Greg Hudson [Mon, 20 Oct 2014 16:52:45 +0000 (12:52 -0400)]
Report output ccache errors getting initial creds
In init_creds_step_reply, if we get an error storing output
credentials, do set ctx->complete (since retrieving creds or times
will work at this point) but don't suppress the error code.
Tom Yu [Thu, 16 Oct 2014 19:40:33 +0000 (15:40 -0400)]
Parse "ktadd -norandkey" in remote kadmin client
The remote kadmin client would not parse the "-norandkey" option to
the ktadd subcommand, terminating option parsing and possibly causing
options to be interpreted as principal names.
Greg Hudson [Wed, 8 Oct 2014 00:22:52 +0000 (20:22 -0400)]
Use gssalloc_malloc for GSS error tokens
In kg_accept_krb5, use gssalloc_malloc when allocating space for the
error token, since it will be freed with gssalloc_free. Using malloc
can cause heap corruption on Windows. This bug was masked by #1445
before 1.12.
Greg Hudson [Thu, 21 Aug 2014 17:52:07 +0000 (13:52 -0400)]
Return only new keys in randkey [CVE-2014-5351]
In kadmind's randkey operation, if a client specifies the keepold
flag, do not include the preserved old keys in the response.
CVE-2014-5351:
An authenticated remote attacker can retrieve the current keys for a
service principal when generating a new set of keys for that
principal. The attacker needs to be authenticated as a user who has
the elevated privilege for randomizing the keys of other principals.
Normally, when a Kerberos administrator randomizes the keys of a
service principal, kadmind returns only the new keys. This prevents
an administrator who lacks legitimate privileged access to a service
from forging tickets to authenticate to that service. If the
"keepold" flag to the kadmin randkey RPC operation is true, kadmind
retains the old keys in the KDC database as intended, but also
unexpectedly returns the old keys to the client, which exposes the
service to ticket forgery attacks from the administrator.
A mitigating factor is that legitimate clients of the affected service
will start failing to authenticate to the service once they begin to
receive service tickets encrypted in the new keys. The affected
service will be unable to decrypt the newly issued tickets, possibly
alerting the legitimate administrator of the affected service.
If gss_acquire_cred_impersonate_name is called using an
impersonator_cred_handle acquired with GSS_C_ACCEPT, we could
dereference null fields of the cred handle and crash. Fix this by
checking the impersonator_cred_handle usage and returning
GSS_S_NO_CRED if it isn't what we expect, just as we do in
init_sec_context.
Based on a patch from Solly Ross <sross@redhat.com>.
If two processes try to initialize the same replay cache at the same
time, krb5_rc_io_creat can race between unlink and open, leading to a
KRB5_RC_IO_PERM error. When this happens, make the losing process
retry so that it can continue.
This does not solve the replay cache creation race, nor is that the
only replay cache race issue. It simply prevents the race from
causing a spurious failure.
Restore providing password TGTs for the ksu target
The use of "stored" was originally for marking whether or not creds
had been found in the source cache and copied to the target. If it was
false, the obtain-a-TGT-using-a-password path would be triggered and
it would populate the target ccache directly.
When the intermediate cache was introduced (in commit dccc80a), the
variable started marking whether or not creds had been copied to the
intermediate cache, and this was then used to decide whether or not to
copy creds to the target cache.
The obtain-a-TGT-using-a-password path began storing its creds in the
temporary cache as well, but neglected to set the flag so that the
creds would be copied to the target cache later, so the target ccache
would never be created and populated with the newly-obtained TGT.
In order to allow ksu to use any locally-present service key for
verifying creds, the previous change to ksu switched from using a
retrieved or obtained TGT to fetch creds for the local "host" service,
and then passing those creds to krb5_verify_init_creds(), to passing the
retrieved TGT directly to krb5_verify_init_creds().
It did not take care to retrieve the TGT from the temporary ccache if it
had obtained them, and in those cases it would attempt to verify NULL
creds.
