Ezra Peisach [Sat, 30 Dec 2006 06:09:25 +0000 (06:09 +0000)]
If gss_krb5int_unseal_token_v3() unwraps a message of length 0 - free
memory and return in message_buffer a NULL pointer for value. This
is consistant with gss_release_buffer in the mechglue implementation in which
memory is only freed if the buffer length != 0.
Ken Raeburn [Thu, 28 Dec 2006 01:51:02 +0000 (01:51 +0000)]
* lib/krb5/krb/copy_creds.c (krb5int_copy_creds_contents): New function, split
out from krb5_copy_creds.
(krb5_copy_creds): Call it.
* include/k5-int.h (krb5int_copy_creds_contents): Declare.
Ken Raeburn [Fri, 22 Dec 2006 01:26:59 +0000 (01:26 +0000)]
Some related changes were already in, and I found a couple more to make:
* ldap_realm.c (ldap_filter_correct): Change string argument to char *. Delete
length argument, which was always strlen of the string argument, and compute
it locally, using size_t instead of (unsigned) int for length-related values.
Update all calls.
* ldap_misc.c (remove_overlapping_subtrees): Add forward declaration. Make
static.
(is_principal_in_realm): Change local variable defrealmlen to size_t.
(store_tl_data): Change local variable curr to point to unsigned char, since
that's what the tl_data_contents array is declared as, and what the STORE16_INT
macro is happier with.
(krb5_ldap_get_reference_count): Make local variable i unsigned.
Ken Raeburn [Wed, 20 Dec 2006 21:40:20 +0000 (21:40 +0000)]
misc cleanups in admin guide ldap sections
There are a bunch of instances of incorrect punctuation, inconsistent
use of @-commands with option names, typos in names of principal
flags, and a couple spelling errors. I only fixed what I noticed; I
haven't subjected the rest to careful review.
Also, the long section names for eDirectory-specific documentation
cause the tar files generated for snapshots (which include generated
html docs) to reach the 100-character limit for file names in
traditional tar format; GNU tar can create archives holding them, but
older tar implementations cannot read the archives properly. So,
several eDirectory-related section names have been shortened.
Tom Yu [Tue, 19 Dec 2006 04:16:22 +0000 (04:16 +0000)]
don't pass null pointer to krb5_do_preauth_tryagain()
* src/lib/krb5/krb/get_in_tkt.c (krb5_get_init_creds): If
the error isn't PREAUTH_NEEDED and preauth_to_use is null, return
the error in err_reply, rather than attempting to pass a null
pointer to krb5_do_preauth_tryagain().
Ezra Peisach [Mon, 18 Dec 2006 11:26:59 +0000 (11:26 +0000)]
krb5_rc_io_open_internal on error will call close(-1)
If there is an error in opening the replay cache - memory is freed, but
close() is invoked with -1 (failure from open()). While technically,
close() will return EBADF in such a case, and nothing bad will happen,
valgrind picks up on this and provides an error...
krb5_get_init_creds_opt_set_change_password_prompt is a new
gic option that permits the prompter code to be skipped
when the password has expired. This option is meant to
be used by credential managers such as NetIDMgr and
Kerberos.app that have their own built in password change
dialogs.
This patch adds the new function, exports it on Windows,
and makes use of it within the Krb5 identity provider
for NetIDMgr.
The patch is written to ensure that no changes to the
krb5_get_init_creds_opt structure are required and
to ensure that the default behavior, prompting, is
maintained.
The export lists for UNIX and KFM must still be updated.
The function prototype was committed as part of ticket 3642.
Jeffrey Altman [Fri, 8 Dec 2006 00:28:59 +0000 (00:28 +0000)]
build the trunk on Windows (again)
This revision corrects a number of missing or extraneous
KRB5_CALLCONV symbols; exposes symbols for _WIN32;
and avoids including headers that don't exist
Jeffrey Altman [Thu, 7 Dec 2006 21:56:20 +0000 (21:56 +0000)]
Modifications to support the generation and embedding
of library manifests into generated EXEs and DLLs.
Manifests are required for Windows XP and above when
applications are built with Microsoft Visual Studio 2005
(aka VS8) or above.
Implemented a working krb5_cc_remove for the CCAPI cache type. Added a
private support function krb5_creds_compare() which checks if two krb5_creds
are identical. This function should be needed by implementations of
krb5_cc_remove for other ccache types.
ticket: new
owner: tlyu
target_version: 1.6
tags: pullup
Will Fiveash [Mon, 4 Dec 2006 21:47:50 +0000 (21:47 +0000)]
fix for kdb5_util load bug with dumps from a LDAP KDB
I found a bug when I did a "kdb5_util load -update ldap-dump" where
ldap-dump was a dump done from a LDAP based KDB. The issue is that this
sort of dump contains principal_dn data which is not the case for a db2
KDB dump.
