Tom Yu [Fri, 20 Feb 2015 16:43:33 +0000 (11:43 -0500)]
Use calloc, not k5calloc in ldap back end
The changes cherry picked in 0149ee13d51b48d77fbbaa5c1109036332a5577c
rely on k5calloc(), which is not present in the 1.11 branch.
Compensate by using calloc() instead.
Greg Hudson [Wed, 5 Nov 2014 19:12:35 +0000 (14:12 -0500)]
Fix input race condition in t_skew.py
In two of the kinit tests run by t_skew.py, we expect kinit to exit
before reading the password. If we supply a password input for those
commands, we can fail with a broken pipe exception if the master
process tries to write the password after the slave process exits.
Also correctly check the output of the last kinit invocation.
Tom Yu [Thu, 16 Oct 2014 19:40:33 +0000 (15:40 -0400)]
Parse "ktadd -norandkey" in remote kadmin client
The remote kadmin client would not parse the "-norandkey" option to
the ktadd subcommand, terminating option parsing and possibly causing
options to be interpreted as principal names.
Greg Hudson [Mon, 20 Oct 2014 16:52:45 +0000 (12:52 -0400)]
Report output ccache errors getting initial creds
In init_creds_step_reply, if we get an error storing output
credentials, do set ctx->complete (since retrieving creds or times
will work at this point) but don't suppress the error code.
Greg Hudson [Fri, 5 Dec 2014 19:01:39 +0000 (14:01 -0500)]
Fix LDAP misused policy name crash [CVE-2014-5353]
In krb5_ldap_get_password_policy_from_dn, if LDAP_SEARCH returns
successfully with no results, return KRB5_KDB_NOENTRY instead of
returning success with a zeroed-out policy object. This fixes a null
dereference when an admin attempts to use an LDAP ticket policy name
as a password policy name.
CVE-2014-5353:
In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause a NULL dereference
by attempting to use a named ticket policy object as a password policy
for a principal. The attacker needs to be authenticated as a user who
has the elevated privilege for setting password policy by adding or
modifying principals.
Queries to LDAP scoped to the krbPwdPolicy object class will correctly
not return entries of other classes, such as ticket policy objects, but
may return success with no returned elements if an object with the
requested DN exists in a different object class. In this case, the
routine to retrieve a password policy returned success with a password
policy object that consisted entirely of zeroed memory. In particular,
accesses to the policy name will dereference a NULL pointer. KDC
operation does not access the policy name field, but most kadmin
operations involving the principal with incorrect password policy
will trigger the crash.
Greg Hudson [Wed, 14 Jan 2015 18:10:39 +0000 (13:10 -0500)]
Check for null *iter_p in profile_iterator()
In profile_iterator(), return PROF_MAGIC_ITERATOR if *iter_p is NULL,
instead of dereferencing a null pointer, as we did prior to 1.10.
Correct calling code will not trigger this case, but incorrect code
has been reported in the field.
Simo Sorce [Tue, 20 Jan 2015 18:48:34 +0000 (13:48 -0500)]
Do not loop on principal unknown errors
If the canonicalize flag is set, the MIT KDC always return the client
principal when KRB5_KDC_ERR_C_PRICIPAL_UNKNOWN is returned.
Check that this is really a referral by testing that the returned
client realm differs from the requested one.
[ghudson@mit.edu: simplified and narrowed is_referral() contract.
Note that a WRONG_REALM response with e-data or FAST error padata
could now be passed through k5_preauth_tryagain() if it has an empty
crealm or a crealm equal to the requested client realm. Such a
response is unexpected in practice and there is nothing dangerous
about handling it this way.]
Greg Hudson [Mon, 29 Dec 2014 18:17:56 +0000 (13:17 -0500)]
Fix gssrpc data leakage [CVE-2014-9423]
[MITKRB5-SA-2015-001] In svcauth_gss_accept_sec_context(), do not copy
bytes from the union context into the handle field we send to the
client. We do not use this handle field, so just supply a fixed
string of "xxxx".
