Ben Kaduk [Mon, 25 Feb 2013 18:12:33 +0000 (13:12 -0500)]
Fix windows build
Catch up to the split of preauth_plugin.h into client and
kdc specific portions. While here, use copy's /y flag to suppress
an override-confirmation prompt (though we do not list any dependencies
for this target at the moment, so no such prompt will be generated).
Greg Hudson [Thu, 21 Feb 2013 17:36:07 +0000 (12:36 -0500)]
Fix fd leak in DIR ccache cursor function
If dcc_ptcursor_next reached the end of a directory, it called free()
on the directory handle instead of closedir(), causing the directory
fd to be leaked. Call closedir() instead.
Greg Hudson [Wed, 20 Feb 2013 17:06:12 +0000 (12:06 -0500)]
Fix memory leak closing DIR ccaches
A ccache type's close function is supposed to free the cache container
as well as the type-specific data. dcc_close was not doing so,
causing a small memory leak each time a ccache is created or
destroyed.
Greg Hudson [Sun, 17 Feb 2013 17:44:45 +0000 (12:44 -0500)]
Allow multi-hop SAM-2 exchanges
Prior to 1.11, it was possible to do SAM-2 preauth exchanges with
multiple hops by sending repeated preauth-required errors with
different challenges (which is not the way multi-hop exchanges are
described in RFC 6113, but it can still work). This stopped working
when SAM-2 was converted to a built-in module. Make it work again.
Xi Wang [Thu, 14 Feb 2013 23:17:40 +0000 (18:17 -0500)]
PKINIT null pointer deref [CVE-2013-1415]
Don't dereference a null pointer when cleaning up.
The KDC plugin for PKINIT can dereference a null pointer when a
malformed packet causes processing to terminate early, leading to
a crash of the KDC process. An attacker would need to have a valid
PKINIT certificate or have observed a successful PKINIT authentication,
or an unauthenticated attacker could execute the attack if anonymous
PKINIT is enabled.
Jonathan Reams [Fri, 15 Feb 2013 07:11:57 +0000 (02:11 -0500)]
Convert success in krb5_chpw_result_code_string
Result code 0 used to be converted properly by krb5_set_password,
though not krb5_change_password; this changed in 1.10 when
krb5int_setpw_result_code_string was folded into
krb5_chpw_result_code_string. Restore the old behavior, and make it
apply to krb5_change_password as well, by making
krb5_chpw_result_code_string convert result code 0.
Greg Hudson [Tue, 30 Oct 2012 21:17:45 +0000 (17:17 -0400)]
Make internal JSON functions return error codes
Return error codes (0, ENOMEM, or EINVAL) from JSON support functions
instead of returning results directly. This makes error handling
simpler for functions which assemble JSON objects and then return a
krb5_error_code values. Adjust all callers. Use shims in
export_cred.c to minimize changes there; it will be redesigned
internally in a subsequent commit.
Greg Hudson [Tue, 12 Feb 2013 02:13:15 +0000 (21:13 -0500)]
Fix RFC 5587 const pointer typedefs
gss_const_ctx_id_t, gss_const_cred_id_t, and gss_const_name_t are
supposed to be const pointers to the appropriate structures, not the
structures themselves. These are not used by any prototypes yet, and
no application would have any reason to use them as they are, so it
should be safe to change them within the public header.
Greg Hudson [Sat, 9 Feb 2013 05:43:35 +0000 (00:43 -0500)]
Add and use k5memdup, k5memdup0 helpers
Add k5-int.h static functions to duplicate byte ranges, optionally
with a trailing zero byte, and set an error code like k5alloc does.
Use them where they would shorten existing code.
Greg Hudson [Fri, 8 Feb 2013 06:59:19 +0000 (01:59 -0500)]
Simplify TGS request construction
Move krb5int_make_tgs_request from gc_via_tkt.c into send_tgs.c,
combine it with krb5int_make_tgs_request_ext (which nothing else
called), and rename the combined function to k5_make_tgs_req. Also
use a typedef for the pacb callback.
Greg Hudson [Sun, 3 Feb 2013 17:25:10 +0000 (12:25 -0500)]
Add kprop Python tests
Create a K5Realm.kprop_port method so test scripts can invoke kprop
usefully, and create a simple Python test script exercising the same
kprop functionality as the dejagnu suite's kprop.exp.
Greg Hudson [Sun, 3 Feb 2013 18:21:34 +0000 (13:21 -0500)]
Make kprop/kpropd work with RC4 session key
In krb5_auth_con_initivector and mk_priv/rd_priv, stop assuming that
the enctype's block size is the size of the cipher state. Instead,
make and discard a cipher state to get the size.