Kevin Coffman [Fri, 1 Dec 2006 19:18:26 +0000 (19:18 +0000)]
Return edata from non-"PA_REQUIRED" preauth types
* src/kdc/kdc_preauth.c (check_padata)
Return e-data from any failing preauth module.
Save the e-data and return value from the first failing module.
If a subsequent module marked as PA_REQUIRED fails, return
its e-data and error instead.
* src/kdc/kdc_preauth.c (load_preauth_plugins)
Quiet compiler warning by setting pointer to NULL.
ticket: new
Target_Version: 1.6
tags: pullup
Component: krb5-kdc
Tom Yu [Fri, 1 Dec 2006 17:09:42 +0000 (17:09 +0000)]
* src/kadmin/dbutil/dump.c (load_db): Open the dumpfile as
read-only; we only get a shared lock, so no reason to open for
writing for the sake of getting a lock.
Tom Yu [Thu, 30 Nov 2006 20:50:02 +0000 (20:50 +0000)]
* src/lib/krb5/krb/gc_via_tkt.c (check_reply_server): New function
to check server principal in reply. Ensures that the reply is
self-consistent, allows rewrites if canonicalization is requested,
and allows limited rewrites of TGS principals if canonicalization
is not requested.
(krb5_get_cred_via_tkt): Move server principal checks into
check_reply_server().
Tom Yu [Thu, 30 Nov 2006 20:46:32 +0000 (20:46 +0000)]
* src/lib/krb5/krb/gc_frm_kdc.c: Also do style cleanup.
(krb5_get_cred_from_kdc_opt): If server principal was rewritten,
fall back unless it was rewritten to a TGS principal. This fixes
a bug when a MS AD rewrites the service principal into a
single-component NETBIOS-style name. If we get a referral back to
the immediately preceding realm, fall back to non-referral
handling. This fixes the changepw failure. To prevent memory
leaks, when falling back to non-referral handling, free any tgts
previously obtained by the initial non-referral do_traversal()
call.
Kevin Coffman [Wed, 29 Nov 2006 00:17:52 +0000 (00:17 +0000)]
skip all modules in plugin if init function fails
If the plugin initialization function fails, skip all modules in
the plugin, not just the first. Also, print the error message from
the plugin if supplied.
ticket: new
Target_Version: 1.6
Tags: pullup
Component: krb5-kdc
Jeffrey Altman [Wed, 22 Nov 2006 18:11:16 +0000 (18:11 +0000)]
KFW 3.1 commits for Final Release
KfW 3.1 final (NetIDMgr 1.1.8.0)
nidmgr32.dll (1.1.8.0)
- When detecting IP address changes, wait for things to settle down
before setting of the IP address change notification.
krb5cred.dll (1.1.8.0)
- Fixed the Kerberos 5 configuration dialog which didn't handle
setting the default realm properly. Setting the default realm now
sets the correct string in krb5.ini.
- Changing the default realm now marks the relevant configuration node
as dirty, and enabled the 'Apply' button.
- Changing the 'renewable', 'forwardable' and 'addressless' checkboxes
in the identity configuration panels now mark the relevant
configuration nodes as dirty, and enables the 'Apply' button.
- The location of the Kerberos 5 configuration file is now read-only
in the Kerberos 5 configuration dialog.
- Set the maximum number of characters for the edit controls in the
configuration dialog.
krb4cred.dll (1.1.8.0)
- The location of the Kerberos 4 configuration files are now read-only
in the Kerberos 4 configuration dialog.
- Handles setting the ticket string.
- Changing the ticket string now marks the relevant configuration node
as dirty, and enables the 'Apply' button.
- Fixed the plug-in initialization code to perform the initial ticket
listing at the end of the initializaton process.
Kevin Coffman [Tue, 21 Nov 2006 14:37:11 +0000 (14:37 +0000)]
free error message when freeing context
Call krb5_clear_error_message() to free any allocated error message
before freeing the context.
The condition that triggered this was a plugin library which fails to
load because of unresolved references. It appears dlopen() on Linux
leaks four bytes for each failing library in this situation.
Tom Yu [Sat, 18 Nov 2006 01:53:27 +0000 (01:53 +0000)]
* src/lib/krb5/ccache/ccbase.c (krb5int_cc_getops): Internal
function to fetch ops vector given ccache prefix string.
(krb5_cc_new_unique): New function to generate a new unique
ccache of a given type.
* src/include/krb5/krb5.hin: Prototype for krb5_cc_new_unique().
Jeffrey Altman [Fri, 17 Nov 2006 23:14:27 +0000 (23:14 +0000)]
reset use_master flag when master_kdc cannot be found
krb5_get_init_creds_password:
if the master_kdc cannot be identified reset the use_master
flag. otherwise, the krb5_get_init_creds("kadmin/changepw")
call will attempt to communicate with the master_kdc that
cannot be reached.