In gss_union_ctx_id_struct, remove the unused "interposer" field which
was causing part of the union context to remain uninitialized.
Greg Hudson [Mon, 29 Dec 2014 18:27:42 +0000 (13:27 -0500)]
Fix kadmind server validation [CVE-2014-9422]
[MITKRB5-SA-2015-001] In kadmind's check_rpcsec_auth(), use
data_eq_string() instead of strncmp() to check components of the
server principal, so that we don't erroneously match left substrings
of "kadmin", "history", or the realm.
Greg Hudson [Sat, 27 Dec 2014 19:16:13 +0000 (14:16 -0500)]
Fix kadm5/gssrpc XDR double free [CVE-2014-9421]
[MITKRB5-SA-2015-001] In auth_gssapi_unwrap_data(), do not free
partial deserialization results upon failure to deserialize. This
responsibility belongs to the callers, svctcp_getargs() and
svcudp_getargs(); doing it in the unwrap function results in freeing
the results twice.
In xdr_krb5_tl_data() and xdr_krb5_principal(), null out the pointers
we are freeing, as other XDR functions such as xdr_bytes() and
xdr_string().
Tom Yu [Fri, 6 Feb 2015 20:46:52 +0000 (15:46 -0500)]
Fix gss_process_context_token() [CVE-2014-5352]
[MITKRB5-SA-2015-001] The krb5 gss_process_context_token() should not
actually delete the context; that leaves the caller with a dangling
pointer and no way to know that it is invalid. Instead, mark the
context as terminated, and check for terminated contexts in the GSS
functions which expect established contexts. Also add checks in
export_sec_context and pseudo_random, and adjust t_prf.c for the
pseudo_random check.
Greg Hudson [Wed, 28 May 2014 22:06:59 +0000 (18:06 -0400)]
Make tcl_kadm5.c work with Tcl 8.6
Directly accessing the result field of Tcl_Interp has been deprecated
for a long time, requires a special define in Tcl 8.6, and will be
impossible in Tcl 9. Use Tcl_SetResult instead. The new error
messages are less helpful than the old ones, but this is just support
infrastructure for old tests, so it isn't important.
Tomas Kuthan [Fri, 1 Aug 2014 13:25:50 +0000 (15:25 +0200)]
Fix LDAP key data segmentation [CVE-2014-4345]
For principal entries having keys with multiple kvnos (due to use of
-keepold), the LDAP KDB module makes an attempt to store all the keys
having the same kvno into a single krbPrincipalKey attribute value.
There is a fencepost error in the loop, causing currkvno to be set to
the just-processed value instead of the next kvno. As a result, the
second and all following groups of multiple keys by kvno are each
stored in two krbPrincipalKey attribute values. Fix the loop to use
the correct kvno value.
CVE-2014-4345:
In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause it to perform an
out-of-bounds write (buffer overrun) by performing multiple cpw
-keepold operations. An off-by-one error while copying key
information to the new database entry results in keys sharing a common
kvno being written to different array buckets, in an array whose size
is determined by the number of kvnos present. After sufficient
iterations, the extra writes extend past the end of the
(NULL-terminated) array. The NULL terminator is always written after
the end of the loop, so no out-of-bounds data is read, it is only
written.
Historically, it has been possible to convert an out-of-bounds write
into remote code execution in some cases, though the necessary
exploits must be tailored to the individual application and are
usually quite complicated. Depending on the allocated length of the
array, an out-of-bounds write may also cause a segmentation fault
and/or application crash.
profile_rename_section should demand only one name.
profile_add_relation should demand only one name if it is creating a
new section. It aso needs to reset state before calling
profile_find_node for the section, in case it didn't look up any
parent sections previously.
In profile_find_node, skip deleted nodes when finding the second
match. Otherwise, profile_clear_nodes could return an error if a node
has some values to clear but the last one is deleted.
