Greg Hudson [Wed, 21 May 2014 16:03:00 +0000 (12:03 -0400)]
Improve pointer hygiene around gss_display_name
GSSAPI functions are responsible for setting their output parameters
on failure. Take greater care to do so in krb5_gss_display_name.
The mechglue is generally defensive about initializing variables used
as outputs, and not assuming that mechs will set them on failure.
Make gssint_convert_name_to_union_name initialize
union_name->external_name before calling mech->gss_display_name, so
that if the mech's gss_display_name doesn't touch it, we don't free an
uninitialized pointer.
Either one of these changes prevents an unlikely memory bug which
could occur if krb5_gss_init_context fails within
krb5_gss_display_name when called from
gssint_convert_name_to_union_name.
In addition to loading /etc/gss/mech, glob for *.conf files in
/etc/gss/mech.d. Load only config files which have changed since the
highest mtime we saw in the previous scan. Scan at most once per
second to avoid excessive numbers of filesystem syscalls for busy
GSSAPI applications.
Ben Kaduk [Mon, 19 May 2014 20:23:45 +0000 (16:23 -0400)]
Do not default to host/ for client keytabs
When the normal (acceptor) keytab is being used to obtain initial
credentials, it is reasonable to use the default hostbased service
principal (host/fully.qualified.localhost.domain) when no client
principal is given. This behavior is not very reasonable when
the default client keytab is being used, as host/ credentials are
not normally client credentials.
Make kinit -i match up with the GSS-API behavior when client keytabs
are in use, using the name of the first entry in the keytab when
no name is explicitly given.
Greg Hudson [Tue, 20 May 2014 18:52:44 +0000 (14:52 -0400)]
Add tests for krb5int_c_combine_keys
krb5int_c_combine_keys is used only by SAM-2 preauth with neither the
send-encrypted-sad nor use-sad-as-key flags, so it isn't covered by
any automated function tests. Add some unit tests to make sure that
it works and returns the expected results for two randomly generated
test vectors.
Ken Hornstein [Tue, 20 May 2014 18:50:22 +0000 (14:50 -0400)]
Fix krb5int_c_combine_keys
When krb5int_c_combine_keys was updated to use the new crypto
interface, a small bug was introduced. It turns out the temporary
keyblock created needs to have its enctype set; otherwise, when
krb5int_derive_keyblock() is called later, it will fail with
KRB5_BAD_ENCTYPE.
Greg Hudson [Sun, 18 May 2014 21:57:25 +0000 (17:57 -0400)]
Fix invalid JSON handling in KDC OTP module
If the OTP configuration for a principal contains invalid JSON, the
KDC OTP module calls k5_json_get_tid on a null pointer, causing the
KDC process to crash. Fix this bug by checking the return value of
k5_json_decode in decode_config_json.
Greg Hudson [Sun, 18 May 2014 20:40:35 +0000 (16:40 -0400)]
Fix t_marshal on big-endian platforms
t_marshal.c attempts to skip the version 1 and 2 tests on big-endian
platforms, but didn't do so correctly. Correctly start at version 3
on big-endian platforms, and change the way we do it to avoid
preprocessor conditionals inside a function body.
Greg Hudson [Tue, 6 May 2014 20:56:52 +0000 (16:56 -0400)]
Use cred marshalling functions in cc_keyring.c
Replace the cc_keyring.c credential and principal marshalling
functions with calls to the ccmarshal.c functions. Simplify the
remaining parsing functions (for the index and time offsets) and fold
the resulting code into the calling functions where appropriate.
Greg Hudson [Mon, 5 May 2014 04:06:56 +0000 (00:06 -0400)]
Use cred marshalling functions in cc_file.c
Replace the cc_file.c credential and principal marshalling and
unmarshalling functions with calls to the ccmarshal.c functions. For
unmarshalling, we still need code to read the appropriate amount of
data into a memory buffer. Because there is no outer length header
for principals and credentials, this code needs to understand the
credential and principal representations, but is much simpler than the
old code as it only needs to store the data it reads, not assemble a
data structure.
Greg Hudson [Sun, 4 May 2014 15:57:16 +0000 (11:57 -0400)]
Modernize cc_file.c and cc_keyring.c
Rename functions not to use the krb5_ prefix, and to use the fcc_ or
krcc_ prefixes only for ccache method implementations. Use shorter
function comments and add missing comments in some cases. Remove
forward declarations where they aren't needed. Use native types
(uint16_t, void *, etc.) in preference to Kerberos type wrappers. Use
"ret" as the variable name for krb5_error_code return values. Use 0
instead of KRB5_OK. Make whitespace conform to current practice.