Modify the krb5_get_tkt_via_passwd() function to call
krb5_get_init_creds_password(), to pass back the freshly-obtained creds,
to take a "krb5_get_init_creds_opt" pointer instead of a locally-defined
options structure, and rename it to ksu_get_tgt_via_passwd().
Ben Kaduk [Thu, 21 Aug 2014 22:56:24 +0000 (18:56 -0400)]
Let libgssapi see TGTs in the MSLSA cache
When the current user is a local administrator of a windows machine
where User Account Control (UAC) is enabled, the Windows LSA will
return a block of zeros as the session key for any TGT entry in the
MSLSA: cache. The lcc_retrieve() implementation checks for such
"null" session keys and prevents them from escaping to callers (as
attempts to use them would encounger strange errors). However,
when the TGT is the only entry in the cache, this filtering prevents
scan_ccache() from detecting that the cache contains non-expired
credentials (and that there is a TGT present).
Since scan_ccache() is only looking at metadata in the cache entries,
and does not need to actually use any tickets or session keys, set
the KRB5_TC_NOTICKET flag on the ccache before scanning it. This
will allow the MSLSA implementation to return a cred for the TGT
entry and cause the GSSAPI credential selection algorithm to function
properly.
Ben Kaduk [Thu, 21 Aug 2014 21:33:11 +0000 (17:33 -0400)]
Add some KDC entries to the registry via WiX
Though our library happily uses DNS, I can't get Windows to
successfully contact KDCs found through the SRV records.
So, we do need to stay in the business of shipping around
KDC entries, after all.
In ksu, handle typeless default_ccache_name values
When a configured or compiled-in default ccache name doesn't contain a
cache type and ':' as a prefix, add one to the writeable value that we
construct when we go to look it up. This lets the rest of the
application always assume that it'll be there.
Greg Hudson [Mon, 25 Aug 2014 16:48:14 +0000 (12:48 -0400)]
Re-encrypt preserved key data in new master key
When we are preserving old key data in kdb_cpw.c, ensure that it is
encrypted with the same master key as the new key data. This ensures
that the KRB5_TL_MKVNO tl-data on the principal entry applies to all
of the key data, not just some of it.
Benjamin Kaduk [Wed, 3 Sep 2014 02:16:51 +0000 (22:16 -0400)]
Update NOTICE with new changes for 1.13
The KCM RPC definitions are copyright KTH/Apple, since it is present
for interoperability with OS X.
Add MS-KKDCP client copyright; alas, it does not match the existing
Red Hat copyrights, since the new code is a 2-clause BSD license, and
there was only a 3-clause Red Hat copyright block present already.
The actual Sphinx output for NOTICE would adjust the wrapping and
indentation of some existing content, but those changes were removed
by hand, so this commit only reflects new added content.
Tom Yu [Tue, 26 Aug 2014 22:18:02 +0000 (18:18 -0400)]
Allow logger.c to work with redirected stderr
In lib/kadm5/logger.c:krb5_klog_init(), if the configuration requests
STDERR logging, call fdopen() using mode "w" instead of "a+", to avoid
errors when stderr happens to be opened for write only.
Ben Kaduk [Thu, 28 Aug 2014 21:54:39 +0000 (17:54 -0400)]
Map .hin files to the C language for doxygen
In Debian unstable, the current version of doxygen is unhappy with
our generated Doxyfile, and does not handle krb5.hin in the expected
fashion (as a C header). Work around this issue by explicitly
specifying that files with the .hin extension are to be treated
as C language files.
Ben Kaduk [Fri, 29 Aug 2014 02:58:49 +0000 (22:58 -0400)]
Export gssrpc_bindresvport_sa
It was added in commit 0d04b60d159ab83b943e43802b1449a3b074bc83, but
was not added to the library export symbol list, and thus was unusable
on systems that enforced library export lists.
Greg Hudson [Mon, 18 Aug 2014 19:09:41 +0000 (15:09 -0400)]
Make randkey update principal mkvno
In kadm5_randkey_principal_3, after updating the principal's keys,
update its mkvno tl-data to indicate the master key version we
encrypted the new keys with.