In profile_node_iterator, skip deleted nodes when looking up the
section names. Otherwise we could iterate over a deleted section
and/or ignore its replacement.
Greg Hudson [Tue, 18 Feb 2014 06:14:01 +0000 (01:14 -0500)]
Use system dictionary for db2 tests again
The built-in word list is not long enough for all of the libdb2 tests
to run properly. Revert d21a86e47a7cda29225013e08d060095b94b2ee7 and
go back to using the system dictionary if we find one. However, omit
any lines from the chosen word list which contain non-alphabetical
characters.
Greg Hudson [Mon, 17 Feb 2014 05:18:41 +0000 (00:18 -0500)]
Use TAILQ macros instead of CIRCLEQ in libdb2
The optimizer in gcc 4.8.1 (but not the current gcc head revision)
breaks the queue.h CIRCLEQ macros, apparently due to an overzealous
strict aliasing deduction. Use TAILQ macros in the libdb2 mpool code
instead.
Greg Hudson [Thu, 12 Jun 2014 18:34:26 +0000 (14:34 -0400)]
Remove indent workaround in man page RST sources
docutils 0.10 properly adds indentation to example blocks in man
pages, so we do not need to force an extra indentation level. Get rid
of the workaround wherever we use it.
When processing a continuation token, acc_ctx_cont was dereferencing
the initial byte of the token without checking the length. This could
result in a null dereference.
CVE-2014-4344:
In MIT krb5 1.5 and newer, an unauthenticated or partially
authenticated remote attacker can cause a NULL dereference and
application crash during a SPNEGO negotiation by sending an empty
token as the second or later context token from initiator to acceptor.
The attacker must provide at least one valid context token in the
security context negotiation before sending the empty token. This can
be done by an unauthenticated attacker by forcing SPNEGO to
renegotiate the underlying mechanism, or by using IAKERB to wrap an
unauthenticated AS-REQ as the first token.
David Woodhouse [Tue, 15 Jul 2014 16:54:15 +0000 (12:54 -0400)]
Fix double-free in SPNEGO [CVE-2014-4343]
In commit cd7d6b08 ("Verify acceptor's mech in SPNEGO initiator") the
pointer sc->internal_mech became an alias into sc->mech_set->elements,
which should be considered constant for the duration of the SPNEGO
context. So don't free it.
CVE-2014-4343:
In MIT krb5 releases 1.10 and newer, an unauthenticated remote
attacker with the ability to spoof packets appearing to be from a
GSSAPI acceptor can cause a double-free condition in GSSAPI initiators
(clients) which are using the SPNEGO mechanism, by returning a
different underlying mechanism than was proposed by the initiator. At
this stage of the negotiation, the acceptor is unauthenticated, and
the acceptor's response could be spoofed by an attacker with the
ability to inject traffic to the initiator.
Historically, some double-free vulnerabilities can be translated into
remote code execution, though the necessary exploits must be tailored
to the individual application and are usually quite
complicated. Double-frees can also be exploited to cause an
application crash, for a denial of service. However, most GSSAPI
client applications are not vulnerable, as the SPNEGO mechanism is not
used by default (when GSS_C_NO_OID is passed as the mech_type argument
to gss_init_sec_context()). The most common use of SPNEGO is for
HTTP-Negotiate, used in web browsers and other web clients. Most such
clients are believed to not offer HTTP-Negotiate by default, instead
requiring a whitelist of sites for which it may be used to be
configured. If the whitelist is configured to only allow
HTTP-Negotiate over TLS connections ("https://"), a successful
attacker must also spoof the web server's SSL certificate, due to the
way the WWW-Authenticate header is sent in a 401 (Unauthorized)
response message. Unfortunately, many instructions for enabling
HTTP-Negotiate in common web browsers do not include a TLS
requirement.
