Remove the invariant that buf.data is always zero-terminated, to allow
marshalling of binary data into precisely allocated fixed regions.
Add k5_buf_cstring() to zero-terminate the buffer and retrieve the
data pointer. Adjust all callers that build C strings appropriately.
Add a k5_buf_add_byte() convenience wrapper alongside the integer
marshalling wrappers. Change k5_buf_init_fixed() to accept a void
pointer so it can more conveniently be used with uint8_t arrays.
Allow ccache types to implement atomic replacement via a new replace
method (replacing the unused "move" vtable slot). Make krb5_cc_move()
use this method when possible, falling back to non-atomic replacement.
Implement atomic replacement for FILE, DIR, MEMORY, and KCM (using a
new opcode, falling back when it is not implemented).
Use krb5_cc_move() in get_in_tkt.c when an output ccache is specified,
in kinit for ticket validation and renewal, and in kvno --out-cache.
Add a test program to exercise concurrent krb5_get_credentials() and
cache refresh.
This commit does not implement atomic replacement for KEYRING or for
gss_store_creds().
ticket: 7707
[ghudson@mit.edu: added tests]
ticket: 9012 (new)
Fix three Windows-specific argument type errors, including a crash bug
in the default replay cache type. Change the compiler flags to treat
several argument type warnings as errors.
The replay cache bug was reported by Thomas Wagner.
ticket: 9005 (new)
tags: pullup
target_version: 1.19-next
target_version: 1.18-next
Stop using macros for the newline and tab dividers between lines of
usage messages in kinit and kvno, so that gettext can extract the full
string.
Command-line options are described in the following places:
- .rst file "SYNOPSIS" section
- .rst file "OPTIONS" section
- parameters to getopt()
- results of getopt() that are actually handled
- a usage() or xusage() function
- occasionally, a long form in usage()/xusage()
- occasionally, libss subcommand specifications
Over time, these have drifted. Make an effort to correct this drift,
marking deprecated options as such. For consistency, remove mention
of long arguments that have an equivalent short form.
ticket: 8987 (new)
tags: pullup
target_version: 1.19-next
When making TGS requests, if start_realm is set in the cache, use the
named realm to look up the initial TGT for referral or cross-realm
requests. (Also correct a comment in struct _tkt_creds_context: the
ccache field is an owner pointer, not an alias.)
Add an internal API k5_cc_store_primary_cred(), which sets start_realm
if the cred being stored is a TGT for a realm other than the client
realm. Use this API when acquiring initial tickets with a
caller-specified output ccache, when renewing or validating tickets
with kinit, when accepting a delegated credential in a GSS context,
and when storing a single cred with kvno --out-cache.
ticket: 8332
tags: pullup
target_version: 1.19
Add missing kvno options to the kvno.rst synopsis and option
descriptions, and to the kvno usage message. Remove mention of '-h'
(help text), from kvno.rst as it is an implicit option. Note that the
three new caching options were added in release 1.19.
Indicate the two exclusions (-u/-S and --u2u with the S4U2Self options)
and dependency (-P on S4U2Self) where they are missing.
Switch xusage() to print only a single localized string, rather than
running each line of output through localization separately.
Leave kvno -C undocumented for now, as the semantics of
KRB5_GC_CANONICALIZE are minimally useful and likely to change.
[ghudson@mit.edu: edited documentation and commit message]
ticket: 7476
tags: pullup
target_version: 1.18-next
Add the flags --cached-only and --no-store, which pass the
corresponding options to krb5_get_credentials(). Add the option
--out-cache to write the retrieved credentials to a specified output
cache.
Add a Python test script for kvno command-line options, including
tests for the new options.
ticket: 8917 (new)
Commit d439e370b70f7af4ed2da9c692a3be7dcf7b4ac6 (ticket 8800) caused
ksu to ignore KRB5CCNAME from the environment. ksu uses euid
switching to access the source cache, and should honor KRB5CCNAME to
find the ccache to potentially authorize the su operation.
Add a helper function init_ksu_context() to create the ksu context,
with explicit code to honor KRB5CCNAME using
krb5_cc_set_default_name().
ticket: 8895
tags: pullup
target_version: 1.18-next
Correct comment spelling errors detected using codespell.
Reported by Jens Schleusener.
With the introduction of resource-based constrained delegation, the
absence of the forwardable flag no longer implies that a ticket cannot
be used for constrained delegation requests.
Instead, we should check in the PAC to see if the user is marked as
sensitive, and error out in that case rather than making a failed
request. But we don't always have access to the PAC and we currently
do not have the code to retrieve this attribute from the PAC.
Since krb5_get_credentials_for_proxy() no longer needs to look at the
decrypted ticket, change kvno to not require a keytab for constrained
delegation.
