Tom Yu [Thu, 27 Feb 2014 20:46:00 +0000 (15:46 -0500)]
Missing type refs in docs due to stdint.h changes
References to krb5_int16.rst and krb5_ui_2.rst were missing, but
recently began causing sphinx-build errors because Doxygen started
generating them after the stdint.h changes.
Greg Hudson [Sun, 23 Feb 2014 16:28:44 +0000 (11:28 -0500)]
In kdb5_util dump, only lock DB for iprop dumps
Revert #7384, as there are no longer policy refcounts. For iprop
dumps we want to make sure that the reported serial number matches the
DB state (although we could perhaps relax that requirement with enough
analysis), but for non-iprop dumps we don't need any transactional
guarantees.
Also use the correct constant name for the locking mode (the numeric
value is the same, fortunately), and only unlock the database if we
successfully locked it.
Greg Hudson [Sat, 1 Feb 2014 20:59:21 +0000 (15:59 -0500)]
Stop generating gssapi_krb5.h
We started generating gssapi_krb5.h from gssapi_krb5.hin when we
needed to use a 64-bit type for lucid contexts. Since we can now
assume a standard name for 64-bit types, we can stop generating the
header.
Greg Hudson [Sat, 1 Feb 2014 20:20:08 +0000 (15:20 -0500)]
Assume <stdint.h> and fixed-width types
Make unconditional use of <stdint.h> and fixed-width types such as
uint32_t. k5-plugin.h doesn't use any special integer types, so
remove the conditional include block there. Nothing uses
INT64_FMT/UINT64_FMT, so leave those out of k5-platform.h for now.
Greg Hudson [Sat, 22 Feb 2014 20:58:03 +0000 (15:58 -0500)]
Minimize race conditions in t_iprop.py
Augment kpropd's debugging output so we can see the starting and
ending serial numbers of a sync, and check them in t_iprop.py's
wait_for_prop to make sure we're observing the correct sync each time.
Try to make sure we only send SIGUSR1 when kpropd is actually
sleeping, by waiting for it to print its pre-sleep message to stderr
after a full dump and after each sync. This isn't perfect, as there
is a short window between printing to stderr and actually sleeping,
but we can't do any better until kpropd has a more reliable mechanism
for triggering immediate updates.
Tom Yu [Tue, 25 Feb 2014 22:35:35 +0000 (17:35 -0500)]
Avoid duplicate "/etc/krb5.conf" in profile path
If configure gets run with --sysconfdir=/etc, "/etc/krb5.conf" shows
up twice in the profile path, which causes its contents to be read
twice. This can cause some confusing and possibly problematic
behavior.
Add some logic to configure.in to avoid adding the duplicate entry for
"/etc/krb5.conf".
Reported independently by Denis Vlasenko and Fredrik Tolf.
Greg Hudson [Mon, 27 Jan 2014 17:50:12 +0000 (12:50 -0500)]
Test iprop slave ulog management
Check the ulog more thoroughly after each operation, including the
principal names we expect in each update entry. Verify that the slave
ulog contains actual update entries received from master. Add a
second slave which receives updates from the first. Test a wider
variety of principal operations. Add two additional operations after
the full resync to test that incremental updates resume after a full
resync (albeit with some lag).
Greg Hudson [Mon, 27 Jan 2014 03:18:18 +0000 (22:18 -0500)]
Implement kpropd -A
The -A option causes kpropd to contact a specified admin server
(normally an intermediate slave running kadmind -proponly) instead of
the master admin server.
Greg Hudson [Sun, 26 Jan 2014 23:11:56 +0000 (18:11 -0500)]
Implement kadmind -proponly
The -proponly option causes kadmind to only service the iprop service,
not the kpasswd or kadmin services. An intermediate slave in a
hierarchical iprop setup runs kadmind -proponly in order to provide
incremental updates to downstream slaves.
Greg Hudson [Sat, 25 Jan 2014 19:40:41 +0000 (14:40 -0500)]
Maintain complete ulog on iprop slaves
Factor out most of ulog_add_update into a helper function named
store_update, and make ulog_add_update just responsible for assigning
a serial number and timestamp to the update before storing it. In
ulog_replay, use store_update and ulog_finish_update to add each
update to the ulog in addition to replaying it to the database. Don't
use incr_ret->lastentry to set kdb_last_sno/kdb_last_time, since it
will have been set properly by adding the individual updates; instead,
just reinitialize the ulog on error.