Greg Hudson [Thu, 17 Oct 2013 18:02:14 +0000 (14:02 -0400)]
Fix race in util/profile/Makefile.in
$(BUILDTOP)/include/profile.h was being updated by two different
rules, which could collide with make -j. Use a dependency from
includes instead of a redundant rule.
Ben Kaduk [Thu, 3 Jul 2014 14:42:21 +0000 (10:42 -0400)]
Fix build on systems without RTM_OLD*
For example, FreeBSD has removed RTM_OLDADD and RTM_OLDDEL from its API
in March 2014, with the message:
Garbage collect long time obsoleted (or never used) stuff from routing API
Only attempt to define behavior for these cases if they are defined.
Greg Hudson [Wed, 18 Jun 2014 16:58:39 +0000 (12:58 -0400)]
Fix KDC worker process argument parsing
To create worker processes, the KDC shuts down realms, forks off the
worker processes, then reinitializes realms in each child.
Reinitializing realms requires making a second pass over the
command-line arguments. To do this with getopt, optind must be
reinitialized to 1 for each pass; otherwise, no options will be seen
the second time around.
Greg Hudson [Thu, 19 Jun 2014 17:49:16 +0000 (13:49 -0400)]
Handle invalid RFC 1964 tokens [CVE-2014-4341...]
Detect the following cases which would otherwise cause invalid memory
accesses and/or integer underflow:
* An RFC 1964 token being processed by an RFC 4121-only context
[CVE-2014-4342]
* A header with fewer than 22 bytes after the token ID or an
incomplete checksum [CVE-2014-4341 CVE-2014-4342]
* A ciphertext shorter than the confounder [CVE-2014-4341]
* A declared padding length longer than the plaintext [CVE-2014-4341]
If we detect a bad pad byte, continue on to compute the checksum to
avoid creating a padding oracle, but treat the checksum as invalid
even if it compares equal.
CVE-2014-4341:
In MIT krb5, an unauthenticated remote attacker with the ability to
inject packets into a legitimately established GSSAPI application
session can cause a program crash due to invalid memory references
when attempting to read beyond the end of a buffer.
In MIT krb5 releases krb5-1.7 and later, an unauthenticated remote
attacker with the ability to inject packets into a legitimately
established GSSAPI application session can cause a program crash due
to invalid memory references when reading beyond the end of a buffer
or by causing a null pointer dereference.
Nalin Dahyabhai [Wed, 25 Jun 2014 16:56:42 +0000 (12:56 -0400)]
Fix unlikely null dereference in mk_cred()
If krb5_encrypt_keyhelper() returns an error, the ciphertext structure
may contain a non-zero length, but it will already have freed the
pointer to its data, making encrypt_credencpart()'s subsequent attempt
to clear and free the memory fail. Remove that logic.
Greg Hudson [Sat, 14 Jun 2014 15:23:08 +0000 (11:23 -0400)]
Fix error checking in PKINIT authdata creation
In create_identifiers_from_stack: check for allocation errors from
PKCS7_ISSUER_AND_SERIAL_new and M_ASN1_INTEGER_dup. Use
PKCS7_ISSUER_AND_SERIAL_free to more concisely clean up the OpenSSL
issuer variable, and make sure that any partially processed value is
cleaned up on error. Use calloc to allocate krb5_cas so that all of
its pointers are initially nulled, so that
free_krb5_external_principal_identifier can operate on it safely in
case of error. Eliminate the retval variable as it was not used
safely. Rename the error label from "cleanup" to "oom" and separate
it from the successful return path (which has nothing to clean up).
Greg Hudson [Fri, 6 Jun 2014 21:41:51 +0000 (17:41 -0400)]
Improve PKINIT certificate documentation
Describe how to use a commercially-issued server certificate for
anonymous PKINIT. Separate the KDC and client configuration
instructions so that the steps necessary for anonymous PKINIT are not
combined with the additional steps necessary for regular PKINIT.
Describe kpServerAuth as the EKU used in commercially issued server
certificates, not as the value used by Microsoft (which does not
appear to be true according to [MS-PKCA]).