Tomas Kuthan [Wed, 28 May 2014 13:24:20 +0000 (15:24 +0200)]
kadm5_randkey_principal interop with Solaris KDC
When kadm5_randkey_principal is called on Solaris kadmind (as opposed
to kadm5_randkey_principal_3), the KDC assumes the peer is a Solaris 9
system, and only creates DES keys.
For better interoperability, always call kadm5_randkey_principal_3
first. If this procedure is not present on the remote server, fall
back to calling kadm5_randkey_principal if possible.
Nalin Dahyabhai [Tue, 19 Aug 2014 18:07:26 +0000 (14:07 -0400)]
Simplify and improve ksu cred verification
When verifying the user's initial credentials, don't compute a server
name and preemptively obtain creds for it. This change allows
krb5_verify_init_creds to use any host key in the keytab, and not just
the one for the canonicalized local hostname.
Michael Osipov [Fri, 15 Aug 2014 12:20:10 +0000 (14:20 +0200)]
Fix test syntax in configure.in
Commits 1e4bdcfe and 8df1965d used the wrong test equality operator.
Some versions of test allow == for equality, but others (such as the
HP-UX version) do not. Use a single = for correctness.
Michael Osipov [Thu, 14 Aug 2014 13:48:11 +0000 (15:48 +0200)]
Fix HP-UX build support
Rename hpux10.exports to hpux.exports. In the HP-UX section of
shlib.conf, remove '+s' because it just specifies a default, add a
MAKE_SHLIB_COMMAND, and set SHLIBEXT based on the host CPU.
Greg Hudson [Fri, 8 Aug 2014 17:32:51 +0000 (13:32 -0400)]
Allow SPNEGO fallback to NTLM without mechlistMIC
For interoperability with Windows Server 2003 and earlier, loosen the
initiator's enforcement of RFC 4178's mechlistMIC requirement when
falling back to NTLMSSP.
[ghudson@mit.edu: rewrote commit message, added comment to NTLMSSP
OID]
Greg Hudson [Fri, 8 Aug 2014 20:50:38 +0000 (16:50 -0400)]
Fix GSS krb5 GSS_C_DELEG_FLAG ret_flags result
The krb5 gss_accept_sec_context could erroneously return
GSS_C_DELEG_FLAG in ret_flags if either:
* The token included the GSS_C_DELEG_FLAG but did not include at least
28 bytes in the authenticator checksum.
* The initial token included the GSS_C_DELEG_FLAG but a DCE-style
exchange was performed.
When generating a suffix to append to a ccache name that will hold the
credentials for a ksu-invoked process, instead of using integers
counting up from 1, use the result of base64-encoding six randomly-
generated octets. Tweak the output alphabet just a bit to avoid using
'+' or '/' in the generated names, the latter of which could really
confuse things.
Nalin Dahyabhai [Thu, 31 Oct 2013 01:47:14 +0000 (21:47 -0400)]
Make ksu respect the default_ccache_name setting
Move the logic for resolving and initializing a cache that we're
copying creds into out of krb5_ccache_copy(), and let the caller deal
with it. Add a helper functions to select/resolve an output ccache in
the default location for the target user after we've switched to the
target user's privileges. If the destination is a collection, take
care not to change which subsidiary is its primary, and reuse a
subsidiary cache if we can. If the destination is not a collection,
append a unique value to its name to make a new ccache.
[ghudson@mit.edu: some changes to variable names and comments; move
responsibility for getting target ccache name from
resolve_target_ccache to main]
Nalin Dahyabhai [Thu, 31 Oct 2013 01:45:35 +0000 (21:45 -0400)]
Use an intermediate memory cache in ksu
Instead of copying source or obtained creds into the target cache and
changing ownership if everything succeeds, copy them into a MEMORY:
cache and then, if everything succeeds, create the target cache as the
target user.
We no longer need to clean up the temporary ccache when exiting in
most error cases.
