Ken Raeburn [Thu, 1 Mar 2007 02:19:41 +0000 (02:19 +0000)]
valgrind detects uninitialized (but really unused) bytes in 'queue'
The gsstest program exports a GSSAPI security context to a blob in
memory, writes that memory to a file, and reads it back to use it.
Under valgrind, the writing phase triggers a warning about
uninitialized storage.
The "queue" structure as implemented in generic/util_ordering.c holds
an array of values, some of which may never be initialized. As far as
I can tell, those uninitialized values are never used before being
initialized, either, but valgrind doesn't know that.
This patch zaps the structure contents (including the array) before
using the queue object.
Jeffrey Altman [Thu, 1 Mar 2007 01:49:11 +0000 (01:49 +0000)]
krb5_get_cred_from_kdc fails to null terminate the tgt list
if the next tgt in a cross-realm traversal cannot be
obtained find_nxt_kdc() was calling krb5_free_creds()
on the last tgt in the list but was failing to nullify
the pointer to the cred that was just freed.
if there were no additional tgts obtained,
krb5_get_cred_from_kdc() would return a non-NULL terminated
cred list to the caller. This would result in a crash
when attempting to manipulate the non-existent cred past
the end of the list.
This commit nullifies the credential pointer in
find_nxt_kdc() after the call to krb5_free_creds()
Ken Raeburn [Sat, 24 Feb 2007 00:56:23 +0000 (00:56 +0000)]
If a reflection is detected, zap the message buffer pointer output
argument as well as actually freeing the buffer. (Found while using
the gsstest option to exercise error conditions.)
Ezra Peisach [Mon, 19 Feb 2007 02:37:10 +0000 (02:37 +0000)]
Ensure consistancy between prototypes and functions
I am using an older compiler that is complaining that prototypes
do not match the functions they reference. The issue is that a number
of prototypes are using "const int foo" while the function is "int foo".
From a caller sense it makes no difference - but the compiler is correct
they are different.
Jeffrey Altman [Mon, 12 Feb 2007 14:54:28 +0000 (14:54 +0000)]
hack to permit GetEnvironmentVariable usage without requiring getenv() conversion
Windows has a major flaw when it comes to the use of getenv/putenv.
getenv/putenv do not modify the actual environment of the process.
Instead, they modify a copy of the environment block at the time the
C Runtime Library was initialized for the current module. In other
words, the C Runtime Library environment block for the executable
is not the same as the C Runtime Library environment block for the
krb5_32.dll library, etc.
This results in problems when a process wants to set the default
ccache name outside the krb5_context. The krb5_context default ccname
disappears when the context is destroyed. gss_acquire_cred() suffers
from the creation and destruction of krb5_contexts and therefore the
krb5_context default ccname cannot be used to set a default ccname.
Instead, the process environment must be used.
In order to modify the process environment, SetEnvironmentVariable()
must be used. However, this does not result in the C Runtime Library
environment blocks being updated. putenv() does not see the definition
of "KRB5CCNAME".
This patch modifies get_os_ccname() for Windows to check
GetEnvironmentVariable() before checking the registry. This hack will
work as long as there is no "KRB5CCNAME" variable in the C Runtime
Library environment block.
The long term solution is to replace all calls to getenv and putenv
with GetEnvironmentVariable/SetEnvironmentVariable for Windows.
Ezra Peisach [Mon, 5 Feb 2007 20:39:59 +0000 (20:39 +0000)]
krb5_kt_default_name should take an unsized length
The internal code to krb5_kt_default_name was casting the length to size_t.
Change prototype to take an unsigned - which makes sense in how the code uses
it.
Ezra Peisach [Sun, 4 Feb 2007 02:49:54 +0000 (02:49 +0000)]
MEMORY keytab krb5_kt_get_entry sets enctype to 0 if unspecified
If one invokes krb5_kt_get_entry() for a memory keytab w/ an unspecified
enctype (i.e. 0) - the returned keytab has it's enctype set to 0 as well.
Also - in copying out the found keytab_entry - when a kvno is unspecified,
the last match found is used - not the one with the highest vno.
This was caused by copying out the variable "entry" and not "match".
Ezra Peisach [Sun, 4 Feb 2007 02:03:48 +0000 (02:03 +0000)]
MEMORY keytab does not copy keytab_entry keyblock contents
In krb5_kt_add_entry: The MEMORY keytab does not make a copy of the
keytab_entry keyblock contents - but instead retains a pointer to the
incomming one.
In krb5_kt_get_entry and krb5_kt_get_next - a pointer to internal
keyblock contents memory is returned to the caller - which is subsequently
freed when tht caller invokes krb5_free_keytab_entry_contents.
Solution is to use krb5_copy_keyblock_contents() instead of simply copying
the structure.
Russ Allbery [Sat, 3 Feb 2007 18:33:23 +0000 (18:33 +0000)]
The default K4 compatibility mode is now none, not preauth. Also document
that the valid values for v4_mode are the valid arguments to the -4 flag
to krb5kdc.
