Ben Kaduk [Wed, 3 Oct 2012 20:44:28 +0000 (16:44 -0400)]
Remove unused texinfo sources
Now that the install guide make rules are removed, nothing references
build.texinfo or install.texinfo any more (other than the tgz target,
which is updated accordingly).
Ben Kaduk [Wed, 3 Oct 2012 20:16:26 +0000 (16:16 -0400)]
Disconnect texinfo install guide from the build
Its content has been migrated to or superseded by the RST documentation,
split amongst krb_build and various sections of krb_admins.
A few portions of the texinfo document are simply no longer relevant
and do not need to be migrated. In particular:
It's 2012; we don't need to specify that we require a C89 compiler.
It's 2012; it will be easy to get enough disk to build krb5.
The KADM5 tests are part of 'make check' and don't need separate
documentation.
Shared library support is not limited to "a few operating systems".
We do not need to document incompatibilities with ancient/dead OSes.
kadmind4 and v5passwdd are no longer relevant.
Ben Kaduk [Wed, 3 Oct 2012 19:56:46 +0000 (15:56 -0400)]
Add section on updating from single-DES
There are, unfortunately, still some single-DES deployments out
there. Try to help them along by documenting a procedure for
migrating to stronger crypto.
The texinfo install guide had a section on "upgrading", but it was
not really suitable for direct import into a RST document. For one,
it gave a high profile to the on-disk incompatibilities in upgrades
to 1.1 and 1.2. It also was driven at upgrading *to* triple-des (or RC4),
which are something of a dead-end. This new text attempts to be more
general and applicable to today's environment.
Ben Kaduk [Wed, 3 Oct 2012 16:29:20 +0000 (12:29 -0400)]
Add a kdb5_util examples for old KDC upgrades
It's a slightly less-contrived use case of the utility than the
other example, which reads more like a usage statement.
Give a motivating sentence before each example, and note that this
new example is not needed in the general upgrade case.
The need to dump/load for upgrades prior to 1.2 was documented in
the texinfo install guide, but not in any RST sources until now.
Greg Hudson [Tue, 9 Oct 2012 18:27:04 +0000 (14:27 -0400)]
De-conditionalize Camellia code
The Camellia enctypes and cksumtypes have received IANA assignments.
Add #defines using those assignments to krb5.h, remove the CAMELLIA
conditional, and enable testing code as appropriate.
The Camellia draft has not received an RFC number yet, so there is no
Doxygen markup for the enctype and cksumtype #defines. That can be
added once the RFC number is known.
Greg Hudson [Mon, 8 Oct 2012 16:18:35 +0000 (12:18 -0400)]
Remove iprop dejagnu test
Both the Python and dejagnu iprop tests are slow since they use sleeps
to give kpropd time to do its work (although we can fix this with some
work). Since the Python tests cover the same ground as the dejagnu
tests, we don't need both.
Nicolas Williams [Mon, 24 Sep 2012 23:04:50 +0000 (18:04 -0500)]
Remove an old, incorrect comment in kpropd.c
We absolutely do not want a parking brake on the kprop protocol as
described in the comment being removed. Instead the kprop command
should be fixed so it doesn't die on error (assuming it even still does
or ever did, neither of which I've checked).
If a kdb5_util load gets killed between rename()ing the new KDB file
into place and resetting the iprop ulog then the ulog can reflect the
pre-load state, which will almost certainly be incorrect.
This matters because we want to impose a timeout on full resyncs in
kpropd when iprop dictates that a full resync is needed, and the
simplest timeout scheme involves signaling the kdb5_util load process.
But also, we want no such races in general.
The fix is simple: re-initialize the ulog before renaming the new KDB
file into place, then proceed as usual. If the ulog is not properly
updated at the end of the load it will at least always result in
subsequent iprop get updates operations always indicating that a full
resync is required.
Nicolas Williams [Thu, 20 Sep 2012 19:37:45 +0000 (15:37 -0400)]
Make kadmind iprop never return UPDATE_BUSY
Currently kadmind allows slaves to poll for updates as often as they
like, but not within 10s of the last update. This means that iprop will
appear to fail to synchronize the KDC at any site whose master KDC
processes at least one write transaction every 10 seconds consistently.
The original intention must have been to throttle iprop clients (slave
KDCs) that poll too often. But UPDATE_BUSY as implemented is not that,
and implementing a throttle would be difficult (requires keeping state
in a table) and mostly useless (admins can manage their poll timers just
fine without a throttle in kadmind).