Use a fake principal name ("_ksu/_ksu@_ksu") as the primary holder of
the temporary cache so that we won't accidentally select it when we
make a subsequent call to krb5_cc_cache_match() (to be added in a
later patch) to find the target location where the creds should be
stored for use while running as the target user.
Nalin Dahyabhai [Fri, 1 Nov 2013 13:48:13 +0000 (09:48 -0400)]
In ksu, don't stat() not-on-disk ccache residuals
Don't assume that ccache residual names are filenames which we can
stat() usefully. Instead, use helper functions to call the library
routines to try to read the default principal name from caches, and
use whether or not that succeeds as an indication of whether or not
there's a ccache in a given location.
In ksu, merge krb5_ccache_copy() and _restricted()
Other than whether or not they limit the creds it stores to the new
ccache based on the principal name of the client for whom the creds were
issued, there's no meaningful difference between what these two
functions do. Merge them.
Tomas Kuthan [Fri, 1 Aug 2014 13:25:50 +0000 (15:25 +0200)]
Fix LDAP key data segmentation [CVE-2014-4345]
For principal entries having keys with multiple kvnos (due to use of
-keepold), the LDAP KDB module makes an attempt to store all the keys
having the same kvno into a single krbPrincipalKey attribute value.
There is a fencepost error in the loop, causing currkvno to be set to
the just-processed value instead of the next kvno. As a result, the
second and all following groups of multiple keys by kvno are each
stored in two krbPrincipalKey attribute values. Fix the loop to use
the correct kvno value.
CVE-2014-4345:
In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause it to perform an
out-of-bounds write (buffer overrun) by performing multiple cpw
-keepold operations. An off-by-one error while copying key
information to the new database entry results in keys sharing a common
kvno being written to different array buckets, in an array whose size
is determined by the number of kvnos present. After sufficient
iterations, the extra writes extend past the end of the
(NULL-terminated) array. The NULL terminator is always written after
the end of the loop, so no out-of-bounds data is read, it is only
written.
Historically, it has been possible to convert an out-of-bounds write
into remote code execution in some cases, though the necessary
exploits must be tailored to the individual application and are
usually quite complicated. Depending on the allocated length of the
array, an out-of-bounds write may also cause a segmentation fault
and/or application crash.
Tom Yu [Wed, 6 Aug 2014 22:45:20 +0000 (18:45 -0400)]
Disallow unlocked iteration of hash databases
It's not clear whether unlocked iteration over a hash DB2 database
will omit unaffected entries if database additions or deletions occur
concurrently with the iteration. Avoid this situation by disabling
unlocked iteration in the unlikely event that someone is still using a
hash database for their KDB.
Greg Hudson [Tue, 5 Aug 2014 03:34:32 +0000 (23:34 -0400)]
Fix glob memory leak in GSS initialization
In loadConfigFiles, call globfree even if glob fails, since glob can
allocate memory and report partial results on failure. Also
initialize globbuf before calling glob; this is not strictly required,
but hedges against hypothetical libc implementation bugs which could
leave globbuf.gl_pathc or globbuf.gl_pathv uninitialized on error.
Tom Yu [Wed, 6 Aug 2014 19:03:03 +0000 (15:03 -0400)]
Fix KDC race in t_unlockiter.py
The second KDC startup in t_unlockiter.py could race with the
garbage-collected shutdown of the first, causing the second one to
fail to bind the listening port. Avoid the situation by setting
start_kdc=False, because there doesn't need to be a KDC running for
these tests anyway. Also use create_user=False and create_host=False,
because those principals aren't necessary either.
Ben Kaduk [Wed, 6 Aug 2014 16:49:52 +0000 (12:49 -0400)]
Fix OS X build
Commit 58312ae8beb0499ac3a06196164eb833e9f8975e, "Fix the build on
windows", had a typo that broke the build of KCM support on OS X.
Attempt to increment the cardinality of the set of buildable platforms,
instead of just adjusting its contents, by fixing the typo.
