Will Fiveash [Tue, 1 Jul 2008 00:43:05 +0000 (00:43 +0000)]
Talked with MIT people and decided to revert the logic of
krb5_db_def_fetch_mkey_keytab() so that it does use the mkey princ arg to locate the masterkey in the keytab stash. Also changed the error reporting done by krb5_db_def_fetch_mkey() to call error_message() on the return code of the keytab stash fetch and the old format stash fetch and set the error message to include both of those since this is an ambiguous situation. And test case 108 in src/kerberos/mit/svn/branches/mkey_keytab/src/lib/kadm5/unit-test/api.2/init-v2.exp was modified to expect KRB5_KDB_CANTREAD_STORED instead of KDB_NOMASTERKEY.
Will Fiveash [Fri, 27 Jun 2008 22:03:37 +0000 (22:03 +0000)]
The logic of the krb5_db_def_fetch_mkey_keytab() was off a bit when checking the keys against specified kvno and enctypes. The code now correctly checks for either kvno, enctype or both if specified.
Will Fiveash [Wed, 25 Jun 2008 23:04:44 +0000 (23:04 +0000)]
Masterkey Keytab Stash
This ticket is to track code changes for the Masterkey Keytab Stash project. The Krb Consortium page is:
http://k5wiki.kerberos.org/wiki/Projects/Masterkey_Keytab_Stash
Ken Raeburn [Mon, 2 Jun 2008 19:45:16 +0000 (19:45 +0000)]
Change krb5_context.db_context to point to the real structure type,
and change uses to not cast all the time. Also rename it from
db_context to dal_handle, since one of the fields in the pointed-to
structure is also called db_context.
Commit of Apple PKINIT patches under "APPLE_PKINIT" preprocessor symbol.
Long term goal is to merge these patches with the pkinit preauth plugin which
does not currently have support for Mac OS X crypto libraries or the exported
functions used by Back To My Mac.
Warnings in server_stubs.c (signed vs unsigned errmsg, gcc printf)
server_stubs.c uses char * for error messages which it gets from com_err,
throwing away the constness of the com_err output. Made error message args
be const char * to remove warnings and prevent accidental modification of
com_err strings.
In calls to krb5_klog_syslog server_stubs.c passes void* into %s printf
formats and passes size_ts in for the field widths in %.*s formats. After
verifying that the size_ts cannot be bigger than ints (which is ensured by
trunc_name) added casts to remove spurious warnings.
load and store functions in k5-platform.h take an unsigned char *, whereas
kdb_xdr.c was using a char * for decoding. This resulted in pages of warnings
in the parsing code. Switched to using an unsigned char * and cast in the
couple places where a char * is needed.
Profile library should not call rw_access earlier than needed
Call rw_access lazily so we only call access just before we need to
write to the file to avoid calling access as often. Deprecated bit in
profile structures to track writability.
Ken Raeburn [Wed, 30 Apr 2008 23:46:29 +0000 (23:46 +0000)]
(more) After malloc/realloc/calloc/strdup/asprintf failures, use
ENOMEM explicitly instead of reading it from errno. This may make
static analysis tools less confused about when we return zero vs
nonzero values.
Ken Raeburn [Wed, 30 Apr 2008 23:18:21 +0000 (23:18 +0000)]
After malloc/realloc/calloc failures, return ENOMEM explicitly instead
of reading it from errno. This may make static analysis tools less
confused about when we return zero vs nonzero values.
The LDAP plugin introduced a new man page which has unescaped hyphens.
Unicode-aware groffs may convert those to real hyphens rather than
the intended ASCII hyphen. This patch adds backslashes in front of
all the bare hyphens that I plus Debian's lintian program could find
to force interpretation as ASCII hyphens.
Ticket: new
Component: krb5-doc
Version_Reported: 1.6.3
Target_Version: 1.6.4
Tags: pullup
Ken Raeburn [Fri, 25 Apr 2008 18:17:29 +0000 (18:17 +0000)]
Multiple assignments without sequence points invoke undefined
behavior, even if the assignments all compute and store the same
value. Don't put an assignment in the argument to macro ff().
Ken Raeburn [Fri, 18 Apr 2008 19:31:47 +0000 (19:31 +0000)]
fix possible buffer overrun in handling generic-error return
Jeff Altman reported this, based on a crash seen in KfW in the wild.
The krb5_data handle used to describe the message field returned by the KDC is
not null-terminated, but we use a "%s" format to incorporate it into an error
message string. In the right circumstances, garbage bytes can be pulled into
the string, or a memory fault may result.
However, as this is in the error-reporting part of the client-side code for
fetching new credentials, it's a relatively minor DoS attack only, not a
serious security exposure. Should be fixed in the next releases, though.
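The over-read described in this commit, as an added illustration (not the krb5 code and not the commit's diff): a length-counted buffer handed to a "%s" conversion, beside the bounded "%.*s" form that stops after exactly the counted bytes. The krb5_data struct below is a hypothetical minimal stand-in for the real one, and the sample bytes are constructed so that the over-read is deterministic rather than a fault.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical minimal stand-in for libkrb5's krb5_data: a counted buffer
 * with no NUL-termination guarantee (not the real header). */
typedef struct {
    unsigned int length;
    char *data;
} krb5_data;

/* Constructed sample: the KDC's e-text is the first 7 bytes; the bytes that
 * follow stand in for whatever happens to sit after the message in memory.
 * In a real over-read those bytes belong to someone else and may not even
 * be mapped, which is the crash the commit mentions. */
static char sample_bytes[] = "GENERICGARBAGE";

static const krb5_data *sample_data(void)
{
    static krb5_data d = { 7, sample_bytes };
    return &d;
}

/* Vulnerable pattern: "%s" keeps reading until it finds a NUL, which the
 * length-counted krb5_data does not promise to provide. */
static const char *format_error_unsafe(const krb5_data *msg)
{
    static char out[128];
    snprintf(out, sizeof out, "KDC returned error: %s", msg->data);
    return out;
}

/* Fixed pattern: "%.*s" stops after msg->length bytes (or at an embedded
 * NUL, whichever comes first).  The precision argument is an int, so a
 * length that does not fit is rejected instead of being truncated. */
static const char *format_error_safe(const krb5_data *msg)
{
    static char out[128];
    if (msg->length > INT_MAX)
        return NULL;
    snprintf(out, sizeof out, "KDC returned error: %.*s",
             (int)msg->length, msg->data);
    return out;
}

int main(void)
{
    printf("unsafe: %s\n", format_error_unsafe(sample_data()));
    printf("safe:   %s\n", format_error_safe(sample_data()));
    return 0;
}
```

The safe form reads no further than the length the protocol layer vouched for; if the message itself may contain NUL bytes and must be shown in full, a bounded copy loop is needed instead, but stopping early is never an over-read.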
Ken Raeburn [Thu, 3 Apr 2008 18:00:38 +0000 (18:00 +0000)]
Pull out generic array expansion code from array_append macro into a
separate function. Add some range checks, and don't bother separating
malloc vs realloc depending on previous pointer value.
CFBundles are refcounted and the refcounts are not threadsafe.
Protect CFBundles used for loading bundled plugins with a
mutex to prevent crashes when multiple threads are loading
and unloading the same plugin.
As part of this we use thread-safe dlopen/dlsym/dlclose
for the actual loading and unloading and just use CFBundle
to get the path to the actual executable. This reduces
the number of places we need to wrap CFBundles with mutexes
and the amount of Mac-specific code in the plugin code.
Ken Raeburn [Tue, 18 Mar 2008 18:55:26 +0000 (18:55 +0000)]
MITKRB5-SA-2008-002
Fix MITKRB5-SA-2008-002: array overrun in libgssrpc.
Don't update the internally-tracked maximum file descriptor value if
the new one is FD_SETSIZE (or NOFILE) or above. Reject TCP file
descriptors of FD_SETSIZE (NOFILE) or above.
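The two rules in this commit message (do not raise the tracked maximum for an out-of-range descriptor; reject such descriptors outright), as an added example that is not libgssrpc's code: a hypothetical select()-loop tracker whose add routine bounds-checks before FD_SET(). fd_set is a fixed bit array of FD_SETSIZE entries and FD_SET() does no range check, so a descriptor of FD_SETSIZE or above (easy to obtain in a process whose descriptor limit has been raised) would set a bit past the end of the array.

```c
#include <errno.h>
#include <sys/select.h>

/* Hypothetical descriptor tracker for a select()-based service loop (not
 * libgssrpc's own structure): the fd_set plus the highest descriptor in it,
 * which select() takes as nfds = maxfd + 1. */
struct fd_tracker {
    fd_set set;
    int maxfd;   /* -1 while the set is empty */
};

static void tracker_init(struct fd_tracker *t)
{
    FD_ZERO(&t->set);
    t->maxfd = -1;
}

/* Reject anything outside [0, FD_SETSIZE) before touching the bit array,
 * and leave maxfd alone for rejected descriptors. */
static int tracker_add(struct fd_tracker *t, int fd)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return EINVAL;
    FD_SET(fd, &t->set);
    if (fd > t->maxfd)
        t->maxfd = fd;
    return 0;
}

/* FD_ISSET() is just as unchecked as FD_SET(), so guard it the same way. */
static int tracker_has(struct fd_tracker *t, int fd)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return 0;
    return FD_ISSET(fd, &t->set) ? 1 : 0;
}

/* One shared instance so the behaviour can be exercised without setup. */
static struct fd_tracker *shared_tracker(void)
{
    static struct fd_tracker t;
    static int initialised;
    if (!initialised) {
        tracker_init(&t);
        initialised = 1;
    }
    return &t;
}
```

A caller that gets EINVAL back from tracker_add() should close the new descriptor rather than keep serving it. Older systems that name the limit NOFILE instead of FD_SETSIZE need the same comparison against that constant; interfaces such as poll() avoid the fixed-size array altogether.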
cc_ccache_iterator_release, cc_credentials_iterator leak server memory
cc_ccache_iterator_release and cc_credentials_iterator leak memory on the
CCacheServer because they do not send an ipc message to the server telling it
to free up resources associated with the iterator.
Note: this issue does not track needing to be able to free up these same
resources when the client crashes.
Invalid assignment while trying to set input to NULL
cc_seq_fetch_NCs_end and cc_seq_fetch_creds_end should try to set their
iterator inputs to NULL. Fixed code to assign the inputs to NULL rather
than the temporary variables. (Not sure why the previous code was
even compiling on the Mac.)
cc_context_get_version was part of the original CCAPI v3 documentation but was
never actually implemented. Now that it has been removed from the documentation
we should remove the test.
cc_set_principal should return error on bad cred version
When the caller passes in a version different than the one the ccache
was opened with, cc_set_principal should return CC_ERR_CRED_VERSION
because "cred_vers is used as a double check".
cc_seq_fetch_NCs_end incorrectly casts from CCAPI v2 to CCAPI v3 types.
Cleaned up cc_seq_fetch_creds_end at the same time (it was correct but
difficult to read).
CCAPI v2 support crash when client or server strings are NULL
The CCAPI v2 support will crash if passed in a krb5 credential with
the client or server principal strings set to NULL. Since CCAPI v3+
support checks for this we should check in CCAPI v2.
Kevin Koch [Fri, 29 Feb 2008 19:08:06 +0000 (19:08 +0000)]
lib/win/Makefile.in: Added
ccutils.c, ccapi_os_ipc.cxx, ccs_reply_proc.c, ccs_os_server.cpp, ccs_reply_proc.c, ccs_win_pipe.c: comment out some debug messages.
test/Makefile.in: change which tests are built.
test/test_ccapi_context.c: API version 2 is now expected to pass.
test/test_ccapi_iterators.c: Add progress indicator for long tests.
krb5int_arcfour_string_to_key does not support utf-8 strings
krb5int_arcfour_string_to_key converts C strings to UTF-16 before passing
them to the string to key function. Currently the UTF-16 conversion assumes
the input string is ASCII only.
Added support to convert UTF-8 strings to UTF-16 on Mac OS X. Leaving the
bug open until we discuss if we want to have implementations for Unix and
Windows platforms.
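The conversion this ticket is about, as an added platform-independent example that is not krb5's code: a strict UTF-8 decoder feeding a UTF-16LE encoder, which is the byte string the RC4 string-to-key hashes. Unlike the ASCII-only assumption described above, it handles multi-byte sequences and surrogate pairs, and it rejects malformed input (truncated and overlong sequences, encoded surrogates) rather than deriving a key from bytes the user never typed. The utf16le_hex helper exists only so the result can be inspected.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode one UTF-8 sequence from s (n bytes available).  Returns the
 * sequence length (1..4) and stores the code point in *cp, or returns 0
 * for malformed input: a bad or missing continuation byte, a truncated
 * sequence, an overlong encoding, a UTF-16 surrogate (U+D800..U+DFFF),
 * or a value above U+10FFFF. */
static size_t utf8_decode(const unsigned char *s, size_t n, uint32_t *cp)
{
    size_t len, i;
    uint32_t c, min;

    if (n == 0)
        return 0;
    if (s[0] < 0x80) { *cp = s[0]; return 1; }
    if ((s[0] & 0xE0) == 0xC0)      { len = 2; c = s[0] & 0x1F; min = 0x80; }
    else if ((s[0] & 0xF0) == 0xE0) { len = 3; c = s[0] & 0x0F; min = 0x800; }
    else if ((s[0] & 0xF8) == 0xF0) { len = 4; c = s[0] & 0x07; min = 0x10000; }
    else
        return 0;
    if (n < len)
        return 0;
    for (i = 1; i < len; i++) {
        if ((s[i] & 0xC0) != 0x80)
            return 0;
        c = (c << 6) | (s[i] & 0x3F);
    }
    if (c < min || c > 0x10FFFF || (c >= 0xD800 && c <= 0xDFFF))
        return 0;
    *cp = c;
    return len;
}

/* Convert a NUL-terminated UTF-8 string to UTF-16LE code units (no BOM, no
 * terminator).  Returns the number of bytes written, or -1 on malformed
 * input or insufficient room.  Code points above U+FFFF become a
 * surrogate pair. */
static int utf8_to_utf16le(const char *in, unsigned char *out, size_t outsz)
{
    const unsigned char *s = (const unsigned char *)in;
    size_t n = strlen(in), i = 0, o = 0;

    while (i < n) {
        uint32_t cp;
        size_t len = utf8_decode(s + i, n - i, &cp);
        if (len == 0)
            return -1;
        i += len;
        if (cp >= 0x10000) {
            uint32_t v = cp - 0x10000;
            uint16_t hi = 0xD800 | (uint16_t)(v >> 10);
            uint16_t lo = 0xDC00 | (uint16_t)(v & 0x3FF);
            if (o + 4 > outsz)
                return -1;
            out[o++] = hi & 0xFF; out[o++] = hi >> 8;
            out[o++] = lo & 0xFF; out[o++] = lo >> 8;
        } else {
            if (o + 2 > outsz)
                return -1;
            out[o++] = cp & 0xFF; out[o++] = (cp >> 8) & 0xFF;
        }
    }
    return (int)o;
}

/* Hex rendering of the conversion, for inspection; NULL on error. */
static const char *utf16le_hex(const char *in)
{
    static char hex[2 * 128 + 1];
    unsigned char buf[128];
    int n = utf8_to_utf16le(in, buf, sizeof buf), i;
    if (n < 0)
        return NULL;
    for (i = 0; i < n; i++)
        sprintf(hex + 2 * i, "%02X", buf[i]);
    hex[2 * n] = '\0';
    return hex;
}

int main(void)
{
    /* Constructed inputs: "p\xC3\xA4ssword" is "pässword" in UTF-8 and
     * "\xF0\x9F\x94\x91" is U+1F511, which needs a surrogate pair. */
    printf("%s\n", utf16le_hex("p\xC3\xA4ssword"));
    printf("%s\n", utf16le_hex("\xF0\x9F\x94\x91"));
    return 0;
}
```

Rejecting malformed UTF-8 matters for a string-to-key function: silently mapping bytes through (as an ASCII-only conversion does for every byte above 0x7F) yields a key that no correctly converting client will ever derive, which shows up as inexplicable preauthentication failures for non-ASCII passwords.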
Kevin Koch [Tue, 19 Feb 2008 15:22:13 +0000 (15:22 +0000)]
Changes to integrate the CCAPI build into the build structure, build the test suite and fixes to random problems discovered along the way
Since no platform other than windows builds CCAPI using the build system, some conditionalizing may be necessary when other platforms use the makefiles.
src/Makefile.in: Add CPPFLAGS that seemed to be missing; run wconfig for ccapi/(lib, server, test).
config/win-pre.in: DEBUGOPT /ZI doesn't seem to provide enough debugging information under VS2005; /Zi does.
windows/build/bkw.pl: Fix -no<switch> so that -nonodebug will work. Otherwise, can't do debug build.
Move Get/PutTspData out of dllmain; add tlsindex argument.
Russ Allbery [Tue, 19 Feb 2008 04:49:11 +0000 (04:49 +0000)]
man page macro and hyphen fixes
Fix various unescaped hyphens, lines starting with . that shouldn't be
macros, undefined strings, and misspelled macros in the man pages.
Found via man --warnings on a current Debian unstable system.
ticket: new
component: krb5-doc
Version_Reported: 1.6.3
Target_Version: 1.6.4
Tags: pullup
Tom Yu [Thu, 7 Feb 2008 07:07:06 +0000 (07:07 +0000)]
more tests for libdb btree page split on zero index
Enhance btree debugging output somewhat to limit key printout to the
key length if the key is not null-terminated.
Add additional test case for the zero-index page split bug; test case
can create a corrupted btree database with records unreachable by
random access but reachable by sequential access. Requires
recompiling with CPPFLAGS='-DDEBUG -DDEBUG_IDX0SPLIT' to correctly
model mpool page reuse that would be present in production conditions.
(CPPFLAGS=-DDEBUG would otherwise explicitly overwrite the contents of
reused pages.)
ticket: new
target_version: 1.6.4
tags: pullup
component: krb5-kdc
Tom Yu [Fri, 1 Feb 2008 01:03:11 +0000 (01:03 +0000)]
libdb btree page split on zero index corrupts db
Splitting a btree page on index 0 can corrupt the database if the key
length plus data length is exactly a certain value. This certain size
causes the item to get the left page to itself, and causes the right
page to contain an erroneous additional index "hole" having an
uninitialized value. This bug may be one of the remaining causes of
unexplained database corruption reported over the years. Shawn Emery
provided useful data from actual instances of this corruption.
Add a test case for this bug. (Raw libdb test rather than kdb; the
latter would be much harder.)
ticket: new
target_version: 1.6.4
tags: pullup
component: krb5-kdc
Jeffrey Altman [Wed, 23 Jan 2008 22:10:56 +0000 (22:10 +0000)]
Windows: avoid use of cygwin mkdir and rmdir commands
Microsoft's nmake versions 8.x and 9.x prefer executables over
internal shell commands. This is a change from previous versions.
Cygwin's mkdir and rmdir commands do not have the same semantics
as the cmd.exe shell versions.
Change the definitions of MKDIR and RMDIR to use 'md' and 'rd'
in order to avoid the use of the cygwin versions.