Nicolas Williams [Mon, 24 Sep 2012 22:48:48 +0000 (17:48 -0500)]
Remove MAX_ULOGENTRIES
If a master KDC uses only a 64-bit libkadm5srv then there is no reason
to impose any limit on ulog size: the practical maximum will be given by
the filesystem and available storage space.
Even when using a 32-bit libkadm5srv the maximum practical ulog size
will be found easily enough when mmap() fails.
Nicolas Williams [Fri, 17 Aug 2012 23:19:31 +0000 (18:19 -0500)]
Use a single global dump for iprop full syncs
Use a global dump (the default dump file) for full syncs for iprop.
When a slave asks for a fullsync we kprop the existing global dump to it
if that is good enough, else we dump the DB and send the new global
dump.
Before this change kadmind would run kdb5_util dump -i... each time a
slave asked for a full dump. This was done in a sub-process,
thankfully, but it was still a waste of time and storage (e.g., if one
has a huge KDB).
Also, long dump times might cause a slave to give up (the timeout for
this is now configurable). But since iprop dumps bear a serial number
and timestamp and since slaves will resync from that point forward, it
doesn't matter if the dump we send a slave is fresh as long as it is
fresh enough (i.e., that its sno and timestamp are in the ulog).
Also:
- Rename dumps into place instead of unlink, create, write (but we
still keep the dump ok files as lock files and as a method of
signaling to kprop that the dump is complete).
Nicolas Williams [Tue, 25 Sep 2012 02:09:17 +0000 (21:09 -0500)]
Improve kpropd behavior in iprop mode
- Make kpropd in iprop mode fork a child to listen for kprops from the
master. The child writes progress and outcome reports to the parent
for each kprop. This fixes a race between asking for a full resync
and setting up a listener socket for it.
- Add runonce (-t) for kpropd do_standalone() too.
- Add a new iprop parameter: iprop_resync_timeout. kpropd will keep
asking for incremental updates while waiting for a full resync to
finish, and will re-request a full resync if kadmind continues to
indicate that one is needed after this timeout passes since the
previous full resync was requested.
- Allow polling intervals less than 10 seconds.
[ghudson@mit.edu: split out debug output changes; note polling interval
change in commit message]
util/cstyle-file.py checks a file for C style issues and displays
line-by-line output. It is not terribly sophisticated, and can
probably be improved upon (e.g. by doing an emacs batch-reindent of
the file and checking for differences in indentation).
util/cstyle.py produces diffs using git, runs the file checker on each
modified C source file in each diff, and displays the output lines
attribute to the diff.
Luke Howard [Sat, 1 Sep 2012 01:08:27 +0000 (11:08 +1000)]
GENC should always export composite names
RFC 6680 requires that gss_export_name_composite begin the output
token with 04 02. So we must produce a composite token even if the
name has no authdata, and be able to consume a composite token with no
authdata attributes.
Simo Sorce [Tue, 28 Aug 2012 14:47:23 +0000 (16:47 +0200)]
Add SPI calls to import objects by mech oid
An interposer mech needs to be able to handle multiple mechanisms.
When importing a mech token for a name, cred, or context, the
interposer mech needs to know the mech type of the token being
imported. To make this work, add SPI calls which accept a mech type
argument.
Simo Sorce [Tue, 5 Jun 2012 12:09:15 +0000 (08:09 -0400)]
Use interposer mechanisms in mechglue functions
Wherever a GSSAPI mechglue function accepts a mech OID from the
caller, use gssint_select_mech_type() to choose the mechanism to use.
Wherever a mechglue function outputs a mech OID to the caller, use
gssint_get_public_oid() or gssint_make_public_oid_set() to expose the
public mech OID.
Simo Sorce [Mon, 11 Jun 2012 15:50:26 +0000 (11:50 -0400)]
Add primitives for using interposed mechanisms
Add gssint_select_mechanism() to determine what mechanism to use for a
caller-specified OID, gssint_get_public_oid() to determine what
mechanism to expose to the caller, and gssint_make_public_oid_set to
translate an array of mech OIDs into a set of public OIDs. In
gssint_get_mechanism(), match interposed OIDs as well as real ones.
Simo Sorce [Tue, 18 Sep 2012 02:00:44 +0000 (22:00 -0400)]
Add support for loading interposer modules
Extend the syntax of the gss mech config file to allow a module type
delimited by triangle brackets. If the module type is "interposer",
flag the mechanism entry as being an interposer mechanism. A module
marked as an interposer is loaded immediately (so it can interpose a
built-in mechanism) and produces a list of OIDs to interpose.
Interposer mechanisms are not exposed to applications.