Jeffrey Altman [Fri, 17 Nov 2006 17:23:24 +0000 (17:23 +0000)]
commits for KFW 3.1 Beta 4
KfW 3.1 beta 4 (NetIDMgr 1.1.6.0)
nidmgr32.dll (1.1.6.0)
- Fix a race condition where the initialization process might be
flagged as complete even if the identity provider hasn't finished
initialization yet.
krb5cred.dll (1.1.6.0)
- When assigning the default credentials cache for each identity,
favor API and FILE caches over MSLSA if they exist.
- When renewing an identity which was the result of importing
credentials from the MSLSA cache, attempt to re-import the
credentials from MSLSA instead of renewing the imported credentials.
- Prevent possible crash if a Kerberos 5 context could not be obtained
during the renewal operation.
- Prevent memory leak in the credentials destroy handler due to the
failure to free a Kerberos 5 context.
- Properly match principals and realms when importing credentials from
the MSLSA cache.
- Determine the correct credentials cache to place imported
credentials in by checking the configuration for preferred cache
name.
- Keep track of identities where credentials imports have occurred.
- When setting the default identity, ignore the KRB5CCNAME environment
variable.
- Do not re-compute the credentials cache and timestamps when updating
an identity. The cache and timestamp information is computed when
listing credentials and do not change between listing and identity
update.
- When refreshing the default identity, also handle the case where the
default credentials cache does not contain a principal, but the name
of the cache can be used to infer the principal name.
- Invoke a listing of credentials after a successful import.
- Do not free a Kerberos 5 context prematurely during plug-in
initialization.
netidmgr.exe (1.1.6.0)
- Fix the UI context logic to handle layouts which aren't based around
identities.
- Don't try to show a property sheet when there are no property pages
supplied for the corresponding UI context.
- Use consistent context menus.
- Bring a modal dialog box to the foreground when it should be active.
- Do not accept action triggers when the application is not ready to
process actions yet.
- Do not force the new credentials dialog to the top if there's
already a modal dialog box showing.
- Change the default per-identity layout to also group by location.
Ken Raeburn [Thu, 16 Nov 2006 01:20:47 +0000 (01:20 +0000)]
* rd_req_dec.c: Whitespace changes in function headers.
(krb5_rd_req_decoded_opt): Include more info in error text for AP_WRONG_PRINC
and NOPERM_ETYPE errors.
Ken Raeburn [Thu, 16 Nov 2006 01:14:14 +0000 (01:14 +0000)]
avoid double frees in ccache manipulation around gen_new
* krb5/krb/vfy_increds.c (krb5_verify_init_creds): If krb5_cc_gen_new fails,
don't both close and destroy the template ccache.
* gssapi/krb5/accept_sec_context.c (rd_and_store_for_creds): Likewise.
Ken Raeburn [Thu, 16 Nov 2006 00:51:21 +0000 (00:51 +0000)]
fix some warnings in ldap code
* libkdb_ldap/ldap_realm.c (ignore_duplicates, compare): Unused functions deleted.
(krb5_ldap_modify_realm, krb5_ldap_read_realm_params): Conditionalize declarations of
automatic variables that are only used for eDirectory.
* libkdb_ldap/ldap_service_stash.c (tohex): Use one sprintf call instead of two.
(dec_password): Use an unsigned type to fetch values with %x.
* libkdb_ldap/ldap_realm.h (ldap_filter_correct): Declare.
* libkdb_dlap/ldap_misc.c (my_strndup): Only define if HAVE_LDAP_STR2DN.
(populate_krb5_db_entry): Remove unused automatic variable.
* ldap_util/kdb5_ldap_util.c (cmd_table): Fix typo in preprocessing conditional.
* ldap_util/kdb5_ldap_realm.c (get_ticket_policy): Declarations first, then code.
* ldap_util/kdb5_ldap_services.c (kdb5_ldap_stash_service_password): On error, increment
exit_status; don't return a value.
* ldap_util/kdb5_ldap_services.h (kdb5_ldap_stash_service_password): Update decl.
Ken Raeburn [Wed, 15 Nov 2006 23:56:02 +0000 (23:56 +0000)]
LDAP patch from Novell, 2006-10-13
Patch from 13 November from Savitha R:
> Fix for delpol deleting ticket policies
> Removed references to old schema
> Moved some unused code under #ifdef HAVE_EDIRECTORY
Kevin Coffman [Mon, 13 Nov 2006 22:59:55 +0000 (22:59 +0000)]
allow server preauth plugin verify_padata function to return e-data
Change server-side preauth plugin interface to allow the plugin's
verify_padata function to return e-data to be returned to the client.