Ben Kaduk [Tue, 5 Aug 2014 15:11:45 +0000 (11:11 -0400)]
Fix the build on windows
Windows does not provide the glob() functionality used to implement
the /etc/gss/mechs.d/ feature, so we must avoid compiling the
relevant code for windows. (It would never have been called, anyway.)
Adjust the ccache/Makefile.in rules to not use '-' or '@' in
make variable names that are processed by nmake.
Also in ccache/Makefile.in, remove some latent leading whitespace that
had been previously hidden by the previous rule; this exposed some
flawed dependencies that are now removed.
Windows does not provide sys/socket.h or sys/un.h, so don't try
to include them in cc_kcm.c.
The commit which moved the KKDCP TLS support to a plugin left some
dangling references to checkhost.c byproducts in os/Makefile.in,
which can be safely removed.
Use k5-platform.h in support/json.c instead of a set of system includes;
this lets windows build the static inline helper functions therein.
When ksu was explicitly told to spawn a shell, a line in .k5users which
listed "*" as the allowed command would cause the principal named on the
line to be considered as a candidate for authentication.
When ksu was not passed a command to run, which implicitly meant that
the invoking user wanted to run the target user's login shell, knowledge
that the principal was a valid candidate was ignored, which could cause
a less optimal choice of the default target principal.
This doesn't impact the authorization checks which we perform later.
Tom Yu [Mon, 4 Aug 2014 16:34:24 +0000 (12:34 -0400)]
Correct includes for unlockiter.c
Some platforms (e.g., Solaris) need a declaration of memset() for the
FD_ZERO() macro to work, contrary to POSIX standards. Add an
inclusion of <string.h> to accommodate them. Also add <sys/time.h>,
possibly needed by some older platforms, and remove a spurious
inclusion of <sys/socket.h>.
Tom Yu [Sat, 2 Aug 2014 18:20:35 +0000 (14:20 -0400)]
Ignore iprop deletion of deleted princ
Now that an iprop full dump might not hold a lock around the entire
dump, it's possible that iprop will queue an incremental update while
the dump is in progress. If a principal is deleted while the dump is
in progress, the dump could omit that principal, yet the deletion
event would still be queued in the ulog. Ignore that deletion without
generating an error.
This is the same basic change as for ticket #7753.
Tom Yu [Sat, 2 Aug 2014 18:20:33 +0000 (14:20 -0400)]
Support unlocked iteration in DB2
Add support to the DB2 KDB back end to optionally release the lock
when calling the iterator callback. This prevents the blocking of
other processes when dumps of large databases are taking place.
Tom Yu [Sat, 2 Aug 2014 18:20:33 +0000 (14:20 -0400)]
Use write lock flag for update_princ_encryption
In kdb5_util update_princ_encryption, instead of getting a write lock
on the KDB surrounding the call to krb5_db_iterate(), use the
iterflags parameter of krb5_db_iterate() to request that it obtain a
write lock around the iteration.
Neng Xue [Fri, 11 Jul 2014 23:04:42 +0000 (16:04 -0700)]
Add kiprop/<master-hostname> during KDB creation
To reduce the number of steps in the deployment of iprop, create the
kiprop/hostname principal for the master KDC during KDB creation.
Adjust tests to match the new behavior.
If we do not find a default ccache value from krb5-config and we
detect that the host platform is OS X 10.7 or higher, use KCM: as the
default ccache name instead of FILE:/tmp/krb5cc_%{uid}.
Add a new credential cache type "KCM" which performs cache operations
by speaking to a Heimdal or OS X KCM daemon, via either Unix domain
sockets or (on OS X only) Mach RPC. Add "kcm_socket" and
"kcm_mach_service" profile variables to control the socket path and
bootstrap service name respectively. In ccmarshal.c, add
k5_marshal_mcred to marshal matching credentials in the KCM protocol
representation.
This cache type is not currently supported on Windows, as Windows does
not support Unix domain sockets.
As with the keyring cache type, the lastchange method of this cache
type is mostly useless, reporting only the time of the last change
made through that cache handle. The KCM protocol currently has no
support for obtaining the last change time of the cache itself.