Remove old #if 0 blocks. Don't cast to and from void * or between
integer types when C guarantees an implicit cast. Use literal 2 and 4
for the size of fixed-width 16-bit and 32-bit types.
In cc_file.c, rewrite the header comment to specify the header format
as updated by version 4 and refer to ccmarshal.c for the principal and
credential format. Also add a helper function to return the cache
version as an integer from 1 to 4, allowing more concise version
checks.
Greg Hudson [Tue, 6 May 2014 18:05:53 +0000 (14:05 -0400)]
Add ccache marshalling tests
Add a new ccache test program t_marshal.c which verifies the new
marshalling functions and also the FILE ccache type against the
expected representations of the ccache header, default principal, and
credentials.
Greg Hudson [Mon, 5 May 2014 04:06:38 +0000 (00:06 -0400)]
Add cred marshalling functions
Add a new file ccmarshal.c containing functions to marshal and
unmarshal credentials in file formats version 1-4. These will replace
the functions in cc_file.c and cc_keyring.c, and can be used for KCM
in the future.
Greg Hudson [Mon, 5 May 2014 04:05:54 +0000 (00:05 -0400)]
Add k5-input.h
Add a header containing a declaration for struct k5input and static
inline functions to use it. A k5input structure can be used to safely
extract bytes and integers from a fixed-sized input buffer without
overrunning the buffer. It supports deferred error checking (similar
to k5buf) by returning dummy values and storing a status value in the
input structure.
Greg Hudson [Thu, 8 May 2014 16:14:42 +0000 (12:14 -0400)]
Modernize rd_cred.c
Adjust the internal abstractions so that decrypt_encpart is
responsible for the fallback from receiving subkey to session key, and
krb5_rd_cred is responsible for decoding and calling decrypt_encpart.
Rename krb5_rd_cred_basic to make_cred_list since it is now only
responsible for constructing the list.
Simo Sorce [Mon, 5 May 2014 21:59:08 +0000 (17:59 -0400)]
Allow GSS mechs to force mechlistMIC in SPNEGO
During a SPNEGO negotiation, if the NTLMSSP mechanism is used and a
MIC is produced within the final initiator mechanism token, Microsoft
servers require a mechlistMIC even if NTLMSSP was the most preferred
mechanism.
In spnego_mech.c, add a helper function mech_requires_mechlistMIC
which queries the mechanism to determine whether we might need to
produce a mechlistMIC for interoperability. Call it after each call
to the mechanism's gss_init_sec_context and set sc->mic_reqd if it
returns true. Although only the second call to NTLMSSP will actually
ever return true, the first call makes the mechanism aware that the
SPNEGO implementation supports this feature.
[ghudson@mit.edu: clarified commit message and code]
Neng Xue [Wed, 7 May 2014 21:11:14 +0000 (14:11 -0700)]
Fix unlikely memory error in krb5_rd_cred
If an error occurs in the for loop in krb5_rd_cred_basic (which should
only happen on an ENOMEM), do not leave the caller with a dangling
reference to the freed credential array.
Greg Hudson [Thu, 1 May 2014 22:11:32 +0000 (18:11 -0400)]
Don't remove ccache creds before storing them
Revert #6291, which attempts to suppress duplicate credentials by
calling krb5_cc_remove in krb5_cc_store_cred. Most of our ccache
types don't implement remove_cred, and avoiding duplicate credentials
is a responsibility better suited to the ccache implementation for
atomicity reasons.
Removing this call gets rid of the misleading "Removing ... from ..."
messages in trace logs.
When krb5_rd_req cannot decrypt a ticket, try to produce the most
helpful diagnostic we can, and return an error code which corresponds
to the most applicable Kerberos protocol error. Add a trace log
containing the error message for ticket decryption failures, in case
the application server does not log it.
Add new tests to cover krb5_rd_req error messages and adjust existing
tests to match the new messages. Also adjust svc_auth_gssapi.c to
look for KRB5KRB_AP_ERR_NOT_US instead of KRB5KRB_AP_WRONG_PRINC.
We have used awk scripts in preference to the C version of compile_et
since 1994 (r4426). Get rid of the sources for the C version and all
of the Makefile.in references to them.
Tom Yu [Thu, 24 Apr 2014 21:10:58 +0000 (17:10 -0400)]
Refactor KDC option/flag processing
A lot of KDC code was spent copying options to flags, and copying
header_ticket flags to the output ticket.