Slave ulogs use serial numbers provided from upstream, and thus do not
always begin at serial number 1 after a header reset. As a result, we
must: (A) in store_update, detect the first update (for which we must
assign kdb_first_sno/kdb_first_time) by comparing kdb_num to 0,
instead of by comparing the serial number to 1; (B) in store_update,
detect that we are overwriting the first update by comparing kdb_num
to ulogentries, instead of comparing the serial number to ulogentries;
and (C) in ulog_map, detect that ulogentries changed by verifying the
first and last serial number and timestamp against the actual ulog
entries, rather than simply comparing kdb_last_sno to kdb_num.
Greg Hudson [Fri, 24 Jan 2014 21:52:47 +0000 (16:52 -0500)]
Simplify ulog_map
Get rid of the caller parameter. The kproplog semantics (without -R)
for mapping the ulog are simple and almost completely different from
other users of the ulog, so implement them as a static helper in
kproplog. With hierarchical iprop, kpropd will need the same
semantics as FKCOMMAND and FKADMIND, which were already identical.
Get rid of the db_args parameter, since ulog_map no longer opens the
database after #7552.
Remove an inoperative lseek() call when creating a new ulog file.
Rename ulog_filesize to filesize and compute it from scratch each time
we use it, for easier analysis. If kdb_hmagic is zero, init the ulog
header but don't skip the rest of the function; it's possible that we
need to expand the ulog file. Remove an unneeded conditional before
calling extend_file_to for an existing ulog.
Greg Hudson [Thu, 23 Jan 2014 16:34:52 +0000 (11:34 -0500)]
Lock around more ulog operations
Always lock the ulog when accessing it. We can currently get away
with some laxness on iprop slaves because they are mostly synchronous,
but hierarchical iprop will allow master and slave operations to take
place concurrently, requiring more strict locking.
Add new functions ulog_get_last and ulog_set_last, which access the
ulog header with locking, and use them in kdb5_util and kpropd. Add
locking to ulog_replay and ulog_init_header.
ulog_lock and ulog_sync_header are no longer used outside of kdb_log.c
after these changes, so make them static functions and remove the
ulog_ prefix. Add an unlock_ulog function for clarity.
Greg Hudson [Mon, 20 Jan 2014 23:46:52 +0000 (18:46 -0500)]
Factor out ulog serial number status check
Add a new function ulog_get_sno_status, which checks a serial number
and timestamp against the ulog for currency. Use it in kdb5_util dump
and in ulog_get_entries. Adjust parse_iprop_header's contract in
dump.c to better match the ulog_get_sno_status contract.
This change causes some minor behavior differences. kadmind will
check for an empty ulog unless the last serial number matches exactly,
and will never set lastentry when returning UPDATE_FULL_RESYNC_NEEDED
(which was pointless). kdb5_util dump will recognize a dump file as
current if it exactly matches the last serial number, even if the ulog
is empty; it will be more robust in the presence of non-monotonic
clocks; and it will properly lock around the ulog access.
Greg Hudson [Thu, 13 Feb 2014 00:13:43 +0000 (19:13 -0500)]
Simplify iprop update locking and avoid deadlock
Since we are no longer treating the update log like a journal (#7552),
we don't need two-stage update logging. In kdb5.c, add an update log
entry after each DB change in one step, without getting an explicit
lock. In kdb_log.c, combine ulog_add_update with ulog_finish_update,
and make ulog_add_update lock the ulog internally.
This change avoids deadlock by removing the only cases where the ulog
is locked before the DB.
Greg Hudson [Tue, 18 Feb 2014 06:14:01 +0000 (01:14 -0500)]
Use system dictionary for db2 tests again
The built-in word list is not long enough for all of the libdb2 tests
to run properly. Revert d21a86e47a7cda29225013e08d060095b94b2ee7 and
go back to using the system dictionary if we find one. However, omit
any lines from the chosen word list which contain non-alphabetical
characters.