[ghudson@mit.edu: made minor style changes and commit message edits;
updated documentation]
ticket: 8479
If the ticket server differs from the credential server, display it as
an extra field. This happens most commonly when the credential is
cached under the referral realm.
ticket: 8811 (new)
ksu uses CMD_PATH to expand command names in .k5users. Include the /usr
tree and .../sbin variants. Drop nonstandard /local.
ticket: 8807 (new)
Add kvno -I to do S4U2Self without treating the principal as an
enterprise name (as -U does). Add kvno -F to do S4U2Self with an
X.509 certificate.
[ghudson@mit.edu: changed code to read cert in PEM format; updated RST
man page instead of generated nroff file, and regenerated nroff file]
ticket: 8778 (new)
Preface ETYPE_DEPRECATED enctypes with "DEPRECATED:" in klist output,
KDC logs, and kadmin interactions. Also complain in krb5kdc when the
stash file has a deprecated enctype or a deprecated enctype is
requested with -k.
ticket: 8773 (new)
Ilja Van Sprundel reported a list of memset() calls which gcc
optimizes out. In krb_auth_su.c, use zap() to clear the password, and
remove two memset() calls when there is no password to clear. In
iakerb.c, remove an unnecessary memset() before setting the only two
fields of the IAKERB header structure. In svr_principal.c, use
krb5_free_key_keyblock_contents() instead of hand-freeing key data.
In asn1_k_encode.c, remove an unnecessary memset() of the kdc_req_hack
shell before returning.
If list_union() fails due to an allocation failure, then close_time()
will attempt to fclose users_fp and login_fp a second time.
This bug was originally introduced in commit
be95b52c2d0c21b1fe92f9f90166fc2fa8eecc95, and has been present in
every krb5 release since 1.1.
ticket: 8768 (new)
tags: pullup
target_version: 1.17
target_version: 1.16-next
target_version: 1.15-next
Add ksu -F and -P options to explicitly not request forwardable and
proxiable tickets.
ticket: 8761
Add a --u2u option to kvno, with an argument to specify a credential
cache containing a krbtgt for the server principal. Move the
-allow_svr test from appl/user_to_user to a new test script and add
additional tests. Suggested by Chris Hecker.
ticket: 8730 (new)
Add an option to destroy a cache within a collection by principal
name. This option can be used together with -c to specify the
collection. Also document that kdestroy -A and -c can be used
together (ticket 8602).
ticket: 8724 (new)
It's been policy for a while now not to create "dead hunks" like
these. A great deal of this code simply doesn't work because it
hasn't been kept up-to-date, and may never have worked. Eliminate
these dead hunks along with the complexity to support them.
'register' is a reserved and unused keyword in C++17 so having it
present in the public headers presents a compatibility issue. Also
in C the 'register' keyword is mostly obsolete, so remove all uses of
it.
[ghudson@mit.edu: adjusted style of some of the affected lines]
Commit 8f9ade8ec50cde1176411085294f85ecfb2820a4 (ticket 8391) moved
the built-in getopt() and getopt_long() implementations from a static
library in util/windows to util/support, where (on Windows) it is
built into k5sprt32.dll or k5sprt64.dll. The getopt() interface uses
global variables opterr, optind, optopt, and optarg, each renamed via
macro to have a k5_ prefix when we use the built-in implementation.
Data objects exported from DLLs need special handling in Windows; they
must be marked as DATA in the DLL .def file, and they must be declared
with "__declspec(dllimport)" in calling code. Without this handling,
optind begins with a garbage value and getopt_long() returns -1
immediately, so client programs always behave as if they have no
arguments.
Stop unnecessarily declaring optind and optarg in client programs.
Declare the getopt() global variables with __declspec(dllimport) on
Windows, except when compiling getopt.c itself. When creating
libkrb5support.exports on Windows (this file is later used by
lib/Makefile.in to create k5sprt32.def), add a DATA tag to the data
objects.
ticket: 8684 (new)
tags: pullup
target_version: 1.16-next
target_version: 1.15-next
If a non-root user attempts to ksu but is denied by policy, log to
syslog at LOG_WARNING in keeping with other failure messages.
ticket: 8270
The SCLIB make variable was introduced in commit
c53f7fd2ca7d605397091294683eaf63d6b922f2 and obsoleted in commit
1f0a33eba649194f1775210ca92a66df6a8b47c5. Remove the remaining traces
of it.
For improved auditability, check for a zero argc value earlier in
main() so that the first two calls to com_err() can't pass a NULL
whoami value--which would be harmless, but that may not be obvious to
a reader.
ticket: 8661
Most programs in the tree will perform a null dereference when argc is
zero, but as a setuid program ksu should be extra careful about memory
errors, even if this one is harmless. Check and exit with status 1
immediately.
ticket: 8661
In kinit, if we recreate the context using kinit_kdb_init(), also
reset the global errctx so that we use the new context to retrieve
extended error messages.
ticket: 8652 (new)
Although timestamps above 2^31-1 are now valid, intervals exceeding
2^31-1 seconds may be treated incorrectly by comparison operations.