Ezra Peisach [Sat, 3 Feb 2007 18:09:56 +0000 (18:09 +0000)]
Memory leak in new memory keytab
The memory keytab introduced in ticket 5411 suffers from a memory leak
in the Heimdal compatible kt_close() handling and thread destructor in which
the cursor->entry is not freed.
Ezra Peisach [Thu, 1 Feb 2007 19:17:31 +0000 (19:17 +0000)]
buffer overflow in krb5_kt_get_name
krb5_kt_get_name() allows the called to specify the size of the buffer to copy
the name into. The size must be big enough for the tailing nul character.
If one specified a buffer length that is precisely the strlen w/o allowing for
the nul - the functions would copy one past the end of the buffer.
No code in our tree would be subject this problem - as buffers in use are 1024
or BUFSIZ....
The logic failure was:
strlen(p+1) vs. strlen(p)+1
The code is essentially duplicated in the three changed files.
Tom Yu [Tue, 30 Jan 2007 21:38:47 +0000 (21:38 +0000)]
get_init_creds_opt extensibility
r18922@cathode-dark-space: coffman | 2006-12-04 18:30:15 -0500
First cut at making the get_init_creds_opt structure extendable
and adding library functions to set options for preauthentication
plugins.
This does *not* include a compatibility function to work like
Heimdal's krb5_get_init_creds_opt_set_pkinit() function.
Hopefully, the test code that doesn't belong in kinit.c is
obvious.
r18929@cathode-dark-space: coffman | 2006-12-07 10:01:20 -0500
Remove extra "user_id" parameter.
Add function which duplicates the Heimdal interface (if we can agree on
what the matching attribute names should be).
r18934@cathode-dark-space: coffman | 2006-12-08 15:28:03 -0500
Update to use the simplified interface for krb5_get_init_creds_opt_set_pa()
Add code in kinit to process "-X" options as preauth options and pass
them along.
r18936@cathode-dark-space: coffman | 2006-12-11 12:04:26 -0500
Move prototypes for get_init_creds_opt_get_pa() and
krb5_get_init_creds_opt_free_pa() into the
preauth_plugin.h header rather than krb5.hin.
Jeffrey Altman [Tue, 30 Jan 2007 17:21:56 +0000 (17:21 +0000)]
This commit adds a thread safe MEMORY keytab implementation
that is compatible with Heimdal 0.7. Each successful resolve
returns a handle to a keytab and increases the internal
reference count. Each close invalidates the handle and
decreases the reference count. When the reference count hits
zero, the keytab is destroyed.
When a kt_destroy function is added, the automatic destruction
after close behavior will be removed.
Jeffrey Altman [Tue, 30 Jan 2007 11:17:35 +0000 (11:17 +0000)]
Microsoft Windows Visual Studio does not define ssize_t
Microsoft defines size_t but not ssize_t.
Provide a definition in win-mac.h that follows the style
used by Microsoft providing a preprocessor macro
SSIZE_T_DEFINED which can be used for conditional
definition and testing in case Microsoft decides to add
it later.
Ezra Peisach [Tue, 23 Jan 2007 20:17:08 +0000 (20:17 +0000)]
Change second argument to krb5_cc_register to take a const krb5_cc_ops *. Makes
sense - when krb5_Xcc_ops currently defined as such - and assignment of value
assumes same.
Ezra Peisach [Tue, 23 Jan 2007 02:57:32 +0000 (02:57 +0000)]
gss_krb5int_unseal_token_v3() - change bodysize argument to unsigned -
which is consistent with how it is invoked and used. Cleans up two
signed/unsigned warnings.
Ken Raeburn [Sat, 20 Jan 2007 11:29:07 +0000 (11:29 +0000)]
* Makefile.in (private-and-public-decls): New target file, created from
k5-int.h and krb5.h.
(verify-calling-conventions-krb5): Use it instead of krb5.h.
(clean-unix): Get rid of it.
Ken Raeburn [Sat, 20 Jan 2007 10:59:19 +0000 (10:59 +0000)]
* pre.in (.et.h, .et.c): Use temporary files in the current directory with
fixed names, instead of incorporating the shell pid.
* post.in (clean-unix): Delete the temporary files.
Added KDC timesyncing support to the CCAPI ccache backend for CCAPI v5 and
later. v5 is the first version of the CCAPI to support the kdc timesyncing
API.
Jeffrey Altman [Thu, 18 Jan 2007 12:43:58 +0000 (12:43 +0000)]
NIM Kerberos 5 Provider corrections
When validating a Kerberos 5 principal name, the request
to the KDC should not request forwardable, renewable, or
proxiable options as these may be blocked by policy and
will result in the return of an error.
Always treat the Kerberos 5 principal name as valid
unless the KDC returns an error that clearly indicates that
the principal name does not exist.
Use a MEMORY: ccache for temporary storage instead of an
API: ccache.
