Simo Sorce [Tue, 12 Jun 2012 18:46:24 +0000 (14:46 -0400)]
Always consider desired_mechs empty in spnego
The only case where the spnego gss_aquire_cred function can be called
with specific OIDs is if the mechglue calls spenego with the spengo
oid, which we never want to loop on anyway. So always consider it as
null, it's the correct behavior with current semantics.
Kevin Wasserman [Wed, 1 Aug 2012 22:30:02 +0000 (18:30 -0400)]
Fix oid set construction in gss_inquire_cred()
Use gssapi calls to construct the oid sets. It is not safe on windows
to use malloc to hand-construct the set and then call gss_release_oid_set()
to clean it up.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7227 (new)
tags: pullup
Greg Hudson [Thu, 2 Aug 2012 05:27:47 +0000 (01:27 -0400)]
Change default client keytab name
Change the default client keytab name, if not overridden at build
time, to FILE:$localstatedir/krb5/user/%{euid}/client.keytab.
Introduce a second file from the autoconf archives in order to
recursively expand $localstatedir within configure.in.
* Fix the substhtml target in src/doc/Makefile.in
* Don't add FILE: when substituting the default keytab and client
keytab names, as the defaults already have it.
Tom Yu [Wed, 1 Aug 2012 02:45:08 +0000 (22:45 -0400)]
Fix KDC heap corruption vuln [CVE-2012-1015]
Fix KDC heap corruption vulnerability [MITKRB5-SA-2012-001
CVE-2012-1015]. The cleanup code in
kdc_handle_protected_negotiation() in kdc_util.c could free an
uninitialized pointer in some error conditions involving "similar"
enctypes and a failure in krb5_c_make_checksum().
Additionally, adjust the handling of "similar" enctypes to avoid
advertising enctypes that could lead to inadvertent triggering of this
vulnerability (possibly in unpatched KDCs).
Note that CVE-2012-1014 (also described in MITKRB5-SA-2012-001) only
applies to the krb5-1.10 branch and doesn't affect the master branch
or releases prior to krb5-1.10.
* fscanf field widths must be less than the buffer size, not equal to
it.
* Check for negative values of lengths we're going to allocate.
* Eliminate a warning in the comparison of the regexp end offset.
* process_r1_8 policy doesn't actually ignore additional values, so
get rid of the comment and inequality test suggesting that it does.
Use a helper function add_policy_mods() in
krb5_ldap_create_password_policy() and krb5_ldap_put_password_policy()
to avoid duplicating code for each field.
Corrections to stuff noticed by kaduk:
* Eliminate a space before paren in a call to free().
* Use %lu for unsigned long in format strings.
* Simplify the tokens table definition.
* Add DEFCCNAME, DEFKTNAME, and DEFCKTNAME configure variables to
change the built-in ccache and keytab names.
* Add krb5-config options to display the built-in ccache and keytab
names.
* In the default build, use krb5-config to discover the system's
built-in ccache and keytab names and use them (if not overridden).
This can be controlled with the --with-krb5-config=PATH or
--without-krb5-config configure options.
* Make the built-in ccache name subject to parameter expansion.
Generalize the ccache collection tests in t_cccol.py to multiple kinds
of ccache tests, and rename it to avoid confusion with the lower-level
lib/krb5/ccache/t_cccol.py. Move a test from t_general.py into
t_ccache.py.
Eliminate the USE_CCAPI variant of get_from_os() which was only used
in KfM. Make get_from_os() allocate its result (wrapping the Windows
implementation so it can continue to use a fixed-size buffer).
Simplify krb5_cc_set_default_name() and krb5_cc_default_name(). Make
some minor style adjustments.
Add an adapted version of Heimdal's expand_path.c, defining
k5_expand_path_tokens() and k5_expand_path_tokens_extra(). These
functions allow template paths like %{TEMP}/krb5cc_%{uid} to be
resolved. Also add a test program to exercise the path expansion
code.
Simo Sorce [Fri, 2 Mar 2012 23:27:49 +0000 (18:27 -0500)]
Introduce credential store extensions
Add new APIs gss_acquire_cred_from, gss_add_cred_from, and
gss_store_cred_into, which take additional argments to specify the
location of the credential storage using a key-value map, where keys
are interpreted by the mechanisms.