Behavior change: previous code didn't copy PROXY from the
header_ticket, but this seems to have been a minor bug rather than
intentional. This also seems to have been an omission from RFC 4120.
Tomas Kuthan [Thu, 10 Apr 2014 13:16:06 +0000 (15:16 +0200)]
Check for asprintf failure in kdb5_util create
In add_admin_princ, remove build_name_with_realm and call asprintf
directly instead. Check for asprintf failure to avoid passing an
undefined pointer to krb5_parse_name.
Tomas Kuthan [Fri, 11 Apr 2014 13:36:53 +0000 (15:36 +0200)]
In PKINIT, use library initializer for OpenSSL
Use a library initializer to prevent multiple threads using PKINIT
from concurently initializing OpenSSL functions. For cases where
MT-safety is not assured by registering OpenSSL locking callbacks,
this significantly lowers the odds of crashes caused by races in
OpenSSL initialization. (If OpenSSL initialization functions are
called by some other thread directly, crashes are still possible.)
[ghudson@mit.edu: simplify code changes and commit message]
Where we have ATHENA.MIT.EDU stanzas in sample or test krb5.conf files
which define kdc entries, also define a master_kdc entry. Remove
default_domain and v4_instance_convert entries in examples as they are
only needed for krb5/krb4 principal conversions. In the krb5_conf.rst
example, remove enctype specifications as we don't want to encourage
their use when they aren't necessary, and remove a redundant
domain_realm entry.
Tomas Kuthan [Thu, 3 Apr 2014 15:58:43 +0000 (17:58 +0200)]
Remove adb_policy_init and adb_policy_close
Since f72c3ffa the policy is initialized as part of database.
adb_policy_close is now a no-op, and adb_policy_init just makes sure
the database is initialized. adb_policy_init is only called from
kadm5_flush, and only if database initialization was successful
beforehand, rendering this call redundant.
Remove adb_policy_init and adb_policy_close and all their references
in the code and documentation.
Tomas Kuthan [Wed, 2 Apr 2014 15:48:04 +0000 (17:48 +0200)]
Fix leak in kadm5_flush with LDAP KDB
Due to an inverted test in adb_policy_init, kadm5_flush calls
krb5_db_open twice. With the DB2 KDB module, the second open is a
no-op, but with the LDAP module, a new DB handle is allocated and the
old one is leaked.
Greg Hudson [Wed, 26 Mar 2014 17:21:45 +0000 (13:21 -0400)]
Refactor cm functions in sendto_kdc.c
Move get_curtime_ms and the cm functions near the top of the file
right after structure definitions. Except for cm_select_or_poll,
define each cm function separately for poll and for select, since the
implementations don't share much in common. Instead of
cm_unset_write, define cm_read and cm_write functions to put an fd in
read-only or write-only state. Remove the ssflags argument from
cm_add_fd and just expect the caller to make a subsequent call to
cm_read or cm_write. Always select for exceptions when using select.
(Polling for exceptions is implicit with poll).
With these changes, we no longer select/poll for reading on a TCP
connection until we are done writing to it. So in service_tcp_fd,
remove the check for unexpected read events.
Greg Hudson [Fri, 28 Mar 2014 16:33:43 +0000 (12:33 -0400)]
Get getopt from unistd.h (not getopt.h) in tests
POSIX defines getopt to be declared in unistd.h, and HP-UX (as of
version 11.31) does not appear to have getopt.h. In test programs
which currently include getopt.h and aren't currently built on
Windows, include unistd.h or just assume we will get it via k5-int.h.
Greg Hudson [Tue, 25 Mar 2014 16:28:05 +0000 (12:28 -0400)]
Fix t_seqstate build with Solaris compiler
The Solaris native compiler (as of version 5.9) outputs code for
static inline functions even if they are not used. So the
k5buf_to_gss helper in gssapiP_generic.h causes t_seqstate to have a
dependency on libkrb5support.
Tomas Kuthan [Wed, 26 Mar 2014 16:04:30 +0000 (17:04 +0100)]
Don't free cred handle used in kadm5 server handle
At the end of setup_gss(), gss_client_creds is released, but an alias
to the credential handle is saved in kadm5_server_handle_t in
handle->clnt->cl_auth->(struct rpc_gss_data *)ah_private->sec.cred.
Accessing these credentials (by authgss_refresh) can result in use
after free.
This fix stores credential reference in server handle and releases
the credentials in kadm5_destroy.