Greg Hudson [Mon, 17 Feb 2014 05:18:41 +0000 (00:18 -0500)]
Use TAILQ macros instead of CIRCLEQ in libdb2
The optimizer in gcc 4.8.1 (but not the current gcc head revision)
breaks the queue.h CIRCLEQ macros, apparently due to an overzealous
strict aliasing deduction. Use TAILQ macros in the libdb2 mpool code
instead.
Zhanna Tsitkov [Mon, 23 Dec 2013 14:23:54 +0000 (09:23 -0500)]
Make KDC "status" statements more homogeneous
Generally we want KDC status strings to be concise, informative and follow
some common rules:
- All letters in the status string should be capitalized;
- the words in the status phrase are separated by underscore;
- abbreviations should be avoided. Some acceptable "standard" acronyms
are AS_REQ, TGS_REP etc.
- since in almost all cases KDC status is set on error, no need
to state this fact as part of the status string;
- KDC status string should be an imperative phrase.
For example, "DECRYPT_SERVER_KEY".
This commit is to modify some KDC status messages to follow this format.
Even though KDC status messages are not standardized, it is possible that some
administrators use them in the Kerberos log file processing. Hence, the vast
majority of them are left unchanged pending further investigation (mostly,
feedback from the administrators).
Nate Rosenblum [Mon, 23 Dec 2013 21:21:44 +0000 (13:21 -0800)]
Support referrals from Windows Server 2003
Although RFC 6806 Section 7 requires servers to indicate a client
referral in a WRONG_REALM message, Microsoft Windows Server 2003
returns this information in a message with error code
PRINCIPAL_UNKNOWN. Failure to follow the referral in these messages
prevents referral chasing in Windows Server 2003 forests. Detect
referral messages of this type by checking for a non-empty
client.realm field in the response, and activate the referral logic in
these cases.
[tlyu@mit.edu: style, comments, and commit message]
Greg Hudson [Wed, 12 Feb 2014 03:16:56 +0000 (22:16 -0500)]
Don't use system dictionary files for DB2 tests
The system dictionary may contain entries with punctuation, which can
confuse the shell. It's more predictable to always use the word list
from the source tree.
Greg Hudson [Wed, 12 Feb 2014 01:00:51 +0000 (20:00 -0500)]
Fix SAM-2 preauth when password argument is used
sam2_process accesses gak_data to get the password, so that it can do
string-to-key with the etype in the SAM-2 challenge. When #7642
changed gic_pwd.c to use struct gak_password instead of krb5_data,
sam2_process wasn't altered to match. We don't see a problem when the
password is read through the prompter (as with kinit), because the
password winds up in the storage field at the beginning of the
gak_password structure. But when a password is supplied as a
parameter (as with ksu), the storage field is empty and we get the
wrong answer from sam2_process.
Greg Hudson [Mon, 10 Feb 2014 20:26:34 +0000 (15:26 -0500)]
Correctly get default realm in kdb5.c
Call krb5_get_default_realm instead of directly accessing
context->default_realm, to remove the requirement that
krb5_get_default_realm or krb5_set_default_realm be used before
krb5_db_open.
Some system configurations expect Unix-domain sockets to live under
/run or /var/run, and not other parts of /var where persistent
application state lives. Define a new directory KDC_RUN_DIR using
$runstatedir (new in autoconf 2.70, so fall back to $localstatedir/run
if it's not set) and use that for the default socket path.
Greg Hudson [Tue, 4 Feb 2014 01:59:54 +0000 (20:59 -0500)]
Test SPNEGO acceptor response to MS krb5 mech OID
In t_spnego.c, add code to make a SPNEGO request with the erroneous
Microsoft OID value and examine the response to make sure that it uses
the same OID value as the request did. The token and tmp variables
were unused, so rename them to itok and atok for the purpose of the
new test code.
Greg Hudson [Tue, 4 Feb 2014 02:11:34 +0000 (21:11 -0500)]
Properly reflect MS krb5 mech in SPNEGO acceptor
r25590 changed negotiate_mech() to return an alias into the acceptor's
mech set, with the unfortunate side effect of transforming the
erroneous Microsoft krb5 mech OID into the correct krb5 mech OID,
meaning that we answer with a different OID than the requested one.