Tom Yu [Thu, 27 Sep 2012 21:18:18 +0000 (17:18 -0400)]
Cache TGS-REPs too
Changes in r25660 inadvertently failed to insert TGS-REPs into the
lookaside cache. Call finish_dispatch_cache() at the end of
dispatch() to handle this case.
Ben Kaduk [Fri, 21 Sep 2012 17:01:06 +0000 (13:01 -0400)]
Remove kerbsrc.win
It has been unloved and broken repeatedly for many years, requiring
updating of several variables whenever new directories are added
and similar tedia. It was originally intended to avoid the need
for Unix utilities on Windows, but Microsoft provides the Utilities
and SDK for UNIX-based Applications which is enough rope to do a
native build.
Leave behind a warning message to anyone who does try to build the
target.
Clean up some now-unused infrastructure in the build system.
Ben Kaduk [Fri, 21 Sep 2012 15:13:32 +0000 (11:13 -0400)]
Remove kerbsrc-nt
NT is long-gone; we don't need to keep a special-case error message
around telling people not to use it.
Clean out the unneeded code from the Makefile.in
Ben Kaduk [Thu, 20 Sep 2012 22:03:54 +0000 (18:03 -0400)]
Remove kerbsrc83
It's been a long time since systems were limited to 8.3 format
for file names. No one should be thinking to try and build this
target, and if they do, we don't need a custom error message anymore.
Clean out the unneeded code from the Makefile.in.
Ben Kaduk [Thu, 20 Sep 2012 18:03:20 +0000 (14:03 -0400)]
Do not add empty dir to the include search list
windows/leashdll/include contains only a krb4 directory.
We have a dubious need for the latter through AFSroutines.c,
but the former can be eliminated.
Ben Kaduk [Wed, 19 Sep 2012 16:13:30 +0000 (12:13 -0400)]
Update windows/README
The build instructions have changed somewhat, as have the requirements
for a build environment.
The default behavior for KRB5_CONFIG and KRB5CCNAME has also changed.
Attempt to remove mention of overly specific Windows versions that
are now quite old when the behavior persists in newer versions of Windows.
Document the usage of DNS by default and the reduced need for a large
krb5.ini file.
Talk a little more about the LSA cache.
Unlike most GSS test programs, t_s4u2proxy_krb5 uses a cleanup
handler, so we have to be careful to initialize everything we clean
up--particularly service2_name, which is initialized after a possible
goto. Also, remember to release acceptor_name.
krb5_rc_recover_or_initialize is not a public function, but is now
used by the krb5 mechanism when importing a credential. Mark it as
PRIVATE GSSAPI in the export list.
It might have been safe to access the krb5 verifier cred without a
lock before constrained delegation, but it is less likely to be safe
now that we might access both the initiator and acceptor parts of the
cred. Hold a lock on the cred for the full accept_sec_context
operation.
If the verifier cred handle is of type GSS_C_BOTH, we need to resolve
the initiator part of it in order to create a s4u2proxy delegated
credential handle. (If it's of type GSS_C_ACCEPT, kg_resolve_cred
won't do anything beyond locking and validating the credential.)
Ben Kaduk [Tue, 18 Sep 2012 21:53:18 +0000 (17:53 -0400)]
Remove NSIS installs when upgrading to 64-bit
The NSIS installer appears to have only ever existed as a 32-bit
software. As such, unconditionally check the 32-bit registry tree
for an uninstall string; the architecture of the current package
being installed is not relevant to what was previously installed.
Get rid of gssint_get_mechanisms, gssint_mech_to_oid, and
gssint_oid_to_mech, which constructed a list of mechanism names and
mapped between mech names and OIDs. These functions were only used by
gss_inquire_mechs_for_name, which now uses gss_indicate_mechs instead.
Use gss_indicate_mechs instead of gssint_get_mechanisms and
gssint_mech_to_oid to iterate over the list of mechanism OIDs. Use a
static helper to determine whether a mech supports a name type,
avoiding most of the work done in the for loop. Use a cleanup
handler. Don't leave partial results in the output parameter on
error.
Simo Sorce [Tue, 14 Aug 2012 13:14:15 +0000 (15:14 +0200)]
Avoid leaks on gss_accept_sec_context errors
Failure handling during the postprocessing of
mech->gss_accept_sec_context was inconsistent. In one case we delete
the output token but leave the partly-constructed context present in
*context_handle (violating RFC 2744 if this is the first call); in
other cases we leave the output token in the caller's buffer but do
destroy the partly-constructed context. Make this more consistent by
always destroying the output token and partly-constructed context.
(RFC 2744 prefers, but does not require, leaving the
partly-constructed context present on error if it was present on
entry. At the moment we are ignoring that preference.)