[ghudson@mit.edu: initialize handle->cred to correct constant; get rid
of gss_client_creds variable; clarify commit message slightly]
Greg Hudson [Fri, 21 Mar 2014 22:07:41 +0000 (18:07 -0400)]
Improve salt type display in kadmin getprinc
In krb5_salttype_to_string, output the salt type name we would
recognize as input.
In the output of getprinc, display the enctype and salt type in a form
we would accept--either enctype:salttype if the salt type is not the
default, or just the enctype if it is.
Update t_mkey.py and t_salt.py to expect the new output format.
Update documentation examples to show the new format.
Greg Hudson [Tue, 25 Mar 2014 14:52:38 +0000 (10:52 -0400)]
Modernize default_state.c
Use alloc_data() and empty_data() where appropriate. Keep mainline
logic to the left where possible. Name the output parameter of
krb5int_des_init_state with an _out suffix. Use a professional tone
in comments. Partly based on a patch from Alok Menghrajani.
Greg Hudson [Tue, 25 Mar 2014 02:42:02 +0000 (22:42 -0400)]
Use anonymous OIDs in pkinit_crypto_openssl.c
Stop adding OIDs to the global OpenSSL table. It isn't thread-safe
(even with locking callbacks registered), and calling OBJ_cleanup
could break other uses of OpenSSL. Instead, use anonymous OIDs
created with OBJ_txt2oid. Anonymous OIDs need to be managed more
careful to avoid double-freeing, so create a copy before calling
PKCS7_add_signed_attribute, and don't free the result of
pkinit_pkcs7type2oid in cms_contentinfo_create.
Greg Hudson [Mon, 24 Mar 2014 22:26:50 +0000 (18:26 -0400)]
Stop shadowing id-pkcs7-data OID
pkinit_crypto_openssl.c currently creates a shadow entry for
id-pkcs7-data so that OpenSSL will expect to see the corresponding
octet string in d.other instead than d.data. This shadowing is very
unfriendly to other uses of OpenSSL and we should stop. Eliminate the
shadowing and rewrite create_contentinfo so that it sets up the PKCS7
object correctly if the OID is id-pkcs7-data.
Will Fiveash [Fri, 21 Mar 2014 16:46:08 +0000 (12:46 -0400)]
Fix a harmless DNS glue macro bug
The definition of SAFE_GETUINT16 mistakenly uses "p" instead its ptr
parameter in three places, which happens to work because all current
invocations of the macro use "p" as the ptr argument. Fix it to
correctly use the ptr parameter.
Nalin Dahyabhai [Sat, 8 Feb 2014 01:14:24 +0000 (20:14 -0500)]
Make use of strtoul() unconditional in locate_kdc
When parsing port numbers, we previously attempted to conditionalize use
of strtoul() on whether or not it was available, falling back to atoi()
instead, but we did so in a way that would always fall back to using
atoi(). We also call strtoul() from elsewhere without that condition,
so we don't gain anything by trying to be careful about it here.
Nalin Dahyabhai [Wed, 9 Oct 2013 19:03:16 +0000 (15:03 -0400)]
Don't check kpasswd reply address
Don't check the address of the kpasswd server when parsing the reply
we received from it. If the server's address was modified by a proxy
or other network element, the user will be incorrectly warned that the
password change failed when it succeeded. The check is unnecessary as
the kpasswd protocol is not subject to a reflection attack.
Will Fiveash [Wed, 19 Mar 2014 21:48:15 +0000 (16:48 -0500)]
Always stat profile files after reopening them
Some applications write a profile file and then immediately use it via
a krb5_context. If we have a cached copy of the profile we wrote,
make sure to update it by forcing a stat when we reuse an existing
prf_data_t object.
Nalin Dahyabhai [Tue, 18 Mar 2014 20:39:47 +0000 (16:39 -0400)]
Try compatible keys in rd_req_dec "any" path
When we go to decrypt a ticket using a keytab, we have two code paths.
In the first (traditional) one, we try to read an entry that exactly
matches the principal name, enctype, and kvno from the ticket, and then
attempt to decrypt the ticket using the entry's key. The keytab
routines helpfully return an entry so long as it's of a key type that's
compatible with the ticket being decrypted, fixing up the enctype in the
entry structure while doing so, allowing us to decrypt a DES-CBC-CRC
ticket with a DES-CBC-MD5 key.
In the second code path, we try the key of every entry which loosely
matches the principal name from the ticket and which exactly matches its
enctype, meaning that the ticket/keytab pair above won't work if the
principal name is one which suggests we shouldn't be matching entries
exactly.
