_salttype_to_string, output the salt type name we would
recognize as input.
In the output of getprinc, display the enctype and salt type in a form
we would accept--either enctype:salttype if the salt type is not the
default, or just the enctype if it is.
Update t_mkey.py and t_salt.py to expect the new output format.
Update documentation examples to show the new format.
ticket: 5958
|
| |
|
|
|
|
|
| |
Use alloc_data() and empty_data() where appropriate. Keep mainline
logic to the left where possible. Name the output parameter of
krb5int_des_init_state with an _out suffix. Use a professional tone
in comments. Partly based on a patch from Alok Menghrajani.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Stop adding OIDs to the global OpenSSL table. It isn't thread-safe
(even with locking callbacks registered), and calling OBJ_cleanup
could break other uses of OpenSSL. Instead, use anonymous OIDs
created with OBJ_txt2oid. Anonymous OIDs need to be managed more
careful to avoid double-freeing, so create a copy before calling
PKCS7_add_signed_attribute, and don't free the result of
pkinit_pkcs7type2oid in cms_contentinfo_create.
ticket: 7889
|
| |
|
|
|
|
|
|
|
|
|
| |
pkinit_crypto_openssl.c currently creates a shadow entry for
id-pkcs7-data so that OpenSSL will expect to see the corresponding
octet string in d.other instead than d.data. This shadowing is very
unfriendly to other uses of OpenSSL and we should stop. Eliminate the
shadowing and rewrite create_contentinfo so that it sets up the PKCS7
object correctly if the OID is id-pkcs7-data.
ticket: 7889
|
| |
|
|
|
|
|
|
|
|
|
| |
The definition of SAFE_GETUINT16 mistakenly uses "p" instead its ptr
parameter in three places, which happens to work because all current
invocations of the macro use "p" as the ptr argument. Fix it to
correctly use the ptr parameter.
[ghudson@mit.edu: commit message]
ticket: 6845
|