Greg Hudson [Wed, 4 Jun 2014 20:18:21 +0000 (16:18 -0400)]
Add missing profile functions to libkrb5 exports
profile_flush_to_buffer, profile_flush_to_file, profile_free_buffer,
profile_init_flags, and profile_init_vtable are all public profile
functions, but are inaccessible to libkrb5 applications on some
platforms because they were never added to the export list. Add them
now.
(libprofile functions have never been part of the Windows DLL export
list, so do not change krb5_32.def at this time.)
Greg Hudson [Fri, 23 May 2014 23:58:41 +0000 (19:58 -0400)]
Treat LDAP KrbKey salt field as optional
Per the ASN.1 definition, the KrbKey salt field is optional. Since
1.7, we have been treating it as mandatory in the encoder; since 1.11,
we have been treating it as mandatory in the decoder. Mostly by luck,
we have been encoding a salt type of 0 when key_data_ver is 1, but we
really should not be looking at key_data_type[1] or key_data_length[1]
in this situation. Treat the salt field as optional in the encoder
and decoder. Although the previous commit ensures that we continue to
always encode a salt (without any dangerous assumptions about
krb5_key_data constructors), this change will allow us to decode key
data encoded by 1.6 without salt fields.
This also fixes issue #7918, by properly setting key_data_ver to 2 if
a salt type but no salt value is present. It is difficult to get the
decoder to actually assign 2 to key_data_ver just because the salt
field is there, so take care of that in asn1_decode_sequence_of_keys.
Adjust kdbtest.c to match the new behavior by setting key_data_ver to
2 in both test keys.
Greg Hudson [Sun, 25 May 2014 02:58:26 +0000 (22:58 -0400)]
Always include salt in LDAP KrbKey encoding
In the LDAP KDB module, ensure that every krb5_key_data we pass to
asn1_encode_sequence_of_keys includes a salt type, for compatibility
with the decoder in unpatched krb5 1.11 and 1.12.
This is not a behavior change by itself; since 1.7 the encoder has
always included a KrbKey salt field because it erroneously treats that
field as non-optional. (Luckily, the encoded salt always happens to
have salt type 0 because krb5_key_data constructors start with zeroed
memory.) The next commit will fix the encoder and decoder to properly
treat the KrbKey salt field as optional, so we need this change to
ensure that our encodings remain compatible.
Also fix the ASN.1 tests to set key_data_ver correctly for the sample
test key data.
Greg Hudson [Thu, 22 May 2014 23:18:34 +0000 (19:18 -0400)]
Don't blindly use PKCS11 slot IDs in PKINIT
Passing invalid slot IDs to C_OpenSession can cause some PKCS #11
implementations (such as the Solaris one) to crash. If a PKINIT
identity specifies a slotid, use it to filter the result of
C_GetSlotList, but don't try it if it does not appear in the list.
Greg Hudson [Tue, 20 May 2014 18:52:44 +0000 (14:52 -0400)]
Add tests for krb5int_c_combine_keys
krb5int_c_combine_keys is used only by SAM-2 preauth with neither the
send-encrypted-sad nor use-sad-as-key flags, so it isn't covered by
any automated function tests. Add some unit tests to make sure that
it works and returns the expected results for two randomly generated
test vectors.
Ken Hornstein [Tue, 20 May 2014 18:50:22 +0000 (14:50 -0400)]
Fix krb5int_c_combine_keys
When krb5int_c_combine_keys was updated to use the new crypto
interface, a small bug was introduced. It turns out the temporary
keyblock created needs to have its enctype set; otherwise, when
krb5int_derive_keyblock() is called later, it will fail with
KRB5_BAD_ENCTYPE.
Tomas Kuthan [Thu, 10 Apr 2014 13:16:06 +0000 (15:16 +0200)]
Check for asprintf failure in kdb5_util create
In add_admin_princ, remove build_name_with_realm and call asprintf
directly instead. Check for asprintf failure to avoid passing an
undefined pointer to krb5_parse_name.