This change modifies the "any" path to also try to decrypt the ticket
with compatible keys.
[ghudson@mit.edu: avoid stuffing too much logic in one conditional]
Nalin Dahyabhai [Thu, 20 Feb 2014 21:01:49 +0000 (16:01 -0500)]
Fix returning KDB_NOENTRY in find_alternate_tgs()
After searching for a cross-realm TGS entry to provide to a client as a
referral, if we're all set to return a success code but aren't actually
returning an entry, we should be returning an error. We might not do so
because we don't compare the right value against NULL.
This corrects an error in a redundant check in the patch for
CVE-2013-1417. The error in the check cannot occur in practice
because the other part of the patch for CVE-2013-1417 prevents it, but
static analyzers can flag the erroneous check.
Greg Hudson [Fri, 14 Mar 2014 16:53:50 +0000 (12:53 -0400)]
Improve PKINIT client memory management
In pkinit_as_req_create, create and encode stack-allocated auth-pack
structures containing only alias pointers, instead of heap-allocated
structures containing a mix of alias pointers, owner pointers, and
appropriated caller memory. Keep everything we temporarily allocate
in separate local variables and free them through those variables.
In pa_pkinit_gen_req, use safer memory practices to avoid problems
like issue #7878. Free the checksum since pkinit_as_req_create no
longer takes ownership it. Remove a broken overly defensive check
after calling pkinit_as_req_create.
Remove init_krb5_auth_pack and init_krb5_auth_pack_draft9 as they are
no longer required.
Greg Hudson [Thu, 13 Mar 2014 22:34:22 +0000 (18:34 -0400)]
Fix unlikely double free in PKINIT client code
In pa_pkinit_gen_req, if the cleanup handler is reached with non-zero
retval and non-null out_data, out_data is freed, then dereferenced,
then freed again. This can only happen if one of the small fixed-size
malloc requests fails after pkinit_as_req_create succeeds, so it is
unlikely to occur in practice.
Greg Hudson [Wed, 12 Mar 2014 16:13:08 +0000 (12:13 -0400)]
Rewrite GSS sequence state tracking code
Replace util_ordering.c with a new file util_seqstate.c, implemented
using a bitmap of previously received sequence numbers instead of a
20-element circular queue. This approach has slightly different
limitations--it can check for replays for values within 64 of the
expected next number, where the old code could check within the range
of the last 20 received numbers regardless of how far apart they are.
The new approach should work as well or better for any realistic
packet reordering scenario.
Greg Hudson [Tue, 11 Mar 2014 03:01:40 +0000 (23:01 -0400)]
Improve internal API for GSS sequence numbers
Use an opaque structure type instead of a void pointer for the
sequence number state. Rename all functions to use a g_seqstate
prefix rather than a mix of g_order and g_queue. Remove the
unneccessary indirection from the state object parameter in
g_seqstate_check and g_seqstate_free. Return OM_uint32 where we
return a GSS major code, long where we return an errno value, and void
where we can't fail.
Tomas Kuthan [Thu, 6 Mar 2014 12:05:24 +0000 (13:05 +0100)]
Fix GSS krb5 initial sequence number gap handling
Since #2040, the dummy queue element inserted by g_order_init no
longer compares less than the initial sequence number, so we fail when
the first few sequence numbers are received out of order. Properly
detect when a sequence number fits between the dummy element and the
first real queue element.
Nalin Dahyabhai [Tue, 11 Mar 2014 17:33:23 +0000 (13:33 -0400)]
Don't leak the per-request preauth context
Currently, per-request preauth module data is only cleared when we
successfully obtain initial credentials. Make sure to clear it at the
end of the operation even if we failed to get creds.
Nalin Dahyabhai [Mon, 17 Feb 2014 22:14:20 +0000 (17:14 -0500)]
Fix memory leak in krb5_verify_init_creds
When copying most of the credentials from one cache to another in
copy_creds_except (called from get_vfy_cred, from
krb5_verify_init_creds), we need to free all of the credentials that
we read, not just the ones we copied.
Nalin Dahyabhai [Tue, 11 Mar 2014 17:26:32 +0000 (13:26 -0400)]
Initialize err variable in krb5_sendto_kdc
When we get an KRB5_KDC_UNREACH error back from k5_sendto, we check if
the err variable we passed for use by our message handler has been set
to KDC_ERR_SVC_UNAVAILABLE. If k5_sendto doesn't receive any
response, though, the handler isn't called, so we're reading an
uninitialized variable. Initialize it to a value other than
KDC_ERR_SVC_UNAVAILABLE to be sure.