In combination with -k, -i will cause kinit or klist to use the
default client keytab instead of the default acceptor keytab. This
gives an easy way to figure out what default client keytab name is in
use and to get credentials using it.
wshelper is clearly not intended to use unicode:
wprintf is used extensively and exclusively to write to char[] buffers and
fields in dns structs are used as explicitly ASCII text.
Kevin Wasserman [Wed, 6 Jun 2012 22:22:22 +0000 (18:22 -0400)]
KFW win-mac.h fixes
kfw: add int16_t, uint16_t typedefs to win-mac.h
uint16_t is used in chpw.c
include stdlib.h, crtdbg.h in win-mac.h
Allows leak-tracking using built-in msvc tools on windows.
crtdbg.h needs to come _after_ stdlib.h, but _before_ checking for
strdup. Define DEBUG and CRTDBG_MAP_ALLOC for full tracking.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7204 (new)
tags: pullup
Ben Kaduk [Fri, 29 Jun 2012 18:33:20 +0000 (14:33 -0400)]
Sync configure options with configure
We should try to stay coupled with the actual configure options, as
documented by 'configure --help'.
Remove an option which is no longer present and add several that
were missing.
Ben Kaduk [Fri, 29 Jun 2012 18:13:05 +0000 (14:13 -0400)]
Only list --enable-dns-for-realm once
If we list something as "commonly used", we seem to not also
list it with the rest of the options. This has the advantage
of not requiring us to remember to update two things for future
changes, but the disadvantage of requiring users to look in two
places for options. Stick with the prevailing form for now.
Ben Kaduk [Fri, 29 Jun 2012 18:10:07 +0000 (14:10 -0400)]
Sort configure options
Stick to the order of 'configure --help' for most sections, but
sort environment variables alphabetically (since, e.g.,
configure --help does not list CPPFLAGS and there is not a good
way to add that).
Note that this does not add or remove any content, even though
some options are missing/extra.
Ben Kaduk [Wed, 27 Jun 2012 18:35:30 +0000 (14:35 -0400)]
Cleanup docs for DNS lookup configure options
DNS lookups for KDCs have been unconditionally enabled in
configure since 2003; configure options only affect whether
DNS lookups are used for realm names.
Change the RST documentation of configure options to catch up.
Tom Yu [Thu, 12 Jul 2012 18:26:15 +0000 (14:26 -0400)]
Handle huge /bin directories in libdb2 test
The test suite for libdb2 uses /bin as a source of filenames and
contents for insertion into databases. Fedora 17 (and possibly other
OSes) have /bin symlinked to /usr/bin, which can vastly increase the
number of files found, exceeding some limits of the test databases.
Truncate this list of files at 100 to prevent this problem.
Tom Yu [Thu, 12 Jul 2012 03:35:44 +0000 (23:35 -0400)]
Always recreate acl files during dejagnu tests
The dejagnu tests create some persistent acl files containing
hostname-derived principal names. These can get out of date if the
host has changed names since the last time the dejagnu tests were run,
causing failures (notably in iprop.exp). To avoid this problem,
change the dejagnu tests to always create new acl files for each test
run.
Kevin Wasserman [Sun, 6 May 2012 19:14:46 +0000 (15:14 -0400)]
Add krb5int_cc_user_set_default_name
Set the default credential cache name for all processes for the current
user. Currently implemented, for windows only, by setting
HKEY_CURRENT_USER\Software\MIT\Kerberos5:ccname to the specified
ccache name. This will not override the environment variable 'KRB5CCNAME'.
It will override HKEY_LOCAL_MACHINE and 'indirect' registry values.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7199 (new)
tags: pullup
Kevin Wasserman [Sun, 6 May 2012 19:23:10 +0000 (15:23 -0400)]
Implement switch_to for ccapiv3
krb5_stdccv3_switch_to() calls cc_ccache_set_default().
krb5_stdccv3_resolve() checks for NULL or empty residual and calls
cc_context_get_default_ccache_name() in those cases.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7198 (new)
tags: pullup
Kevin Wasserman [Fri, 20 Apr 2012 15:36:13 +0000 (11:36 -0400)]
Translate WinSock errors to Posix counterparts
MSVC 2010 defines both Posix and WinSock error values so we can no longer
simply #define the Posix error values to be their WinSock counterpart.