(Patch from Nalin Dahyabhai <nalin@redhat.com>)
Update sample plugins to return e-data to exercise the code.
Fix memory leak in the wpse plugin.
ticket: new
Component: krb5-kdc
Target_Version: 1.6
Tags: pullup
Russ Allbery [Thu, 9 Nov 2006 23:29:26 +0000 (23:29 +0000)]
Delay kadmind random number initialization until after fork
Target_Version 1.6
Tags: pullup
Delay initialization of the random number generator in kadmind until
after the fork and backgrounding of the process. Otherwise, a lack of
sufficient entropy during the system boot process will delay system
boot on systems that run each init script in series and that start
kadmind via an init script.
ticket: new
Component: krb5-admin
Version_Reported: 1.4.4
Jeffrey Altman [Wed, 8 Nov 2006 09:58:49 +0000 (09:58 +0000)]
commits for KFW 3.1 Beta 3
KfW 3.1 beta 3 (NetIDMgr 1.1.4.0)
source for 1.1.4.0
- Eliminate unused commented out code.
nidmgr32.dll (1.1.4.0)
- The configuration provider was incorrectly handling the case where a
configuration value also specifies a configuration path, resulting
in the configuration value not being found. Fixed.
- Fix a race condition when refreshing identities where removing an
identity during a refresh cycle may a crash.
- Fix a bug which would cause an assertion to fail if an item was
removed from one of the system defined menus.
- When creating an indirect UI context, khui_context_create() will
correctly fill up a credential set using the selected credentials.
krb5cred.dll (1.1.4.0)
- Fix a race condition during new credentials acquisition which may
cause the Krb5 plug-in to abandon a call to
krb5_get_init_creds_password() and make another call unnecessarily.
- If krb5_get_init_creds_password() KRB5KDC_ERR_KEY_EXP, the new
credentials dialog will automatically prompt for a password change
instead of notifying the user that the password needs to be changed.
- When handling WMNC_DIALOG_PREPROCESS messages, the plug-in thread
would only be notified of any changes to option if the user
confirmed the new credentials operation instead of cancelling it.
- Additional debug output for the DEBUG build.
- Reset the sync flag when reloading new credentials options for an
identity. Earlier, the flag was not being reset, which can result
in the new credentials dialog not obtaining credentials using the
new options.
- Handle the case where the new credentials dialog maybe closed during
the plug-in thread is processing a request.
- Fix a condition which would cause the Krb5 plug-in to clear the
custom prompts even if Krb5 was not the identity provider.
- Once a password is changed, use the new password to obtain new
credentials for the identity.
netidmgr.exe (1.1.4.0)
- Fix a redraw issue which left areas of the credentials window
unupdated if another window was dragged across it.
- Handle WM_PRINTCLIENT messages so that the NetIDMgr window will
support window animation and other features that require a valid
WM_PRINTCLIENT handler.
- During window repaints, NetIDMgr will no longer invoke the default
window procedure.
- Add support for properly activating and bringing the NetIDMgr window
to the foreground when necessary. If the window cannot be brought
to the foreground, it will flash the window to notify the user that
she needs to manually activate the NetIDMgr window.
- When a new credentials dialog is launched as a result of an external
application requesting credentials, if the NetIDMgr application is
not minimized, it will be brought to the foreground before the new
credentials dialog is brought to the foreground. Earlier, the new
credentials dialog may remain hidden behind other windows in some
circumstances.
- When displaying custom prompts for the new credentials dialog, align
the input controls on the right.
krb5.h not C++-safe due to "struct krb5_cccol_cursor"
Fixed definition of "struct krb5_cccol_cursor" in krb5.h to be C++ safe.
In C++ the struct name is also a type so there can't be a typedef of the same
name, in this case "typedef struct krb5_cccol_cursor *krb5_cccol_cursor;".
ticket: new
status: open
target_version: 1.6
tags: pullup
Jeffrey Altman [Mon, 6 Nov 2006 21:55:13 +0000 (21:55 +0000)]
krb5_get_init_creds_password does not consistently prompt for password changing
krb5_get_init_creds_password() previously did not consistently
handle KRB5KDC_ERR_KEY_EXP errors. If there is a "master_kdc"
entry for the realm and the KDC is reachable, then the function
will prompt the user for a password change. Otherwise, it will
return the error code to the caller. If the caller is a ticket
manager, it will prompt the user for a password change with a
dialog that is different from the one generated by the prompter
function passed to krb5_get_init_creds_password.
With this change krb5_get_init_creds_password() will always
prompt the user if it would return KRB5KDC_ERR_KEY_EXP unless
the function is compiled with USE_LOGIN_LIBRARY. (KFM)
projects / thirdparty / krb5.git / log