[ghudson@mit.edu: initialize err just before calling k5_sendto; edit
commit message]
Greg Hudson [Fri, 7 Mar 2014 15:37:48 +0000 (10:37 -0500)]
Update iprop_master_ulogsize documentation
When we removed the maximum number of ulog entries (#7368), we did not
update the documentation for that parameter in kdc.conf. Reported by
Richard Basch.
Greg Hudson [Sat, 1 Mar 2014 05:35:50 +0000 (00:35 -0500)]
Improve extended gic option support
The current extended gic option facility violates strict aliasing, is
not nestable (gic_opt_to_opte cannot be used on an extended options
structure casted back to krb5_get_init_creds_options), and requires
callers to use error-prone conversion functions.
Rewrite this code to use a new structure private to gic_opt.c, which
contains a krb5_get_init_creds_opt structure as its first member. We
can cast between the extended structure and its first element without
violating strict aliasing (C99 6.7.2.1 paragraph 13 and the aggregate
type clause of 6.5 paragraph 7). Define internal accessor functions
for the extended option fields. Replace all uses of krb5_gic_opt_ext
in callers with krb5_get_init_creds_opt and the new accessors. Bring
krb5_get_init_creds_opt_set_pa back into gic_opt.c (reverting faa810c5b59fa33d9f7db837c5bb88df5436bb30) so that all of the code
which accesses the extended options structure can be in one file.
Greg Hudson [Fri, 28 Feb 2014 19:49:35 +0000 (14:49 -0500)]
Use preauth options when changing password
If we try to change the password in rb5_get_init_creds_password, we
must use all application-specified gic options which affect
preauthentication when getting the kadmin/changepw ticket. Create a
helper function make_chpw_options which copies the application's
options, unsets the options we don't want, and sets options
appropriate for a temporary ticket.
Jeff D'Angelo [Fri, 28 Feb 2014 14:47:30 +0000 (09:47 -0500)]
Correct docs for "kdb5_util load" switches
Remove obsolete parenthetical statement in the description of the
"-update" switch to "kdb5_util load". Using the "-update" flag to
load a second dump made using the "-ov" switch is no longer necessary
now that the "-r13" format is the default. Add statement that the
"-b7" dump format was the default for versions prior to 1.2.2 (to
match the statement from "dump" section).
Tom Yu [Thu, 27 Feb 2014 20:46:00 +0000 (15:46 -0500)]
Missing type refs in docs due to stdint.h changes
References to krb5_int16.rst and krb5_ui_2.rst were missing, but
recently began causing sphinx-build errors because Doxygen started
generating them after the stdint.h changes.
Greg Hudson [Sun, 23 Feb 2014 16:28:44 +0000 (11:28 -0500)]
In kdb5_util dump, only lock DB for iprop dumps
Revert #7384, as there are no longer policy refcounts. For iprop
dumps we want to make sure that the reported serial number matches the
DB state (although we could perhaps relax that requirement with enough
analysis), but for non-iprop dumps we don't need any transactional
guarantees.
Also use the correct constant name for the locking mode (the numeric
value is the same, fortunately), and only unlock the database if we
successfully locked it.
Greg Hudson [Sat, 1 Feb 2014 20:59:21 +0000 (15:59 -0500)]
Stop generating gssapi_krb5.h
We started generating gssapi_krb5.h from gssapi_krb5.hin when we
needed to use a 64-bit type for lucid contexts. Since we can now
assume a standard name for 64-bit types, we can stop generating the
header.
Greg Hudson [Sat, 1 Feb 2014 20:20:08 +0000 (15:20 -0500)]
Assume <stdint.h> and fixed-width types
Make unconditional use of <stdint.h> and fixed-width types such as
uint32_t. k5-plugin.h doesn't use any special integer types, so
remove the conditional include block there. Nothing uses
INT64_FMT/UINT64_FMT, so leave those out of k5-platform.h for now.
Greg Hudson [Sat, 22 Feb 2014 20:58:03 +0000 (15:58 -0500)]
Minimize race conditions in t_iprop.py
Augment kpropd's debugging output so we can see the starting and
ending serial numbers of a sync, and check them in t_iprop.py's
wait_for_prop to make sure we're observing the correct sync each time.
Try to make sure we only send SIGUSR1 when kpropd is actually
sleeping, by waiting for it to print its pre-sleep message to stderr
after a full dump and after each sync. This isn't perfect, as there
is a short window between printing to stderr and actually sleeping,
but we can't do any better until kpropd has a more reliable mechanism
for triggering immediate updates.