Tomas Kuthan [Wed, 2 Apr 2014 15:48:04 +0000 (17:48 +0200)]
Fix leak in kadm5_flush with LDAP KDB
Due to an inverted test in adb_policy_init, kadm5_flush calls
krb5_db_open twice. With the DB2 KDB module, the second open is a
no-op, but with the LDAP module, a new DB handle is allocated and the
old one is leaked.
Greg Hudson [Fri, 28 Mar 2014 16:33:43 +0000 (12:33 -0400)]
Get getopt from unistd.h (not getopt.h) in tests
POSIX defines getopt to be declared in unistd.h, and HP-UX (as of
version 11.31) does not appear to have getopt.h. In test programs
which currently include getopt.h and aren't currently built on
Windows, include unistd.h or just assume we will get it via k5-int.h.
Tomas Kuthan [Thu, 6 Mar 2014 12:05:24 +0000 (13:05 +0100)]
Fix GSS krb5 initial sequence number gap handling
Since #2040, the dummy queue element inserted by g_order_init no
longer compares less than the initial sequence number, so we fail when
the first few sequence numbers are received out of order. Properly
detect when a sequence number fits between the dummy element and the
first real queue element.
Nalin Dahyabhai [Thu, 20 Feb 2014 21:01:49 +0000 (16:01 -0500)]
Fix returning KDB_NOENTRY in find_alternate_tgs()
After searching for a cross-realm TGS entry to provide to a client as a
referral, if we're all set to return a success code but aren't actually
returning an entry, we should be returning an error. We might not do so
because we don't compare the right value against NULL.
This corrects an error in a redundant check in the patch for
CVE-2013-1417. The error in the check cannot occur in practice
because the other part of the patch for CVE-2013-1417 prevents it, but
static analyzers can flag the erroneous check.
Greg Hudson [Thu, 13 Mar 2014 22:34:22 +0000 (18:34 -0400)]
Fix unlikely double free in PKINIT client code
In pa_pkinit_gen_req, if the cleanup handler is reached with non-zero
retval and non-null out_data, out_data is freed, then dereferenced,
then freed again. This can only happen if one of the small fixed-size
malloc requests fails after pkinit_as_req_create succeeds, so it is
unlikely to occur in practice.
Nalin Dahyabhai [Mon, 17 Feb 2014 22:14:20 +0000 (17:14 -0500)]
Fix memory leak in krb5_verify_init_creds
When copying most of the credentials from one cache to another in
copy_creds_except (called from get_vfy_cred, from
krb5_verify_init_creds), we need to free all of the credentials that
we read, not just the ones we copied.
Nalin Dahyabhai [Tue, 11 Mar 2014 17:26:32 +0000 (13:26 -0400)]
Initialize err variable in krb5_sendto_kdc
When we get an KRB5_KDC_UNREACH error back from k5_sendto, we check if
the err variable we passed for use by our message handler has been set
to KDC_ERR_SVC_UNAVAILABLE. If k5_sendto doesn't receive any
response, though, the handler isn't called, so we're reading an
uninitialized variable. Initialize it to a value other than
KDC_ERR_SVC_UNAVAILABLE to be sure.
[ghudson@mit.edu: initialize err just before calling k5_sendto; edit
commit message]
Greg Hudson [Fri, 7 Mar 2014 15:37:48 +0000 (10:37 -0500)]
Update iprop_master_ulogsize documentation
When we removed the maximum number of ulog entries (#7368), we did not
update the documentation for that parameter in kdc.conf. Reported by
Richard Basch.
Jeff D'Angelo [Fri, 28 Feb 2014 14:47:30 +0000 (09:47 -0500)]
Correct docs for "kdb5_util load" switches
Remove obsolete parenthetical statement in the description of the
"-update" switch to "kdb5_util load". Using the "-update" flag to
load a second dump made using the "-ov" switch is no longer necessary
now that the "-r13" format is the default. Add statement that the
"-b7" dump format was the default for versions prior to 1.2.2 (to
match the statement from "dump" section).