Jeffrey Altman [Thu, 18 Jan 2007 12:39:06 +0000 (12:39 +0000)]
NIM Correct Visual Identity Expiration Status
The visual status for the identities in NIM 1.1 was based
upon the highest alert status of any credential that was
associated with the identity. The correct behavior that is
now implemented is that the identity status should be based
solely upon the expiration state of the credentials obtained
by the identity provider.
For example, the Kerberos v5 identity provider will based the
identity expiration status on the initial TGT. Service tickets
with short lifetimes that expire do not prevent the acquisition
of additional service tickets. Therefore, the identity should
not be listed as expired.
Jeffrey Altman [Thu, 18 Jan 2007 12:33:47 +0000 (12:33 +0000)]
NIM Kerberos v4 configuration dialog
The Kerberos v4 options for individual identities
was never wired. The controls were visible but they
did not do anything. Implement them now for NIM 1.2.
Jeffrey Altman [Thu, 18 Jan 2007 12:31:23 +0000 (12:31 +0000)]
NIM string tables
Update the string tables for NIM so that they are consistent.
Always use "Kerberos v5" or "Kerberos v4". Refer to credentials
instead of tickets. Do not abbreviate "Network Identity Manager".
Etc.
Jeffrey Altman [Thu, 18 Jan 2007 11:35:33 +0000 (11:35 +0000)]
sendto_kdc.c: use of a variable index into a dynamically
allocated array to determine the sizeof() an object makes
it unclear what type of object is involved. It also requires
a runtime check instead of a compile time replacement.
Not to mention that it could lead to the evaluation of an
uninitialized variable as was done in this case. Replace
sizeof(array index variable) with sizeof(type).
Jeffrey Altman [Tue, 16 Jan 2007 04:18:02 +0000 (04:18 +0000)]
This commit adds two new functions, krb5_server_decrypt_ticket_keyblock
(private) and krb5_server_decrypt_ticket_keytab (public). These
functions take a krb5_ticket as input and decrypt it using the provided
key data. The public function is useful for higher level application
protocols such a TLS-KRB5 and AFS RX-KRB5 which exchange a service
but do not use the AP-REQ/AP-REP messages.
This commit also adds new functionality to kvno which permits kvno
when provided a keytab as input to verify whether or not the keytab
contains a key that can successfully decrypt the obtains service ticket.
Tom Yu [Tue, 9 Jan 2007 19:45:25 +0000 (19:45 +0000)]
MITKRB5-SA-2006-003: mechglue argument handling too lax
Fix mechglue argument checks so that output pointers are always
initialized regardless of whether the other arguments fail to validate
for some reason. This avoids freeing of uninitialized pointers.
Initialize the gss_buffer_descs in ovsec_kadmd.c.
ticket: new
target_version: 1.6
tags: pullup
component: krb5-libs
Tom Yu [Tue, 9 Jan 2007 19:45:10 +0000 (19:45 +0000)]
MITKRB5-SA-2006-002: svctcp_destroy() can call uninitialized function pointer
Explicitly null out xprt->xp_auth when AUTH_GSSAPI is being used, so
that svctcp_destroy() will not call through an uninitialized function
pointer after code in svc_auth_gssapi.c has destroyed expired state
structures. We can't unconditionally null it because the RPCSEC_GSS
implementation needs it to retrieve state.
ticket: new
target_version: 1.6
tags: pullup
component: krb5-libs
Ken Raeburn [Mon, 8 Jan 2007 22:51:23 +0000 (22:51 +0000)]
create KDC database directory
The default directory for the KDC database files doesn't exist after a
normal "make install". Reported by Jeff Blaine.
* Makefile.in (INSTALLMKDIRS): Add var (really localstatedir) and var/krb5kdc
to directories to be created at "make install" time, even though it'll be
empty on most machines (since most probably aren't KDCs).
Ken Raeburn [Mon, 8 Jan 2007 22:41:01 +0000 (22:41 +0000)]
crash creating db2 database in non-existent directory
* kdb_db2.c (krb5_db2_db_create): If the creation of the first database file
fails, return the error, instead of attempting to create the second (and using
a null pointer as an input string in formatting a filename).
Ken Raeburn [Sat, 6 Jan 2007 08:30:46 +0000 (08:30 +0000)]
* lib.in (clean-libs): Delete darwin.exports and hpux10.exports.
* libnover.in (clean-libs): Use $(DYNOBJEXT) instead of $(SHLIBEXT) for
extension on object to delete. Also delete darwin.exports and hpux10.exports.
Ken Raeburn [Wed, 3 Jan 2007 23:15:55 +0000 (23:15 +0000)]
update ldap/Makefile.in for newer autoconf substitution requirements
The other makefile.in files have had the makefile-fragment
substitution lines updated to not have "#" at the front, because some
recent versions of autoconf require that the @-pattern start at the
beginning of the line. We missed plugins/kdb/ldap/Makefile.in at the
time.
projects / thirdparty / krb5.git / log