[ghudson@mit.edu: Rewrote commit message with more details]
Tom Yu [Fri, 14 Sep 2012 17:55:36 +0000 (13:55 -0400)]
Avoid multiply defining OIDs in tests/gssapi
Declarations of gss_OID_desc mech_krb5, etc. in tests/gssapi/common.h
can result in multiple definitions when the test programs are linked.
Prefix the declarations with "extern" to prevent this.
Factor out some common functions used by multiple test programs. Use
a common argument format for importing names (p:princname,
h:hostbasedname, or u:username) and adjust the Python tests to match
it. Use more consistent conventions in test programs and fix some
coding style issues. Normalize how the test programs are built.
Ben Kaduk [Wed, 12 Sep 2012 18:17:59 +0000 (14:17 -0400)]
Improve LEASHAUTOINIT description
This installer option determines whether the -autoinit argument
is passed to the MIT Kerberos executable.
On startup, if this argument is passed, and if there are no tickets
in the default cache, and if no useful tickets can be imported from
the LSA cache, MIT Kerberos will open the get ticket dialog and prompt
for a password; this option does not appear to have any other effect.
Nicolas Williams [Wed, 12 Sep 2012 16:36:54 +0000 (11:36 -0500)]
Fix lock inconsistency in ctx_unlock()
The lock inconsistency fixed here is quite possibly the same as
described in https://bugzilla.redhat.com/show_bug.cgi?id=586032 .
The problem is that ctx_unlock() fails to unlock the principal DB if
it fails to unlock the policy DB, and this happens when ctx_lock()
fails to lock the policy DB (likely because the caller is racing
against a kdb5_util load, which will be using a "permanent" lock,
meaning that the lock file will be unlinked after acquiring the
lock). The fix is to perform both unlock operations *then* handle
any errors that either or both might have returned.
Additionally, we don't really need or want to use non-blocking locks,
and we certainly don't want to sleep(1) in krb5kdc (possibly several
times, as there was a loop over this) when either of the principal or
policy DB is locked. Some callers still request non-blocking locks,
and ctx_lock() still honors this.
Nicolas Williams [Wed, 12 Sep 2012 02:37:53 +0000 (21:37 -0500)]
Use blocking locks in krb5kdc and libkadm5srv
We don't really need or want to use non-blocking locks, and we certainly
don't want to sleep(1) in krb5kdc (possibly several times, as there was
a loop over this) when either of the principal or policy DB is locked.
Some callers still request non-blocking locks, and ctx_lock() still
honors this.
Nicolas Williams [Wed, 12 Sep 2012 02:32:28 +0000 (21:32 -0500)]
Map CANTLOCK_DB to SVC_UNAVAILABLE in krb5kdc
The KDC should not return KRB5KRB_ERR_GENERIC (KRB_ERR_GENERIC) when the
KDB plugin returns KRB5_KDB_CANTLOCK_DB: it should return
KRB5KDC_ERR_SVC_UNAVAILABLE (KDC_ERR_SVC_UNAVAILABLE) instead. This
allows clients to immediately fallback onto other KDCs.
When we switch to using blocking locks in the db2 KDB backend we'll very
rarely hit this code path, perhaps only when racing against a kdb5_util load.
Other KDB backends might still return KRB5_KDB_CANTLOCK_DB often enough that
this change is desirable.
Ben Kaduk [Wed, 12 Sep 2012 15:35:04 +0000 (11:35 -0400)]
Unregister error message key on library unload
Revision fcdd2de1 added the K5_KEY_GSS_KRB5_ERROR_MESSAGE key, and
registered it in the gssapi library initialization routine, but
did not unregister it in the libary finalization routine.
When the library is unloaded and reloaded in the same process,
this leads to an assertion failure, since we check that
destructors_set[keynum] is zero (no destructor set) when registering
a key in util/support/threads.c.
Unregister the key on library cleanup to resolve the error.
Greg Hudson [Sun, 19 Aug 2012 03:40:29 +0000 (23:40 -0400)]
Introduce gss_export_cred and gss_import_cred
Add gss_export_cred and gss_import_cred mechglue functions to
serialize and unserialize GSSAPI credential handles. Mechanism
implementations and tests will follow.
If a caller sets a responder, it will be invoked after preauth modules
have had a chance to review their incoming padata but before they produce
outgoing padata. The responder will be presented a set of questions with
optional challenges. The responder should then answer all questions it knows
how to handle. Both the answers and the challenges are printable UTF-8 and
may contain encoded, structured data specific to the question asked.