Greg Hudson [Wed, 6 Feb 2013 19:49:09 +0000 (14:49 -0500)]
Refactor dump.c
When dumping, use a common iterator function to unpack the dump_args
structure, unparse and filter the principal name, and convert master
keys. Add helper functions to dump and load the "octets or -1" format
used for optional binary fields in the current dump format.
Greg Hudson [Tue, 5 Feb 2013 05:31:23 +0000 (00:31 -0500)]
Reorder dump.c
Without changing anything (except to make a few internal functions
static), reorder dump.c to bottom-up order so that forward function
declarations aren't needed.
Greg Hudson [Mon, 4 Feb 2013 23:21:45 +0000 (18:21 -0500)]
Add more tests for dump and load
Move the existing dump/load tests from t_general.py to a new script
t_dump.py. Add additional tests using pre-created dumpfiles, to
exercise the -r18, -r13, -b7, and -ov formats.
Greg Hudson [Mon, 4 Feb 2013 19:01:40 +0000 (14:01 -0500)]
Simplify kdb5_util create using a null password
kadm5_create_principal now uses a random key if passed a null
password, so we don't need a multi-step process to create admin
principals when creating a database any more.
Greg Hudson [Fri, 1 Feb 2013 16:52:48 +0000 (11:52 -0500)]
Fix kdb5_util dump.c uninitialized warnings
Some versions of clang report an uninitialized variable warning (which
we treat as an error) in process_k5beta_record. Due to the if-ladder
style of the function, uninitialized tmpint values can be copied
around in certain error cases, although the garbage values would be
ultimately ignored. As a minimal fix, initialize the tmpint
variables.
Greg Hudson [Fri, 1 Feb 2013 07:14:45 +0000 (02:14 -0500)]
Simplify LDAP password decoding
Make dec_password a static function in ldap_service_stash.c and remove
some impedance mismatch with krb5_ldap_readpassword() by making it
operate on C strings and return a krb5_error_code.
Tom Yu [Fri, 18 Jan 2013 04:29:59 +0000 (23:29 -0500)]
Reduce copied code in layout.html
layout.html unneccesarily copied code from the parent
agogo/layout.html content block just to alter the sidebar. Override
various subblocks of the sidebar instead.
Tom Yu [Fri, 18 Jan 2013 03:58:46 +0000 (22:58 -0500)]
Consolidate style settings in kerb.css
Move style settings that were previously in layout.html to kerb.css.
Rename kerb.css kerb.css_t, making it a template, to allow
parameterized style settings to remain parameterized.
Greg Hudson [Thu, 31 Jan 2013 18:40:36 +0000 (13:40 -0500)]
Remove partial LDAP client cert support
The LDAP KDB module has some code to interpret {FILE} values in stash
files, and set the service_cert_path/pass fields in the ldap context.
But there was no code to actually use those values to do client cert
authentication, so it wasn't useful. Remove the partial
implementation.
Viktor Dukhovni [Thu, 31 Jan 2013 03:58:50 +0000 (22:58 -0500)]
Fix COPY_FIRST_CANONNAME hostent search
In fake-addrinfo.c, the COPY_FIRST_CANONNAME logic erroneously assumes
that h_name is the same as h_aliases[0]. Look at h_name before
h_aliases for an FQDN, since h_name is normally the
forward-canonicalized name and h_aliases are not.
Greg Hudson [Thu, 31 Jan 2013 07:15:59 +0000 (02:15 -0500)]
Revert previous change to process_tgs_req
Commit c072b059ecff257e7600be0e86869decd135d422 did not have the
intended effect because, at the point where is_referral is set,
request->server has already been modified to contain server->princ.
Greg Hudson [Thu, 31 Jan 2013 06:26:22 +0000 (01:26 -0500)]
Fix is_referral flag in KDC TGS code
A server response which is a cross-realm TGT is not a referral if it
was directly requested by the client. Misclassifying such a response
as a referral means we don't mirror the request's name type, which has
been observed to break older Java clients.
Greg Hudson [Tue, 29 Jan 2013 18:13:04 +0000 (13:13 -0500)]
Fix prepend_err_str in LDAP KDB module
Use the oerr parameter to fetch the existing message. Stop handling
oerr == 0, since no call sites were using it. Free the old error
message before returning.
