Slight revisions to create_workers() in the KDC:
* Use calloc() to allocate the pids array; squashes a Coverity false
positive.
* Don't leak the pids array in worker processes.
* Use consistent terminology in comments.
Add support for a krb5kdc -w option which causes the KDC to spawn
worker processes which can process requests in parallel. See also:
http://k5wiki.kerberos.org/wiki/Projects/Parallel_KDC
In the PKINIT OpenSSL crypto code, use a signed int to hold the result
of X509_get_ext_by_NID so we can detect negative return values.
Reported by nalin@redhat.com.
Add a license statement to the new extern.h in kinit, use an include
blocker which does not impinge on the system's symbol namespace, and
use the recommended formatting for function prototypes.
Sam Hartman [Wed, 15 Sep 2010 17:13:41 +0000 (17:13 +0000)]
kinit: add KDB keytab support
This implements
http://k5wiki.kerberos.org/Projects/What_does_God_need_with_a_password.
If the KDB keytab is selected by command line options, then kinit will
register the KDB keytab and open the database. This permits an
administrator to obtain tickets as a user without knowing that user's
password.
As a result kinit links against libkadm5srv and libkdb5. Discussion is
ongoing about whether this is desirable or about whether two versions
of kinit are required.
Sam Hartman [Wed, 15 Sep 2010 17:13:23 +0000 (17:13 +0000)]
kdb: store mkey list in context and permit NULL mkey for kdb_dbe_decrypt_key_data
Previously, code needed to run a loop to find the current master key,
possibly fetch a new master key list and try finding the master key
again around each key decryption. This was not universally done;
there are cases where only the current master key was used. In
addition, the correct ideom for decrypting key data is too complicated
and is potentially unavailable to plugins that do not have access to
the master key. Instead, store the master key list in the dal_handle
whenever it is fetched and permit a NULL master key for
krb5_dbe_decrypt_key_data.
* Remove APIs for krb5_db_{get|set}_mkey_list
* krb5_db_fetch_mkey_list: memoize master key list in dal_handle
* krb5_db_free_mkey_list: don't free the memoized list; arrange for it to be freed later
* krb5_dbe_decrypt_key_data: Search for correct master key on NULL argument
* change call sites to take advantage
Luke Howard [Thu, 9 Sep 2010 15:54:32 +0000 (15:54 +0000)]
Allow a zero checksum type to be passed into krb5_k_verify_checksum_iov;
this indicates that the mandatory checksum type for the key is to be used.
This interface is necessary because there is no public interface through
which the mandatory checksum type for an encryption type can be determined.
Luke Howard [Thu, 9 Sep 2010 15:39:47 +0000 (15:39 +0000)]
krb5_k_make_checksum will use the mandatory checksum type if 0 is
passed in as the checksum type; however krb5_k_make_checksum_iov
does not support this. Add the same logic for the behaviour is
consistent.
Merge the camellia-ccm branch to trunk. Since there are no IANA
assignments for Camellia-CCM enctypes or cksumtypes yet, they are
disabled in a default build. They can be made available by defining
(via CPPFLAGS) local-use enctype numbers for the enctypes and
cksumtypes.
Ensure valid key in krb5int_yarrow_cipher_encrypt_block
Under low memory conditions (or when testing memory allocation failures),
the key pointer will be 0 - and not initialized. Test and return failure
before deref a NULL.
Greg Hudson [Sun, 29 Aug 2010 15:32:04 +0000 (15:32 +0000)]
Fix an account lockout error-handling regression by converting the
result of krb5_db_check_policy_as/tgs from a krb5_error_code to a
protocol error number.
Greg Hudson [Tue, 24 Aug 2010 22:45:37 +0000 (22:45 +0000)]
In the LDAP KDB module's populate_krb5_db_entry, fix the checks for
the KDB_PRINC_EXPIRE_TIME_ATTR and KDB_PWD_EXPIRE_TIME_ATTR flags so
that they properly succeed when the flags are set. Bug report from
Rob Crittenden, patch from nalin@redhat.com.
Greg Hudson [Tue, 24 Aug 2010 21:52:32 +0000 (21:52 +0000)]
add profile include support
Add support for "include" and "includedir" directives in profile files.
See http://k5wiki.kerberos.org/wiki/Projects/Profile_Includes for more
details.
Greg Hudson [Mon, 23 Aug 2010 22:03:25 +0000 (22:03 +0000)]
Fail properly when profile can't be accessed
Make profile_init() return EACCESS or EPERM if one of those errors was
encountered when failing to open any of the specified profile files.
This causes krb5_init_os_context() to fail properly when krb5.conf is
unreadable, instead of treating that situation like a nonexistent
krb5.conf.
The library will continue to soldier on if one profile file is
readable and another is not. This is deliberate as of r14116, whether
or not it's a good idea.
Greg Hudson [Thu, 19 Aug 2010 16:38:30 +0000 (16:38 +0000)]
Allow krb5_gss_register_acceptor_identity to unset keytab name
krb5_gss_register_acceptor_identity sets a mutex-locked global (not
thread-specific) variable containing a keytab name. This change
allows the variable to be unset by passing a null value.
A more elegant long-term solution to the problem is Heimdal's
gss_krb5_import_cred function.