Return an alias into the initiator's mech set instead, and store that
in mech_set field the SPNEGO context. The acceptor code only uses
mech_set to hold the allocated storage pointed into by internal_mech,
so this change is safe.
Greg Hudson [Thu, 30 Jan 2014 17:37:46 +0000 (12:37 -0500)]
Don't get KDB lock in ulog_get_entries
ulog_get_entries does not access the KDB, only the ulog, so it does
not need a KDB lock; its read lock on the ulog is sufficient to
prevent logged updates from happening while it is running. There is
no reason to serialize against unlogged KDB updates such as those
performed by the KDC, as those do not affect the ulog.
Greg Hudson [Thu, 23 Jan 2014 15:51:21 +0000 (10:51 -0500)]
In kdb5_util load, init ulog closer to promote
Always map the ulog with FKCOMMAND, not FKLOAD which reinitializes the
ulog. Don't reinitialize the ulog until just before calling
krb5_db_promote(). Get rid of FKLOAD since it isn't needed any more;
we can just call ulog_init_header() manually.
Greg Hudson [Sun, 26 Jan 2014 21:42:50 +0000 (16:42 -0500)]
Clean up ovsec_kadmd.c
Fix code formatting issues. Use static scope when possible, and put
all helper functions before main so that forward declarations aren't
needed. Use GSS_KRB5_NT_PRINCIPAL_NAME instead of constructing it
with gss_str_to_oid, and get rid of display_status as that was the
only use. Replace large verbose function comments with concise ones.
Factor out main loop setup and KDB keytab setup into helper functions.
Create a helper function fail_to_start for logging and exiting on
initialization failures, and use it instead of the large cleanup
blocks in main.
Some initialization error messages have changed; no other functional
changes.
Greg Hudson [Thu, 23 Jan 2014 23:15:24 +0000 (18:15 -0500)]
Modernize iprop code
* Don't use "extern" for kdb_log.h prototypes.
* Avoid passing structures by value.
* Avoid the need to cast the result of the INDEX macro, and use char *
instead of unsigned long for pointer arithmetic.
* Reorganize kdb_log.c so static helpers are at the top and don't use
the "ulog_" prefix.
* Get rid of ulog_finish_update_slave since it's more concise to
open-code it in ulog_replay.
* Get rid of ulog_delete_update. In krb5_db_delete_principal, just
call ulog_add_update with kdb_deleted set in upd.
* Modernize coding style of kproplog.c. Use k5memdup0 instead of
snprintf in print_str to convert a byte range to a C string.
Remove an unnecesary textdomain call; libkrb5 takes care of calling
bindtextdomain in the library initializer.
* Modernize coding style of kpropd.c and kprop.c.
Greg Hudson [Fri, 24 Jan 2014 04:49:34 +0000 (23:49 -0500)]
Remove kdb5_util load iprop safety net
Revert the safety net added #7370. As written it only applied to the
master KDC, where a normal load sometimes makes sense. Even on a
slave, there are edge cases where it can make sense to do a normal
load.
Greg Hudson [Sun, 26 Jan 2014 22:23:53 +0000 (17:23 -0500)]
Check for unstable ulog in ulog_get_entries
If a process terminates in the middle of a logged database update, it
will release its lock and leave the ulog in the KDB_UNSTABLE state.
kadmind should notice this when it calls ulog_get_entries, but right
now it only checks for the KDB_CORRUPT state (which is never set any
more) and does not recover. Check for any state other than KDB_STABLE
and recover by resetting the ulog and forcing full resyncs to slaves.
Greg Hudson [Thu, 30 Jan 2014 17:26:09 +0000 (12:26 -0500)]
Add test case for ulog serial number wrapping
Add a unit test program named t_ulog. Make it map a ulog file, set up
header state where kdb_last_sno is the last serial number, and then
add an empty update. Check that the result is a ulog header with one
update at serial number 1.
Greg Hudson [Tue, 21 Jan 2014 15:58:04 +0000 (10:58 -0500)]
Reinitialize ulog when wrapping serial number
When we wrap the serial number, reinitialize the ulog so that kdb_num
starts counting from 1, instead of leaving the ulog in a weird state
where kdb_num == ulogentries but kdb_last_sno == 1 and the serial
numbers in the circular array aren't necessarily contiguous.