Tom Yu [Tue, 25 Feb 2014 22:35:35 +0000 (17:35 -0500)]
Avoid duplicate "/etc/krb5.conf" in profile path
If configure gets run with --sysconfdir=/etc, "/etc/krb5.conf" shows
up twice in the profile path, which causes its contents to be read
twice. This can cause some confusing and possibly problematic
behavior.
Add some logic to configure.in to avoid adding the duplicate entry for
"/etc/krb5.conf".
Reported independently by Denis Vlasenko and Fredrik Tolf.
Greg Hudson [Mon, 27 Jan 2014 17:50:12 +0000 (12:50 -0500)]
Test iprop slave ulog management
Check the ulog more thoroughly after each operation, including the
principal names we expect in each update entry. Verify that the slave
ulog contains actual update entries received from master. Add a
second slave which receives updates from the first. Test a wider
variety of principal operations. Add two additional operations after
the full resync to test that incremental updates resume after a full
resync (albeit with some lag).
Greg Hudson [Mon, 27 Jan 2014 03:18:18 +0000 (22:18 -0500)]
Implement kpropd -A
The -A option causes kpropd to contact a specified admin server
(normally an intermediate slave running kadmind -proponly) instead of
the master admin server.
Greg Hudson [Sun, 26 Jan 2014 23:11:56 +0000 (18:11 -0500)]
Implement kadmind -proponly
The -proponly option causes kadmind to only service the iprop service,
not the kpasswd or kadmin services. An intermediate slave in a
hierarchical iprop setup runs kadmind -proponly in order to provide
incremental updates to downstream slaves.
Greg Hudson [Sat, 25 Jan 2014 19:40:41 +0000 (14:40 -0500)]
Maintain complete ulog on iprop slaves
Factor out most of ulog_add_update into a helper function named
store_update, and make ulog_add_update just responsible for assigning
a serial number and timestamp to the update before storing it. In
ulog_replay, use store_update and ulog_finish_update to add each
update to the ulog in addition to replaying it to the database. Don't
use incr_ret->lastentry to set kdb_last_sno/kdb_last_time, since it
will have been set properly by adding the individual updates; instead,
just reinitialize the ulog on error.
Slave ulogs use serial numbers provided from upstream, and thus do not
always begin at serial number 1 after a header reset. As a result, we
must: (A) in store_update, detect the first update (for which we must
assign kdb_first_sno/kdb_first_time) by comparing kdb_num to 0,
instead of by comparing the serial number to 1; (B) in store_update,
detect that we are overwriting the first update by comparing kdb_num
to ulogentries, instead of comparing the serial number to ulogentries;
and (C) in ulog_map, detect that ulogentries changed by verifying the
first and last serial number and timestamp against the actual ulog
entries, rather than simply comparing kdb_last_sno to kdb_num.
Greg Hudson [Fri, 24 Jan 2014 21:52:47 +0000 (16:52 -0500)]
Simplify ulog_map
Get rid of the caller parameter. The kproplog semantics (without -R)
for mapping the ulog are simple and almost completely different from
other users of the ulog, so implement them as a static helper in
kproplog. With hierarchical iprop, kpropd will need the same
semantics as FKCOMMAND and FKADMIND, which were already identical.
Get rid of the db_args parameter, since ulog_map no longer opens the
database after #7552.
Remove an inoperative lseek() call when creating a new ulog file.
Rename ulog_filesize to filesize and compute it from scratch each time
we use it, for easier analysis. If kdb_hmagic is zero, init the ulog
header but don't skip the rest of the function; it's possible that we
need to expand the ulog file. Remove an unneeded conditional before
calling extend_file_to for an existing ulog.
Greg Hudson [Thu, 23 Jan 2014 16:34:52 +0000 (11:34 -0500)]
Lock around more ulog operations
Always lock the ulog when accessing it. We can currently get away
with some laxness on iprop slaves because they are mostly synchronous,
but hierarchical iprop will allow master and slave operations to take
place concurrently, requiring more strict locking.
Add new functions ulog_get_last and ulog_set_last, which access the
ulog header with locking, and use them in kdb5_util and kpropd. Add
locking to ulog_replay and ulog_init_header.
ulog_lock and ulog_sync_header are no longer used outside of kdb_log.c
after these changes, so make them static functions and remove the
ulog_ prefix. Add an unlock_ulog function for clarity.