Make k5_marshal_cred and k5_marshal_princ write to an existing struct
k5buf instead of allocating a new one, so that they can be marshalled
before or after other data.
Make struct k5buf less opaque and get rid of k5buf-int.h. Make it
easy to initialize a k5buf in an error state so that it can be freed
in a cleanup handler. Add a function k5_buf_status which returns 0 or
ENOMEM. Remove k5_buf_data and k5_buf_len. Rename k5_free_buf to
k5_buf_free. Adjust all callers to match.
Add three new libprofile tests to prof_test1, two to test for the bugs
in #7971 and one to test a bug which would have been introduced by a
candidate fix.
profile_rename_section should demand only one name.
profile_add_relation should demand only one name if it is creating a
new section. It aso needs to reset state before calling
profile_find_node for the section, in case it didn't look up any
parent sections previously.
In profile_find_node, skip deleted nodes when finding the second
match. Otherwise, profile_clear_nodes could return an error if a node
has some values to clear but the last one is deleted.
In profile_node_iterator, skip deleted nodes when looking up the
section names. Otherwise we could iterate over a deleted section
and/or ignore its replacement.
To work around a historical bug in Samba, the SPNEGO initiator treats
a counterproposal as matching the optimistic token if both are aliases
for the krb5 mech. When IAKERB support was added (#6712), IAKERB was
unintentionally added to the set of mech OIDs which were considered to
be krb5 aliases for this purpose.
Remove IAKERB from gss_mech_set_krb5_both and create a new internal
mech set, kg_all_mechs, for use by krb5_gss_indicate_mechs.
When processing a continuation token, acc_ctx_cont was dereferencing
the initial byte of the token without checking the length. This could
result in a null dereference.
CVE-2014-4344:
In MIT krb5 1.5 and newer, an unauthenticated or partially
authenticated remote attacker can cause a NULL dereference and
application crash during a SPNEGO negotiation by sending an empty
token as the second or later context token from initiator to acceptor.
The attacker must provide at least one valid context token in the
security context negotiation before sending the empty token. This can
be done by an unauthenticated attacker by forcing SPNEGO to
renegotiate the underlying mechanism, or by using IAKERB to wrap an
unauthenticated AS-REQ as the first token.
David Woodhouse [Tue, 15 Jul 2014 16:54:15 +0000 (12:54 -0400)]
Fix double-free in SPNEGO [CVE-2014-4343]
In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the
pointer sc->internal_mech became an alias into sc->mech_set->elements,
which should be considered constant for the duration of the SPNEGO
context. So don't free it.
CVE-2014-4343:
In MIT krb5 releases 1.10 and newer, an unauthenticated remote
attacker with the ability to spoof packets appearing to be from a
GSSAPI acceptor can cause a double-free condition in GSSAPI initiators
(clients) which are using the SPNEGO mechanism, by returning a
different underlying mechanism than was proposed by the initiator. At
this stage of the negotiation, the acceptor is unauthenticated, and
the acceptor's response could be spoofed by an attacker with the
ability to inject traffic to the initiator.
Historically, some double-free vulnerabilities can be translated into
remote code execution, though the necessary exploits must be tailored
to the individual application and are usually quite
complicated. Double-frees can also be exploited to cause an
application crash, for a denial of service. However, most GSSAPI
client applications are not vulnerable, as the SPNEGO mechanism is not
used by default (when GSS_C_NO_OID is passed as the mech_type argument
to gss_init_sec_context()). The most common use of SPNEGO is for
HTTP-Negotiate, used in web browsers and other web clients. Most such
clients are believed to not offer HTTP-Negotiate by default, instead
requiring a whitelist of sites for which it may be used to be
configured. If the whitelist is configured to only allow
HTTP-Negotiate over TLS connections ("https://"), a successful
attacker must also spoof the web server's SSL certificate, due to the
way the WWW-Authenticate header is sent in a 401 (Unauthorized)
response message. Unfortunately, many instructions for enabling
HTTP-Negotiate in common web browsers do not include a TLS
requirement.