Greg Hudson [Sat, 18 Jan 2014 18:03:32 +0000 (13:03 -0500)]
Fix gss_pseudo_random leak on zero length output
Nobody is likely to ever ask for zero bytes of output from
gss_pseudo_random, but if they do, just return an empty buffer without
allocating. Otherwise we leak memory because gss_release_buffer
doesn't do anything to buffers with length 0.
Greg Hudson [Thu, 16 Jan 2014 16:32:10 +0000 (11:32 -0500)]
Avoid assertion failure in error_message
r17942 added a call to get_thread_buffer in the first part of
error_message, prior to the call to com_err_initialize. This can
cause an assertion failure from k5_getspecific if error_message is
called on a system error before any other com_err functions are
called. Move the initialization call earlier to prevent this.
Greg Hudson [Wed, 15 Jan 2014 17:51:42 +0000 (12:51 -0500)]
Clean up GSS krb5 acquire_accept_cred
Use a cleanup handler instead of releasing kt in multiple error
clauses. Wrap a long line and fix a comment with a missing word.
Rewrap the function arguments to use fewer lines.
Tom Yu [Tue, 14 Jan 2014 20:43:35 +0000 (15:43 -0500)]
Remove mentions of krb5-send-pr
Start the process of deprecating krb5-send-pr. In practice, it causes
frustration for some users, and free-form email is good enough for
most bug reports.
Continue to install krb5-send-pr for now, but plan to remove it from
the tree in the future, probably replaced by a script that instructs
the user to send email manually.
Greg Hudson [Mon, 13 Jan 2014 17:02:09 +0000 (12:02 -0500)]
Don't produce context deletion token in krb5 mech
RFCs 2743 and 4121 recommend that implementations produce empty tokens
from gss_delete_sec_context, and trying to produce one can cause
gss_delete_sec_context to fail on a partially established context.
Patch from Tomas Kuthan.
Greg Hudson [Fri, 10 Jan 2014 16:54:13 +0000 (11:54 -0500)]
Restrict AES-NI support to ELF platforms for now
Since we explicitly specify the ELF object format when building
iaesx86.s or iaesx64.s, we need to restrict it to operating systems we
know to be ELF platforms. Otherwise we can break the build on OS X,
which uses the Mach-O object format.
Greg Hudson [Thu, 9 Jan 2014 05:18:44 +0000 (00:18 -0500)]
Work around Linux session keyring write behavior
If the session keyring matches the user session keyring, write
explicitly to the user session keyring. Otherwise the kernel might
create a new session keyring for the process, making the resulting
cache collection invisible to other processes.
Tom Yu [Tue, 7 Jan 2014 21:37:46 +0000 (16:37 -0500)]
Refactor krb5_string_to_keysalts()
Use various standard C library functions rather than rolling our own.
Previous code spent many lines reimplementing realloc(), strpbrk(),
strtok_r(), etc.
Make a separate string_to_keysalt() parser for an individual keysalt
pair, which for now is private and destructive.
Tom Yu [Mon, 6 Jan 2014 22:17:02 +0000 (17:17 -0500)]
Make salt defaulting work for keysalts
Make krb5_string_to_keysalts() default to only ":" as a key:salt
separator character. Change most of its callers to pass NULL so they
get the default separators.
Tom Yu [Mon, 6 Jan 2014 21:32:50 +0000 (16:32 -0500)]
Default to normal salt instead of "ignore"
krb5_string_to_keysalts() treats an empty salt field as -1 ("ignore"),
rather than as the normal salttype. Default to normal instead, so
that omitting a salttype works as expected.
Greg Hudson [Fri, 3 Jan 2014 18:50:48 +0000 (13:50 -0500)]
Mark AESNI files as not needing executable stacks
Some Linux systems now come with facilities to mark the stack as
non-executable, making it more difficult to exploit buffer overrun
bugs. For this to work, object files built from assembly need a
section added to note whether they require an executable stack.