Tom Yu [Tue, 25 Feb 2014 22:35:35 +0000 (17:35 -0500)]
Avoid duplicate "/etc/krb5.conf" in profile path
If configure gets run with --sysconfdir=/etc, "/etc/krb5.conf" shows
up twice in the profile path, which causes its contents to be read
twice. This can cause some confusing and possibly problematic
behavior.
Add some logic to configure.in to avoid adding the duplicate entry for
"/etc/krb5.conf".
Reported independently by Denis Vlasenko and Fredrik Tolf.
Nate Rosenblum [Mon, 23 Dec 2013 21:21:44 +0000 (13:21 -0800)]
Support referrals from Windows Server 2003
Although RFC 6806 Section 7 requires servers to indicate a client
referral in a WRONG_REALM message, Microsoft Windows Server 2003
returns this information in a message with error code
PRINCIPAL_UNKNOWN. Failure to follow the referral in these messages
prevents referral chasing in Windows Server 2003 forests. Detect
referral messages of this type by checking for a non-empty
client.realm field in the response, and activate the referral logic in
these cases.
[tlyu@mit.edu: style, comments, and commit message]
Greg Hudson [Tue, 4 Feb 2014 02:11:34 +0000 (21:11 -0500)]
Properly reflect MS krb5 mech in SPNEGO acceptor
r25590 changed negotiate_mech() to return an alias into the acceptor's
mech set, with the unfortunate side effect of transforming the
erroneous Microsoft krb5 mech OID into the correct krb5 mech OID,
meaning that we answer with a different OID than the requested one.
Return an alias into the initiator's mech set instead, and store that
in mech_set field the SPNEGO context. The acceptor code only uses
mech_set to hold the allocated storage pointed into by internal_mech,
so this change is safe.
Greg Hudson [Thu, 16 Jan 2014 16:32:10 +0000 (11:32 -0500)]
Avoid assertion failure in error_message
r17942 added a call to get_thread_buffer in the first part of
error_message, prior to the call to com_err_initialize. This can
cause an assertion failure from k5_getspecific if error_message is
called on a system error before any other com_err functions are
called. Move the initialization call earlier to prevent this.
Tom Yu [Fri, 21 Feb 2014 20:04:10 +0000 (15:04 -0500)]
Fix memory leak in patch for #7831
The patch for #7831 included a change to do_as_req.c that was only
needed in krb5-1.12; applying it to krb5-1.11 duplicated a block of
code and led to a memory leak.
Tom Yu [Tue, 14 Jan 2014 20:43:35 +0000 (15:43 -0500)]
Remove mentions of krb5-send-pr
Start the process of deprecating krb5-send-pr. In practice, it causes
frustration for some users, and free-form email is good enough for
most bug reports.
Continue to install krb5-send-pr for now, but plan to remove it from
the tree in the future, probably replaced by a script that instructs
the user to send email manually.
Tom Yu [Thu, 16 Jan 2014 20:18:46 +0000 (15:18 -0500)]
Test bogus KDC-REQs
Send encodings that are invalid KDC-REQs, but pass krb5_is_as_req()
and krb5_is_tgs_req(), to make sure that the KDC recovers correctly
from failures in decode_krb5_as_req() and decode_krb5_tgs_req(). Also
send an encoding that isn't a valid KDC-REQ.
rbasch [Mon, 16 Dec 2013 15:54:41 +0000 (10:54 -0500)]
Log service princ in KDC more reliably
Under some error conditions, the KDC would log "<unknown server>" for
the service principal because service principal information is not yet
available to the logging functions. Set the appropriate variables
earlier.
do_as_req.c: After unparsing the client, immediately unparse the
server before searching for the client principal in the KDB.
do_tgs_req.c: Save a pointer to the client-requested service
principal, to make sure it gets logged if an error happens before
search_sprinc() successfully completes.