Add two new callbacks and one optional method to the clpreauth
interface. The new method (prep_questions) allows modules to ask questions
by setting them in the responder context using one of the new callbacks
(ask_responder_question). The other new callback (get_responder_answer) is
used by the process method to read the answers to the questions asked.
Since zapfree(str, strlen(str)) won't work for possibly-null values of
str, add a helper zapfreestr() which only calls strlen() if the string
value is non-null.
The file 'checkbox blank.png' is unneeded and contains a space in the
name, unnecessarily interfering with running find | xargs over the
source tree. Remove it.
When the rules from util/k5ev/Makefile.in were moved to
util/verto/Makefile.in, the rule to make rename.h was broken on
non-gmake makes because the definition of SED wasn't carried over.
Define it now.
For the test-vectors target in tests/asn.1, add ASN.1 modules from RFC
4556 and draft-ietf-krb-wg-pkinit-alg-agility-06.txt, and output test
encodings for PrincipalName, KRB5PrincipalName, OtherInfo, and
PkinitSuppPubInfo. In the alg-agility module, AuthPack and DHRepInfo
are renamed, as asn1c otherwise rejects them as conflicting with the
RFC 4556 definitions.
The upstream libverto depends on dynamic loading and in particular on
dladdr(), which is not universal. To avoid this dependency, stub out
support for module loading (by replacing module.c) and instead
integrate the k5ev module directly into the bundled verto library.
This change removes the need to link, include, and invoke libverto
differently depending on whether we're using the bundled library; we
can always just link with -lverto and call verto_default().
We already define EV_USE_REALTIME to 0 to avoid the use of
clock_gettime() (to avoid depending on librt). But in some build
environments libev can detect support for a monotonic clock, which
also results in using clock_gettime(). Define EV_USE_MONOTONIC to 0
as well to prevent this.
Ben Kaduk [Fri, 31 Aug 2012 17:41:26 +0000 (13:41 -0400)]
Use separate components for shortcuts
Since the Start Menu and Desktop are different folders, we should
use different components for the shortcuts in those folders, given
that components operate at directory granularity.
Take the opportunity to use the newer style for installing shortcuts
and registry keys, and make the names more descriptive.
Increment the buildlevel to ensure new files are installed.
ticket: 7348 (new)
subject: Use more meaningfully named registry keys for shortcuts
queue: kfw
target_version: 1.10.4
tags: pullup
Nate Rosenblum [Wed, 29 Aug 2012 18:16:11 +0000 (11:16 -0700)]
Support kdc_timesync offsets in memory ccache
When using v4 file credentials caches, client clock skew offsets
obtained when running with the kdc_timesync option set are persisted in
the ccache. This allows the offsets to be used across separate contexts,
e.g. when obtaining credentials using krb5 interfaces and subsequently
importing those credentials for use in gssapi. This patch adds similar
support for memory credentials caches.
Ben Kaduk [Thu, 23 Aug 2012 16:38:57 +0000 (12:38 -0400)]
Do not emit debug printfs under NODEBUG
These printfs spew to the console when command-line utilities
such as 'klist' and 'aklog' are run, reducing usability.
These printfs can also cause application hangs.
On a multiprocessor machine, when PuTTY and the ccapiserver are
running on different CPUs, PuTTY appears to deadlock with three
concurrent threads inside cci_debug_printf().
Kevin Wasserman [Tue, 21 Aug 2012 15:44:46 +0000 (11:44 -0400)]
Fix KfW thread-local storage allocation issues
Allocate thread-local storage on demand; don't rely on
the DLL_THREAD_ATTACH case in DllMain() since pre-existing
threads will never execute that code.
Ben Kaduk [Thu, 16 Aug 2012 20:03:48 +0000 (16:03 -0400)]
Kill running processes on upgrades/uninstalls
The InstallValidate action of the windows installer will bring up
a dialog informing us that some currently running processes must
be terminated before installation may proceed, and offers to do so,
but does not actually kill the processes. We have our own code to
kill running processes which did not execute, for two reasons:
it was sequenced after InstallValidate, and we did not have a current
list of processes to look for.
Add the right processes to look for and kill, and use our own
process-killing code since it actually works.
Ben Kaduk [Wed, 15 Aug 2012 18:50:42 +0000 (14:50 -0400)]
Make finding 32-bit libs easier
Our 64-bit installer provides 32-bit libraries as well as 64-bit
libraries, but not all 32-bit applications (e.g., PuTTY, Pidgin)
are able to locate them in C:\Program Files\MIT\Kerberos .
Including an InstallDir key under the Wow6432Node tree lets them
work out-of-the-box; while here set all the registry keys in this
component in the compatibility tree, for consistency.
projects / thirdparty / krb5.git / log