This patch explicitly #includes <errno.h> in port-sockets.h and still
conditionally defines the Posix error values for compatibility with older
MSVC but also translates WinSock errors to Posix for MSVC 2010
compatibility.
The downside to this approach is that there are some Posix errors we
do not currently detect (e.g. EADDRINUSE) that are neither #defined nor
translated. If we use one of those in the future but fail to update
TranslateWSAGetLastError() we'll once again be in the situation that the
windows build will compile but fail to work, possibly only when some rare
error condition occurs.
Signed-off-by: Kevin Wasserman <kevin.wasserman@painless-security.com>
ticket: 7197 (new)
tags: pullup
If the directory for a DIR ccache doesn't exist yet, try to create it
(but not its parents) with mode 700. Exercise this in test scripts by
not pre-creating directories.
In gssint_import_internal_name, don't map the minor code from
mech->gss_duplicate_name if it returned successfully. Fixes an
"unexpected non-zero minor status" error reported by SAP's gsstest
when it invokes gss_canonicalize_name().
Commit f609e5caff410cc8f71db7d95b4da219541437db accidentally omitted
the check for extra realm separators, leading to an assertion error
when parsing x@y@z or similar. Restore the check.
Ben Kaduk [Fri, 6 Jul 2012 22:56:57 +0000 (18:56 -0400)]
Revert "Document absolute times for 'kinit -s'"
This reverts commit 20f85a81151f69689e3c060e89852687eb6c5a3c.
The ability of 'kinit -s' to accept an absolute time is
intentionally undocumented and remains only for backwards
compatibility.
Leave a comment in the source to this effect, for future generations.
Ben Kaduk [Fri, 6 Jul 2012 19:45:20 +0000 (15:45 -0400)]
Allow using locales when gettext is absent
Previously, if configure did not detect dgettext(), we disabled
anything that smelled like localization, inadvertently including
setlocale(). Now that we use setlocale(LC_ALL, ""), we have
localized dates available as well as messages, so we should not
disable calls to setlocale() any more.
Since the routines from locale.h are only used in a relatively
small number of places, just include the header directly in those
files and remove it from k5-platform.h.
Ben Kaduk [Fri, 6 Jul 2012 00:18:32 +0000 (20:18 -0400)]
Pass the user's CPPFLAGS in ALL_CFLAGS
We need them if any headers we depend on are not in the default
search path (e.g., gettext.h). These files are built for
'make check' but not for the normal build.
Ben Kaduk [Thu, 5 Jul 2012 18:34:56 +0000 (14:34 -0400)]
Document absolute times for 'kinit -s'
kinit's -s argument takes a parameter, which is first interpreted
as a time interval ("deltat"), in the same format used for
the -l and -r arguments. However, if that fails, the
time argument is interpreted as an absolute time, in one of
twelve different possible formats, some of which are subject to
localization via strptime(). Explicitly listing all twelve
possible interpretations is overkill, but give the user a hint that
absolute times are possible at all.
Ben Kaduk [Thu, 5 Jul 2012 18:56:50 +0000 (14:56 -0400)]
Enable all localizations in main functions
Bite the bullet and pass LC_ALL to setlocale() instead of just
LC_MESSAGES. Calls to setlocale() itself were introduced in fabbf9e443459e8c0161c84563690ed70c7f6a61 for ticket 6918, but
only for LC_MESSAGES since only localized strings were needed
and that was the most conservative option.
However, klist, kadmin, and kinit (and perhaps others) would benefit
from localized formats for times (i.e., LC_TIME). If potentially
localized data is being sent on the wire, that is a bug that should
be fixed. No such bugs are found with the current test suite, so we
are comfortable enabling LC_ALL at this time.
projects / thirdparty / krb5.git / log