Greg Hudson [Tue, 29 Jan 2013 01:15:01 +0000 (20:15 -0500)]
Refactor LDAP DB option parsing code
krb5_ldap_open and krb5_ldap_create contain two large, almost
identical blocks of DB option processing code. Factor it out into a
new function krb5_ldap_parse_db_params in ldap_misc.c, and simplify
the factored-out code. Create a helper function to add server entries
and use it to simplify krb5_ldap_read_server_params as well as DB
option parsing. Since the new DB option helper uses isspace instead
of isblank, we no longer require portability goop for isblank.
Greg Hudson [Fri, 25 Jan 2013 23:59:09 +0000 (18:59 -0500)]
Make kproplog handle underfull iprop logs
kproplog currently assumes that an iprop log is full once it has
circled--which is true right now but will need to change for
hierarchical slaves. Avoid this assumption by using the correct
index modulus in print_update whether or not the log is full.
Based on a patch from Richard Basch <basch@alum.mit.edu>.
Greg Hudson [Thu, 24 Jan 2013 18:13:36 +0000 (13:13 -0500)]
Adjust kdb5.c check for ulog being mapped
Check the ulog pointer, which is a little more direct, rather than the
ulogfd field. (ulogfd is currently initialized to 0 prior to
ulog_map; we could fix that instead, but this feels simpler.)
Nicolas Williams [Thu, 25 Oct 2012 23:26:10 +0000 (18:26 -0500)]
Remove ulog_check(); the ulog is not a DB journal
The db2 DB is not power-fail safe. There's no point trying to
replay an incompletely committed entry from the ulog at kadmind
startup time. For that matter, even if the db2 DB was power-fail
safe there'd be no point replaying an uncommitted entry from the
ulog as the libkadm5srv app (nor any client of it, as in the case of
kadmind) will not have received any notice of success -- it'd be
wrong to complete that operation later when the user thought it'd
failed.
[ghudson@mit.edu: merge with master, adjust comment]
Greg Hudson [Wed, 23 Jan 2013 03:29:30 +0000 (22:29 -0500)]
Propagate policy changes over iprop via full dump
Since iprop cannot carry policy changes, force a full resync to happen
each time a policy change occurs. Based on a patch from
Richard Basch <basch@alum.mit.edu>.
Greg Hudson [Wed, 23 Jan 2013 03:12:51 +0000 (22:12 -0500)]
Verify iprop test results more thoroughly
In k5test.py, allow run_kadminl to take an environment argument. In
t_iprop.py, perform some queries on the slaves after each propagation
to spot-check that it got modifications from master. Use a helper
function to check serial numbers for conciseness.
Greg Hudson [Tue, 22 Jan 2013 22:42:37 +0000 (17:42 -0500)]
Fix iprop log reinitialization
If the master iprop log is reinitialized to serial number 0, slaves
will need to take a full dump--but after that happens, we need to know
whether the slave has taken that full dump, we we don't offering full
dumps indefinitely.
So, record a timestamp in kdb_last_time when we reinitialize the log
header, and compare the slave timestamp to kdb_last_time whenever it
has the current serial number, even if it's 0. Test this by
performing a propagation with sno 0 in t_iprop.py and detecting
whether kpropd gets a second UPDATE_FULL_RESYNC_NEEDED response from
kadmind.
Greg Hudson [Fri, 18 Jan 2013 07:01:55 +0000 (02:01 -0500)]
Clean up iprop flow control in kdb5.c
Add a helper predicate to determine whether to log operations. In the
predicate, check if the ulog is actually mapped. Use a single cleanup
label in krb5_db_put_principal. Use a cleanup label in
krb5_db_delete_principal instead of releasing resources individually
at each exit point. Avoid locking and unlocking the ulog if we're not
logging (although it would be a no-op).
Based on a patch from Nico Williams <nico@cryptonector.com>.
Greg Hudson [Wed, 16 Jan 2013 16:38:55 +0000 (11:38 -0500)]
Get rid of krb5_read_realm_params
Read realm parameters directly from the profile in the KDC's
init_realm(), getting rid of the intermediate krb5_realm_params
structure. Then get rid of krb5_realm_params and
krb5_read_realm_params, since nothing else uses it.
Greg Hudson [Sun, 13 Jan 2013 15:54:37 +0000 (10:54 -0500)]
Remove KDC macros for realm config fields
Stop using macros to refer to kdc_realm_t fields, as they could
conflict with structure field names for the same. Leave behind the
kdc_context and tgs_server macros for now.
Greg Hudson [Tue, 15 Jan 2013 13:43:10 +0000 (08:43 -0500)]
Remove unused krb5_realm_params fields
krb5_realm_params is only consumed by the KDC (everything else uses
kadm5_config_params), so only needs to contain fields used by the KDC.