Greg Hudson [Thu, 12 Aug 2010 17:39:09 +0000 (17:39 +0000)]
In AS replies, set the key-expiration field to the minimum of account
and password expiration time as specified in RFC 4120. Reported by
Mary Cushion <mary@eiger.demon.co.uk>.
Our ancient RPC value internally decodes 32-bit wire values into a
signed long, which is then casted to the appropriate type.
xdr_u_int() contains a check intended to catch wire values that don't
fit into a u_int on platforms with 16-ints, but on platforms with
64-bit longs it was failing on values of 2^31 or larger because the
sign-extended value appeared larger than UINT_MAX. Fix the check by
casting the value to uint32_t before comparing.
This bug, in combination with a poor choice of types in
kadm_rpc_xdr.c's xdr_krb5_enctype(), prevented negative enctype values
from being transported properly in kadmin's change_password command
result.
Revert the part of r24157 which added the dal_version argument to the
init_library interface. Instead use the already existing maj_ver
field of the DAL vtable to detect incompatibilities. Since maj_ver
is a short int, use an incrementing number instead of a date for the
major version.
Allow Microsoft HMAC-MD5 checksum types to use non-RC4 keys
In PAC signatures, the hmac-md5 checksum type can be used with AES
keys. Make this work by removing the enc field from the hmac-md5 and
md5-hmac checksum types, and adding a check in
krb5int_hmacmd5_checksum() for a null key or a key which is longer
than the hash block size (64 bytes for MD5). The checksum algorithm
only uses the key bits; it does invoke the cipher.
The checksum type names are kind of wrong, but we'll leave them alone
for compatibility. The descriptions are updated.
Add check_allowed_to_delegate to the DAL with a corresponding libkdb5
API, replacing the last method (CHECK_ALLOWED_TO_DELEGATE) of
db_invoke. Remove db_invoke since it no longer has any methods.
Add audit_as_req to the DAL with a corresponding libkdb5 API,
replacing the AUDIT_AS_REQ method of db_invoke. Remove the
AUDIT_TGS_REQ method of db_invoke without adding a replacement, as
there was no KDC support for it. (It can be added at a later time if
necessary.)
Add check_policy_as and check_policy_tgs to the DAL table with
corresponding libkdb5 APIs, replacing the CHECK_POLICY_AS and
CHECK_POLICY_TGS methods of db_invoke.
Create a KRB5_KDB_FLAG_ALIAS_OK to control whether plugin modules
should return in-realm aliases. Set it where appropriate, and use it
in the LDAP module instead of intuiting the result based on other
flags.
Remove count parameters from get_principal, put_principal,
free_principal, delete_principal, and get_policy. Make get_principal
allocate the DB entry container. Fold krb5_db_get_principal_ext into
krb5_db_get_principal.
Make the APIs for iterate, get_master_key_list, set_master_key_list,
and promote_db return KRB5_PLUGIN_OP_NOTSUPP if the KDB module does
not implement them, avoiding the need for stub default
implementations.
Use KRB5_PLUGIN_OP_NOTSUPP uniformly as the error code for operations
not supported by a KDB module. (Previously KRB5_KDB_DBTYPE_NOSUP was
used in some cases and KRB5_PLUGIN_OP_NOTSUPP in others.)
Remove verify_master_key from the DAL table, as well as its associated
libkdb5 interface. Callers can (and mostly already do) use
krb5_fetch_mkey_list to verify master keyblocks. Adjust tests/create,
tests/verify, and kdb5_util dump to do so.
Remove db_ and similar prefixes from DAL function names, for
consistency. Follow suit inside the DB2 and LDAP modules. (No change
to the caller-facing libkdb5 APIs.)
Remove the set_master_key and get_master_key DAL interfaces and their
corresponding libkdb5 APIs, as they were not productively used. In
kdb5_ldap_util, stop using the realm data's mkey field as a container
to communicate the master key to static helper functions, since the
field no longer exists.
Remove errcode_2_string and release_errcode_string from the DAL table,
and stop using them in kdb5.c. Modules can simply set error messages
in the krb5 context on error.
Remove db_supported_realms and db_free_supported_realms from the DAL
table, and remove the corresponding libkdb5 interfaces (which don't
seem to have been in the library export table).
Add KRB5_KDB_API_VERSION to allow callers to adjust to incompatible
changes in libkdb; to be kept in sync with the libkdb major version,
which is bumped to 5 in anticipation of other changes.
Add KRB5_KDB_DAL_VERSION to allow database modules to detect when they
are mismatched with the KDB version. Since KDB modules are often
developed concurrently with trunk code, this is defined to be the date
of the last incompatible DAL change. The DAL version is passed to the
init_library DAL function; the module should check it against the value
of KRB5_KDB_DAL_VERSION it was compiled with and return
KRB5_KDB_DBTYPE_MISMATCH if it doesn't match.
In kpropd, when getting a wildcard address to listen on, try IPv6
explicitly (with AI_ADDRCONFIG specified where available, to avoid
IPv6 on hosts with no IPv6 interface) and then fall back to IPv4.
Only set IPV6_V6ONLY on the listener socket if the resulting address
is IPv6.
Note: we have mostly confirmed that OpenBSD does not have dual-stack
support, meaning that it would be better to open separate IPv4 and
IPv6 listener sockets, as we do in krb5kdc and kadmind.
Unfortunately, the complicated iprop retry-and-backoff logic makes
this less than straightforward.
projects / thirdparty / krb5.git / log