Patch from Dhiru Kholia with comments added. More information at:
https://bugzilla.redhat.com/show_bug.cgi?id=1045699
https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart
Tom Yu [Wed, 1 Jan 2014 00:43:28 +0000 (19:43 -0500)]
Test bogus KDC-REQs
Send encodings that are invalid KDC-REQs, but pass krb5_is_as_req()
and krb5_is_tgs_req(), to make sure that the KDC recovers correctly
from failures in decode_krb5_as_req() and decode_krb5_tgs_req(). Also
send an encoding that isn't a valid KDC-REQ.
rbasch [Mon, 16 Dec 2013 15:54:41 +0000 (10:54 -0500)]
Log service princ in KDC more reliably
Under some error conditions, the KDC would log "<unknown server>" for
the service principal because service principal information is not yet
available to the logging functions. Set the appropriate variables
earlier.
do_as_req.c: After unparsing the client, immediately unparse the
server before searching for the client principal in the KDB.
do_tgs_req.c: Save a pointer to the client-requested service
principal, to make sure it gets logged if an error happens before
search_sprinc() successfully completes.
[tlyu@mit.edu: commit message; fix TGS to catch more error cases]
Greg Hudson [Thu, 19 Dec 2013 18:33:33 +0000 (13:33 -0500)]
Allow realm in kadm5_init service names
Previously, if you passed a service name with a realm part to a
kadm5_init function, you would get a KRB5_PARSE_MALFORMED error
because the code would internally append its own '@realm' suffix
before parsing the name. Fix this as follows:
Change gic_iter so instead of producing a full service name, it
produces a krb5_principal which is taken from the cred it acquires.
Pass the client and full service name around as principals, rather
than strings, and use the gss_nt_krb5_principal name type to import
them in setup_gss(). Don't append a realm to the input service name;
instead, pass the input service name directly to the gic functions
(which do not need a realm in the service name and will ignore the
realm if one is present). For the INIT_CREDS case, parse the input
service name with KRB5_PRINCIPAL_PARSE_IGNORE_REALM and then set the
realm.
Greg Hudson [Thu, 19 Dec 2013 17:22:47 +0000 (12:22 -0500)]
Simplify libkadm5 client realm initialization
The "realm" variable in init_any is used only to fill in the realm of
the service principal in gic_iter(). The service principal realm
should always be the realm we looked up config parameters for, so we
can supply that realm to get_init_creds() unconditionally and
eliminate the case where we use the client principal realm.
Also get rid of an outdated comment and an #if 0 block we will never
need again, and use SNPRINTF_OVERFLOW to check the snprintf result.
Greg Hudson [Fri, 20 Dec 2013 16:06:52 +0000 (11:06 -0500)]
Use an extended com_err hook in klist
Add an adapted version of extended_com_err_fn from kinit to klist and
use it. In do_ccache(), rely on the ccache type to set a reasonable
message if krb5_cc_set_flags() or krb5_cc_get_principal() fails due to
a nonexistent or unreadable ccache, and don't confuse the user with
the name of the ccache operation that failed.
Nalin Dahyabhai [Thu, 5 Dec 2013 18:54:09 +0000 (13:54 -0500)]
Set an error message when keyring get_princ fails
When attempting to use a keyring cache that doesn't exist, set an error
message when we fail to read a principal name, as we do when we return
the same error code when using a file ccache.
[ghudson: removed unnecessary check for d->name nullity.]
Greg Hudson [Fri, 20 Dec 2013 04:47:22 +0000 (23:47 -0500)]
Test for verto_set_flags in system libverto
libkrad relies on verto_set_flags, which was added to libverto in
release 0.2.4. Make sure the system libverto has this function before
choosing it over the built-in version.
Zhanna Tsitkov [Thu, 19 Dec 2013 18:08:56 +0000 (13:08 -0500)]
Move kprop error explanation into Troubleshooting
The plan is to make Troubleshooting section of the documentation a
one-stop-shop place for all error diagnostics, explanations and possible
solutions. The relocation of kprop error messages descriptions is part of
this consolidation effort.
Greg Hudson [Wed, 18 Dec 2013 18:08:25 +0000 (13:08 -0500)]
Add a test program for krb5_copy_context
This test program isn't completely proof against the kind of mistakes
we've made with krb5_copy_context in the past, but it at least
exercises krb5_copy_context and can detect some kinds of bugs.