Greg Hudson [Mon, 16 Jun 2014 17:15:33 +0000 (13:15 -0400)]
Document LDAP SASL configuration
Document the LDAP SASL profile tags and DB options. For consistency,
also condense the kdc.conf documentation for the two bind DN variables
into one entry.
Greg Hudson [Mon, 16 Jun 2014 16:41:03 +0000 (12:41 -0400)]
Add SASL support to LDAP KDB module
Add variables for the SASL mechanism, authcid, authzid, and realm. If
a SASL mechanism is set, perform an interactive bind with that
mechanism. If <sasl/sasl.h> is found at build time, provide the
authcid, authzid, and realm in the interaction function, and provide a
SASL secret read from the service password file (under the authcid) if
we found one.
Based on a patch from Zoran Pericic <zpericic@netst.org>.
Greg Hudson [Mon, 9 Jun 2014 19:23:25 +0000 (15:23 -0400)]
Modernize some LDAP sources
Bring ldap_misc.c up to date with current practices and make limited
changes to other files. Of note:
* krb5_decode_krbsecretkey was freeing its bvalues argument; make that
the caller's responsibility.
* Make is_principal_in_realm and has_modify_increment return
krb5_boolean, reversing the sense of their results.
* Remove broken code path in decode_tl_data when an integer value has
a length other than 2 (which should never happen).
* Simplify krb5_ldap_readpassword and make it take filename/name
parameters instead of an LDAP context.
* Make krb5_ldap_bind (renamed to authenticate) responsible for
setting a useful error message, so that its caller doesn't assume
knowledge of the bind parameters.
* Make krb5_ldap_initialize (renamed to initialize_server) responsible
for updating the handle list, and remove the otherwise unused
krb5_update_ldap_handle.
* Remove remaining skeletal certificate support, including the unused
has_sasl_external_mech function.
* Remove unused krb5_get_containerdn and KDB_TL_CONTAINERDN.
* Remove kdb_xdr.h; all of its prototypes were for functions that
don't exist in the module or were duplicated in other headers.
* Remove krb5_ldap_get_strings and use ldap_get_values directly at
its call sites; there was no need to copy the result.
Make the configure option for TLS implementation more generic, in case
we use the k5tls module for something other than KDC proxy support.
Rename all of the associated symbols for consistency.
Greg Hudson [Sun, 22 Jun 2014 14:42:14 +0000 (10:42 -0400)]
Move KKDCP OpenSSL code to an internal plugin
Create an internal pluggable interface "tls" with one in-tree dynamic
plugin module named "k5tls". Move all of the OpenSSL calls to the
plugin module, and make the libkrb5 code load and invoke the plugin.
This way we do not load or initialize libssl unless an HTTP proxy is
used.
Remove copyright statement added to bindresvport.c
Andreas's copyright statement was added to the Oracle license
statement by mistake; the code changes made to turn bindresvport into
bindresvport_sa are minimal. Remove it with Andreas's permission.
In prng_fortuna.c, if krb5_c_random_make_octets detects that we do not
have entropy, set an error message saying that the random number
generator could not be seeded, as we likely failed previously to read
from /dev/urandom or the Windows equivalent.
Michael Mattioli [Tue, 15 Jul 2014 16:48:58 +0000 (12:48 -0400)]
Improve indentation of t_otp.py
Move the RADIUS attribute dictionary text to a global variable defined
at indent level 0, so that we don't go back to indent level 0 in the
middle of the RadiusDaemon class definition.
[ghudson@mit.edu: clarified commit message, moved comment, changed
variable name]
Lukas Slebodnik [Sat, 21 Jun 2014 14:43:12 +0000 (16:43 +0200)]
Avoid closing fd -1 in libkrad
If a krad_remote is released before its fd is set, we could close the
file descriptor -1, which is harmless but incorrect. Check the fd in
remote_disconnect to avoid this.
[ghudson@mit.edu: clarified commit message, minor style change]
projects / thirdparty / krb5.git / log