The initially computed interval in kdc_get_ticket_endtime() could be
negative if the requested end time is far in the future, causing the
function to yield an incorrect result. (With the new larger value of
kdc_infinity, this could specifically happen if a KDC-REQ contains a
zero till field.) Cap the interval at the maximum valid value.
Reported by Weijun Wang.
Avoid delta comparisons in favor of timestamp comparisons in
krb5int_validate_times(), ksu's krb5_check_exp(), and clockskew
checks.
Also use a y2038-safe timestamp comparison in set_request_times() when
comparing the requested renewable end time to the requested ticket end
time.
ticket: 8352
In klist and kdestroy, if a ccache name is specified, set it as the
default ccache name, simplifying the code and making klist -l, klist
-A, and kdestroy -A work with a specified ccache name. Reported
by Robbie Harwood.
ticket: 8602 (new)
Adjust the style of kcpytkt, kdeltkt, kdestroy, kinit, klist, kpasswd,
and kvno to conform to current coding practices.
[ghudson@mit.edu: made additional style and naming changes; edited
commit message]
ksetpwd was added in commit ec50322c3076ab4517fb4fb5cc3a931f6adb4f20
but is not installed as it was "not of release quality yet." It has
not materially improved since then, and under current policy we do not
include unfinished code in the tree, so remove it.
Where krb5_int32 is used to hold the number of seconds since the
epoch, use krb5_timestamp instead.
Wherever we manipulate krb5_timestamp values using arithmetic,
comparison operations, or conversion to time_t, use the new helper
functions in k5-int.h to ensure that the operations work after y2038
and do not exhibit undefined behavior. (Relying on
implementation-defined conversion to signed values is okay as we test
that in configure.in.)
In printf format strings, use %u instead of signed types. When
exporting creds with k5_json_array_fmt(), use a long long so that
timestamps after y2038 aren't marshalled as negative numbers. When
parsing timestamps in test programs, use atoll() instead of atol() so
that positive timestamps after y2038 can be used as input.
In ksu and klist, make printtime() take a krb5_timestamp parameter to
avoid an unnecessary conversion to time_t and back.
As Leash does not use k5-int.h, use time_t values internally and
safely convert from libkrb5 timestamp values.
ticket: 8352
Move the kvno loop body into a helper function to reduce indentation
and make freeing temporary values easier.
In do_k5_kvno(), free allocated values on success as well as failure.
In t_kdb.py, run kvno with multiple arguments to manifest this leak in
asan and valgrind. Reported by Cel Skeggs.
ticket: 8558
ttyname() is declared in unistd.h. Redeclaring it causes an
issue building with clang fortify on Chrome OS.
ticket: 8518 (new)
Eliminate some memory leaks which should not affect normal operation,
but which make it harder to detect more serious memory leaks.
In kdb5_util, start using the already existing quit() function and
remove redundant DB and master key cleanup performed by individual
commands. In kdb5_destroy(), use util_context instead of creating a
new one. Add an mkey_fullname global variable and use it to make
a bunch of krb5_db_setup_mkey_name() calls unnecessary.
Double-colon rules allow the flexibility to specify commands in
multiple places, but they also make the order of commands and
dependencies dependent on the order of declarations in the Makefile.
Convert all of our double-colon rules to single-colon rules, with the
exception of "clean-unix" and "clean-windows" which have commands
defined in both post.in and in numerous Makefile.in files.
kinit currently outputs "Password incorrect" if it sees a
bad-integrity error code, which results if the KDC reply couldn't be
decrypted, or when encrypted timestamp preauth fails against an MIT
krb5 1.14 or earlier KDC. Expand this check to include general
preauth failures reported by the KDC, but only if a password was
prompted for.
ticket: 8465 (new)
When using a collection ccache, a user accustomed to the FILE ccache
behavior may not be aware of all active caches, and the default
kdestroy command could make it seem like there is no active cache
left. Print a warning to use -A after kdestroy if there are other
caches.
ticket: 8451 (new)
Add --request-pac and --no-request-pac options to kinit, to explicitly
request inclusion or exclusion of PAC authorization data.
ticket: 7985
There should be a newline after "options:" so that the verbose option
is aligned with other options.
ticket: 8392 (new)
target_version: 1.14-next
tags: pullup
A change introduced in 5fd5a67 resulted in root always being prompted for
the target user password when running ksu. Restore the previous behavior
which is to only prompt if the principal is provided with -n.
ticket: 8396 (new)
target_version: 1.14-next
target_version: 1.13-next