Greg Hudson [Mon, 20 Jan 2014 23:46:52 +0000 (18:46 -0500)]
Factor out ulog serial number status check
Add a new function ulog_get_sno_status, which checks a serial number
and timestamp against the ulog for currency. Use it in kdb5_util dump
and in ulog_get_entries. Adjust parse_iprop_header's contract in
dump.c to better match the ulog_get_sno_status contract.
This change causes some minor behavior differences. kadmind will
check for an empty ulog unless the last serial number matches exactly,
and will never set lastentry when returning UPDATE_FULL_RESYNC_NEEDED
(which was pointless). kdb5_util dump will recognize a dump file as
current if it exactly matches the last serial number, even if the ulog
is empty; it will be more robust in the presence of non-monotonic
clocks; and it will properly lock around the ulog access.
Greg Hudson [Thu, 13 Feb 2014 00:13:43 +0000 (19:13 -0500)]
Simplify iprop update locking and avoid deadlock
Since we are no longer treating the update log like a journal (#7552),
we don't need two-stage update logging. In kdb5.c, add an update log
entry after each DB change in one step, without getting an explicit
lock. In kdb_log.c, combine ulog_add_update with ulog_finish_update,
and make ulog_add_update lock the ulog internally.
This change avoids deadlock by removing the only cases where the ulog
is locked before the DB.
Greg Hudson [Tue, 18 Feb 2014 06:14:01 +0000 (01:14 -0500)]
Use system dictionary for db2 tests again
The built-in word list is not long enough for all of the libdb2 tests
to run properly. Revert d21a86e47a7cda29225013e08d060095b94b2ee7 and
go back to using the system dictionary if we find one. However, omit
any lines from the chosen word list which contain non-alphabetical
characters.
Greg Hudson [Mon, 17 Feb 2014 05:18:41 +0000 (00:18 -0500)]
Use TAILQ macros instead of CIRCLEQ in libdb2
The optimizer in gcc 4.8.1 (but not the current gcc head revision)
breaks the queue.h CIRCLEQ macros, apparently due to an overzealous
strict aliasing deduction. Use TAILQ macros in the libdb2 mpool code
instead.
Zhanna Tsitkov [Mon, 23 Dec 2013 14:23:54 +0000 (09:23 -0500)]
Make KDC "status" statements more homogeneous
Generally we want KDC status strings to be concise, informative and follow
some common rules:
- All letters in the status string should be capitalized;
- the words in the status phrase are separated by underscore;
- abbreviations should be avoided. Some acceptable "standard" acronyms
are AS_REQ, TGS_REP etc.
- since in almost all cases KDC status is set on error, no need
to state this fact as part of the status string;
- KDC status string should be an imperative phrase.
For example, "DECRYPT_SERVER_KEY".
This commit is to modify some KDC status messages to follow this format.
Even though KDC status messages are not standardized, it is possible that some
administrators use them in the Kerberos log file processing. Hence, the vast
majority of them are left unchanged pending further investigation (mostly,
feedback from the administrators).
Nate Rosenblum [Mon, 23 Dec 2013 21:21:44 +0000 (13:21 -0800)]
Support referrals from Windows Server 2003
Although RFC 6806 Section 7 requires servers to indicate a client
referral in a WRONG_REALM message, Microsoft Windows Server 2003
returns this information in a message with error code
PRINCIPAL_UNKNOWN. Failure to follow the referral in these messages
prevents referral chasing in Windows Server 2003 forests. Detect
referral messages of this type by checking for a non-empty
client.realm field in the response, and activate the referral logic in
these cases.
[tlyu@mit.edu: style, comments, and commit message]
Greg Hudson [Wed, 12 Feb 2014 03:16:56 +0000 (22:16 -0500)]
Don't use system dictionary files for DB2 tests
The system dictionary may contain entries with punctuation, which can
confuse the shell. It's more predictable to always use the word list
from the source tree.
Greg Hudson [Wed, 12 Feb 2014 01:00:51 +0000 (20:00 -0500)]
Fix SAM-2 preauth when password argument is used
sam2_process accesses gak_data to get the password, so that it can do
string-to-key with the etype in the SAM-2 challenge. When #7642
changed gic_pwd.c to use struct gak_password instead of krb5_data,
sam2_process wasn't altered to match. We don't see a problem when the
password is read through the prompter (as with kinit), because the
password winds up in the storage field at the beginning of the
gak_password structure. But when a password is supplied as a
parameter (as with ksu), the storage field is empty and we get the
wrong answer from sam2_process.
projects / thirdparty / krb5.git / log