Greg Hudson [Wed, 18 Dec 2013 20:03:03 +0000 (15:03 -0500)]
Fix krb5_copy_context
krb5_copy_context has been broken since 1.8 (it broke in r22456)
because k5_copy_etypes crashes on null enctype lists. Subsequent
additions to the context structure were not reflected in
krb5_copy_context, creating double-free bugs. Make k5_copy_etypes
handle null input and account for all new fields in krb5_copy_context.
Reported by Arran Cudbard-Bell.
Simo Sorce [Tue, 17 Dec 2013 21:15:14 +0000 (16:15 -0500)]
Let SPNEGO display mechanism errors
To avoid potential recursion we use a thread local variable that tells
us whether the ancestor was called via spnego_gss_display_name(). If
we detect recursion, we assume that we returned a com_err code like
ENOMEM and call error_message(); in the worst case that will result in
an "Unknown error" message.
[ghudson@mit.edu: Edited comments and commit message; removed an
unneeded line of code.]
Greg Hudson [Tue, 17 Dec 2013 21:56:41 +0000 (16:56 -0500)]
Clarify klist -s documentation
The documentation for klist -s erroneously suggests that it doesn't
affect the exit status behavior and that it merely checks for the
existence of the ccache (only mentioning the expired ticket check at
the end). Make it clearer and simpler, but avoid going into a lot of
detail about the nature of the expiration check.
Greg Hudson [Mon, 16 Dec 2013 22:09:00 +0000 (17:09 -0500)]
Don't require krb5.conf without KRB5_DNS_LOOKUP
For a long time we have allowed krb5 contexts to be initialized in the
absence of krb5.conf--but only if KRB5_DNS_LOOKUP is defined,
presumably on the theory that no KDCs could be contacted without
either DNS support or profile configuration. But locate plugins could
provide the ability to find KDCs, and some libkrb5 operations (such as
IAKERB initiation) could succeed without needing to locate KDCs.
Also get rid of the profile_in_memory context flag, since we don't use
it any more.
Greg Hudson [Mon, 16 Dec 2013 20:37:56 +0000 (15:37 -0500)]
Fix GSS krb5 acceptor acquire_cred error handling
When acquiring acceptor creds with a specified name, if we fail to
open a replay cache, we leak the keytab handle. If there is no
specified name and we discover that there is no content in the keytab,
we leak the keytab handle and return the wrong major code. Memory
leak reported by Andrea Campi.
Simo Sorce [Fri, 13 Dec 2013 17:00:41 +0000 (12:00 -0500)]
Fix memory leak in SPNEGO initiator
If we eliminate a mechanism from the initiator list because
gss_init_sec_context fails, free the memory for that mech OID before
removing it from the list.
Greg Hudson [Mon, 16 Dec 2013 16:35:42 +0000 (11:35 -0500)]
Remove unneeded check in SPNEGO initiator
In init_ctx_cont, if the response token contains no fields, we set a
return value but don't actually quit out of the function. We do not
need this check (we will fail later on if a piece of required
information isn't present), so just remove it. Reported by
simo@redhat.com.
Greg Hudson [Tue, 10 Dec 2013 17:04:18 +0000 (12:04 -0500)]
Fix SPNEGO one-hop interop against old IIS
IIS 6.0 and similar return a zero length reponse buffer in the last
SPNEGO packet when context initiation is performed without mutual
authentication. In this case the underlying Kerberos mechanism has
already completed successfully on the first invocation, and SPNEGO
does not expect a mech response token in the answer. If we get an
empty mech response token when the mech is complete during
negotiation, ignore it.
[ghudson@mit.edu: small code style and commit message changes]
Greg Hudson [Sun, 8 Dec 2013 23:05:26 +0000 (18:05 -0500)]
Allow ":port" suffixes in sn2princ hostnames
MSSQLSvc principal names can contain a ":port" or ":instance" trailer
on the hostname part. If we see that in the hostname argument of
krb5_sname_to_principal(), remove it before canonicalizing the
hostname and put it back on afterwards.
projects / thirdparty / krb5.git / log