Get rid of everything else. Also get rid of realm_profile, which is
read in by KDC code but never used (and was never set anyway).
Zhanna Tsitkov [Mon, 14 Jan 2013 18:54:25 +0000 (13:54 -0500)]
Help Sphinx to diff C-types for better x-reference
In some cases Doxygen xml output does not provide accurate classification
of the various C-types, thus preventing the full documentation x-referencing.
Give some hints to the Doxy/RST bridge.
Greg Hudson [Sat, 12 Jan 2013 05:21:07 +0000 (00:21 -0500)]
Clean up style of alt_prof.c
Get rid of K&R-style function headers, format code and comments
consistently according to current conventions, rename some variables
using idiomatic names, and de-indent some nested control blocks.
Greg Hudson [Fri, 11 Jan 2013 23:32:55 +0000 (18:32 -0500)]
Use [out] more sparingly in doxygen markup
In krb5.hin doxygen markup, only use [out] or [in,out] when a function
changes the entire value of what the parameter points to, not when the
function mutates a larger object (especially an abstract object).
Also remove a couple of incorrect [in] annotations, change a few
parameter descriptions to be more consistent, and fix one typo.
Zhanna Tsitkov [Fri, 11 Jan 2013 20:40:28 +0000 (15:40 -0500)]
Better doxygen markup for RESPONDER_QUESTION_OTP
Doxygen and, consequently, Sphinx gets confused with the
KRB5_RESPONDER_QUESTION_OTP comment layout.
Also, mark the output parameter of krb5_responder_set_answer().
Greg Hudson [Fri, 11 Jan 2013 18:26:37 +0000 (13:26 -0500)]
Simplify KDC host referral code
Remove some unnecessary optimizations to reduce code complexity. Get
rid of krb5_match_config_pattern in favor of a simpler helper function
in do_tgs_req_c. Get rid of KRB5_CONF_ASTERISK and just use "*"
instead. Use a helper function to combine [kdcdefaults] and realm
subsection values of variables, and don't bother adding leading and
trailing spaces. Consistently use the names "hostbased" and
"no_referral" to refer to variable values (with a "realm_" prefix for
structures which currently use it).
Greg Hudson [Fri, 11 Jan 2013 18:15:43 +0000 (13:15 -0500)]
Test multi-value host referral variables
host_based_services and no_host_referral are allowed to have multiple
relations in each place they appear, so alter a couple of the test
cases to exercise that.
Greg Hudson [Fri, 11 Jan 2013 17:25:56 +0000 (12:25 -0500)]
Test KDC host-based referral support
Test the KDC host-based referral support in t_referral.py, using a new
harness to call krb5_get_credentials with a specified server name
type. Also use this new harness for the #7483 regression test, to
avoid relying on an undocumented kvno extension.
Greg Hudson [Fri, 11 Jan 2013 17:17:12 +0000 (12:17 -0500)]
Add k5test support for KDC special environments
Accept environment parameters in the K5Realm start_kdc and
start_kadmind methods, so that krb5kdc or kadmind can be started or
restarted with a modified configuration.
Greg Hudson [Fri, 11 Jan 2013 17:06:37 +0000 (12:06 -0500)]
Clean up k5_locate_server error handling
profile_get_values() cannot return success with an empty list of
values, so don't bother counting them. Return 0 from
locate_srv_conf_1 if no profile values exist and from
dns_locate_server if we decide not to make a SRV query. Adjust
k5_locate_server to match the new helper behavior, and return
KRB5_REALM_UNKNOWN if neither profile nor DNS come up with any answers
(not KRB5_REALM_CANT_RESOLVE, which doesn't make sense now that we're
deferring KDC hostname resolution).
Greg Hudson [Fri, 11 Jan 2013 15:13:25 +0000 (10:13 -0500)]
Fix no_host_referral concatention in KDC
If no_host_referral is set in both [kdcdefaults] and the realm
subsection, we're supposed to concatenate their values. But the logic
in handle_referral_params would overwrite the value with the
non-concatenated realm value. Similar bugs of this nature were fixed
in 639c9d0f5a7c68dc98a2a452abc05ca32443cddf (r22037) but this one was
missed.
Greg Hudson [Thu, 10 Jan 2013 17:43:57 +0000 (12:43 -0500)]
Get rid of adm.h
adm.h predates the ovsec kadm5 integration. It contains a bunch of
obsolete defines and a redundant definition of krb5_realm_params. Get
rid of it, and include <kadm5/admin.h> where we currently include it.