[tlyu@mit.edu: commit message; fix TGS to catch more error cases]
Tom Yu [Thu, 16 Jan 2014 19:39:53 +0000 (14:39 -0500)]
Add a test program for krb5_copy_context
This test program isn't completely proof against the kind of mistakes
we've made with krb5_copy_context in the past, but it at least
exercises krb5_copy_context and can detect some kinds of bugs.
Tom Yu [Thu, 16 Jan 2014 19:34:54 +0000 (14:34 -0500)]
Fix krb5_copy_context
krb5_copy_context has been broken since 1.8 (it broke in r22456)
because k5_copy_etypes crashes on null enctype lists. Subsequent
additions to the context structure were not reflected in
krb5_copy_context, creating double-free bugs. Make k5_copy_etypes
handle null input and account for all new fields in krb5_copy_context.
Reported by Arran Cudbard-Bell.
Greg Hudson [Tue, 17 Dec 2013 21:56:41 +0000 (16:56 -0500)]
Clarify klist -s documentation
The documentation for klist -s erroneously suggests that it doesn't
affect the exit status behavior and that it merely checks for the
existence of the ccache (only mentioning the expired ticket check at
the end). Make it clearer and simpler, but avoid going into a lot of
detail about the nature of the expiration check.
Greg Hudson [Mon, 16 Dec 2013 20:37:56 +0000 (15:37 -0500)]
Fix GSS krb5 acceptor acquire_cred error handling
When acquiring acceptor creds with a specified name, if we fail to
open a replay cache, we leak the keytab handle. If there is no
specified name and we discover that there is no content in the keytab,
we leak the keytab handle and return the wrong major code. Memory
leak reported by Andrea Campi.
Simo Sorce [Fri, 13 Dec 2013 17:00:41 +0000 (12:00 -0500)]
Fix memory leak in SPNEGO initiator
If we eliminate a mechanism from the initiator list because
gss_init_sec_context fails, free the memory for that mech OID before
removing it from the list.
Greg Hudson [Tue, 10 Dec 2013 17:04:18 +0000 (12:04 -0500)]
Fix SPNEGO one-hop interop against old IIS
IIS 6.0 and similar return a zero length reponse buffer in the last
SPNEGO packet when context initiation is performed without mutual
authentication. In this case the underlying Kerberos mechanism has
already completed successfully on the first invocation, and SPNEGO
does not expect a mech response token in the answer. If we get an
empty mech response token when the mech is complete during
negotiation, ignore it.
[ghudson@mit.edu: small code style and commit message changes]
Greg Hudson [Fri, 6 Dec 2013 01:32:05 +0000 (20:32 -0500)]
Fix S4U2Self against non-FAST KDCs
When we added FAST TGS support in 1.11, we broke S4U2Self against KDCs
which don't support FAST, because the S4U2Self padata is only present
within the FAST request. For now, duplicate that padata in the outer
request so that both FAST and non-FAST KDCs can see it.
Simo Sorce [Tue, 17 Dec 2013 21:15:14 +0000 (16:15 -0500)]
Let SPNEGO display mechanism errors
To avoid potential recursion we use a thread local variable that tells
us whether the ancestor was called via spnego_gss_display_name(). If
we detect recursion, we assume that we returned a com_err code like
ENOMEM and call error_message(); in the worst case that will result in
an "Unknown error" message.
[ghudson@mit.edu: Edited comments and commit message; removed an
unneeded line of code.]
Tom Yu [Tue, 26 Nov 2013 22:57:51 +0000 (17:57 -0500)]
Improve default ccache name API documentation
Document the lifetime and caching behavior of the
krb5_cc_default_name() return value. Document that
krb5_cc_set_default_name() may be called with NULL to purge the cached
value. Correct a typo in the krb5_cc_default() summary and explicitly
reference krb5_cc_default_name().
projects / thirdparty / krb5.git / log