Greg Hudson [Wed, 9 Jan 2013 07:07:05 +0000 (02:07 -0500)]
Fold kadm5 internal policy functions into callers
kadm5_create_policy and kadm5_modify_policy had _internal variants in
libkadm5srv (but not libkadm5clnt) which only existed to protect the
policy_refcnt field from modification over the wire. Now that
policy_refcnt is no longer used, we don't need the separation.
Bump the library soname since this is technically an ABI change.
Greg Hudson [Wed, 9 Jan 2013 00:57:41 +0000 (19:57 -0500)]
Test more policy features
Add tests to t_policy.py for password quality enforcement, password
history (apart from the existing #7099 regression test), and for
references to nonexistent policies.
Greg Hudson [Tue, 8 Jan 2013 20:20:45 +0000 (15:20 -0500)]
Allow principals to refer to nonexistent policies
Stop using and maintaining the policy_refcnt field, and do not try to
prevent deletion of a policy which is still referenced by principals.
Instead, allow principals to refer to policy names which do not exist
as policy objects; treat those principals as having no associated
policy.
In the kadmin client, warn if addprinc or modprinc tries to reference
a policy which doesn't exist, since the server will no longer error
out in this case.
Greg Hudson [Mon, 7 Jan 2013 20:22:26 +0000 (15:22 -0500)]
Stop loading policy for pw_expiration in LDAP
populate_krb5_db_entry() performs a subsidiary LDAP search to load the
password policy, which it uses to update the pw_expiration field.
This has some minimal value (it causes pw_expiration values in
principals to auto-update whenever the pw_max_life field of a policy
changes), but it's complicated, expensive, and inconsistent with the
DB2 back end. Get rid of it.
Zhanna Tsitkov [Wed, 9 Jan 2013 15:36:12 +0000 (10:36 -0500)]
Update release numbers, refs in feature list doc
At the moment the latest release number is 1.11 and the supported releases
are 1.10 and 1.9.
Also, update some references to the documents and fix typos.
Greg Hudson [Wed, 9 Jan 2013 15:21:00 +0000 (10:21 -0500)]
Error on void pointer arithmetic with gcc
Add -Werror=pointer-arith to the gcc warning flags. The equivalent
was added to the Solaris compiler flags in 2dc1ef4078acd7ca463a8eee2ef20de54e672f37 (r21886).
Greg Hudson [Wed, 9 Jan 2013 15:07:27 +0000 (10:07 -0500)]
Fix void pointer arithmetic in oid_ops.c
When asserting that out has advanced the expected number of bytes in
generic_gss_str_to_oid, avoid adding to oid->elements, which is a void
pointer. Instead subtract from out and compare.
Greg Hudson [Thu, 3 Jan 2013 18:47:01 +0000 (13:47 -0500)]
Install pkg-config data files
Add seven data files for pkg-config, corresponding to the five modules
supported by krb5-config. For krb5 and krb5-gssapi, we also provide
mit- versions for callers desiring to distinguish between our
implementation and Heimdal's.
Based on a patch from Stef Walter <stefw@gnome.org>.
Greg Hudson [Thu, 3 Jan 2013 16:07:15 +0000 (11:07 -0500)]
Move krb5-config to new src/build-tools directory
In preparation for adding a bunch of pkg-config data files, move
krb5-config into a new source tree subdirectory containing tools we
provide as outputs to other build systems.
Greg Hudson [Tue, 1 Jan 2013 05:23:43 +0000 (00:23 -0500)]
Fix gss_str_to_oid and gss_oid_to_str edge cases
Neither function correctly handled OIDs whose second arc exceeds 47
(theoretically possible if the first arc is 2). gss_str_to_oid had
additional problems: it used scanf, it didn't consistently protect
against read overrun if the input buffer wasn't null-terminated, and
it could get confused by + or - characters in the first two arcs. Fix
gss_oid_to_str and rewrite gss_str_to_oid.
Greg Hudson [Mon, 31 Dec 2012 22:21:46 +0000 (17:21 -0500)]
Fix a small memory leak in util_errmap
Calls to gssint_mecherrmap_map_errcode would result in calling
mecherror_copy with a zero-length mech OID, which would result in an
OID with 0 for length and malloc(0) for elements. On platforms which
return non-null from malloc(0), gssint_mecherrmap_destroy() wouldn't
free the elements pointer.
Avoid calling malloc(0) and don't use the length field to decide
whether to free an elements pointer.
projects / thirdparty / krb5.git / log
