Age | Commit message (Collapse) | Author | Files | Lines |
|
Before this patch, libkrad would follow the same exact logic for all
socket types when the retries parameter was non-zero. This meant that
when connecting with SOCK_STREAM, multiple requests were sent in case
of packet drops, which, of course, cannot happen for SOCK_STREAM.
Instead, just disable retries for SOCK_STREAM sockets.
[ghudson@mit.edu: minor wording edits]
(cherry picked from commit 25e0656fdf9862faf9aa91288023776e9a47caad)
ticket: 8229
version_fixed: 1.13.3
status: resolved
|
|
Commit ab009b8568d9b64b7e992ecdb98114e895b4a7ff for issue #7977
changed the signature of krb5_db_iterate() and properly bumped
KRB5_KDB_API_VERSION from 7 to 8. It also changed the signature of
the DAL iterate() function, but did not bump
KRB5_KDB_DAL_MAJOR_VERSION. Bump that version from 4 to 5 now.
(cherry picked from commit 58f6636ba3af96f7b94ba6d4b2c91b61fc85e58a)
ticket: 8066
version_fixed: 1.13.1
status: resolved
|
|
(cherry picked from commit 49f8ec5975df3cb5f204444df2a284b2e662df85)
ticket: 7880
version_fixed: 1.13.1
status: resolved
|
|
Make the KDC default to listening on TCP.
(cherry picked from commit 8d88e2ab00be126237569dc72827ced2ce6b7d04)
ticket: 6731
|
|
Add support to the DB2 KDB back end to optionally release the lock
when calling the iterator callback. This prevents the blocking of
other processes when dumps of large databases are taking place.
Also add support for reversed iteration.
ticket: 7977
|
|
ticket: 7977 (new)
subject: Enable unlocked KDB iteration
|
|
Add a new credential cache type "KCM" which performs cache operations
by speaking to a Heimdal or OS X KCM daemon, via either Unix domain
sockets or (on OS X only) Mach RPC. Add "kcm_socket" and
"kcm_mach_service" profile variables to control the socket path and
bootstrap service name respectively. In ccmarshal.c, add
k5_marshal_mcred to marshal matching credentials in the KCM protocol
representation.
This cache type is not currently supported on Windows, as Windows does
not support Unix domain sockets.
As with the keyring cache type, the lastchange method of this cache
type is mostly useless, reporting only the time of the last change
made through that cache handle. The KCM protocol currently has no
support for obtaining the last change time of the cache itself.
ticket: 7964 (new)
|
|
Make struct k5buf less opaque and get rid of k5buf-int.h. Make it
easy to initialize a k5buf in an error state so that it can be freed
in a cleanup handler. Add a function k5_buf_status which returns 0 or
ENOMEM. Remove k5_buf_data and k5_buf_len. Rename k5_free_buf to
k5_buf_free. Adjust all callers to match.
|
|
Add variables for the SASL mechanism, authcid, authzid, and realm. If
a SASL mechanism is set, perform an interactive bind with that
mechanism. If <sasl/sasl.h> is found at build time, provide the
authcid, authzid, and realm in the interaction function, and provide a
SASL secret read from the service password file (under the authcid) if
we found one.
Based on a patch from Zoran Pericic <zpericic@netst.org>.
ticket: 7944 (new)
|
|
Create an internal pluggable interface "tls" with one in-tree dynamic
plugin module named "k5tls". Move all of the OpenSSL calls to the
plugin module, and make the libkrb5 code load and invoke the plugin.
This way we do not load or initialize libssl unless an HTTP proxy is
used.
ticket: 7929
|
|
On systems where strerror_r is not the POSIX version, define it to
k5_strerror_r. Implement k5_strerror_r in libkrb5support using
strerror_s, strerror, or the GNU strerror_r as appropriate.
ticket: 7961
|
|
In socket-utils.h, replace the socklen macro with an inline function
sa_socklen which always uses the address family, even on platforms
with the sa_len sockaddr field. This removes the need to set sa_len
in socket addresses we construct.
|
|
This functions allows you to pass IPv4 and IPv6 addresses. If no
address is given, t will determine the family by checking the socket
with getsockname.
[ghudson@mit.edu: clarified commit message, split out setport helper,
squashed with next commit, minimized code changes from old
bindresvport, used socket-utils.h helpers]
ticket: 7935 (new)
|
|
Add sa_setport, sa_getport, and sa_is_inet helpers for conveniently
manipulating port numbers on IPv4 and IPv6 socket addresses.
|
|
Fix three mismatched constant names, and properly alphabetize and
columnize the lists of definitions. No functional changes.
|
|
This is just a shorter internal name for krb5_set_error_message. The
full name is so long that we have to wrap error messages more than
we'd like.
|
|
It wasn't being used and it added too much complexity to the
error-handling functions.
|
|
When we connect to a KDC using an HTTPS proxy, check that the naming
information in the certificate matches the name or address which we
extracted from the server URL in the configuration.
ticket: 7929
|
|
Add an http_anchors per-realm setting which we'll apply when using an
HTTPS proxy, more or less mimicking the syntax of its similarly-named
PKINIT counterpart. We only check the [realms] section, though.
ticket: 7929
|
|
Add an 'HTTPS' transport type which connects to an [MS-KKDCP] proxy
server using HTTPS to communicate with a KDC. The KDC's name should
take the form of an HTTPS URL (e.g. "https://proxybox/KdcProxy").
An HTTPS connection's encryption layer can be reading and writing when
the application layer is expecting to write and read, so the HTTPS
callbacks have to handle being called multiple times.
[nalin@redhat.com: use cleanup labels, make sure we always send the
realm name, keep a copy of the URI on-hand, move most of the
conditionally-compiled sections into their own conditionally-built
functions, break out HTTPS request formatting into a helper function,
handle the MS-KKDCP length bytes, update comments to mention specific
versions of the MS-KKDCP spec, differentiate TCP and HTTP trace
messages, trace unparseable responses]
ticket: 7929
|
|
Handle encoding and decoding [MS-KKDCP] proxy messages, including
handling of the additional length bytes. Early versions of [MS-KKDCP]
incorrectly omit that the size of the proxied message is prepended to
the proxied message, as it is when we're using plain TCP, before
encoding the proxy-message structure. This is fixed at least as of
version 2.1 of the spec.
[nalin@redhat.com: add tests]
ticket: 7929
|
|
Add a header containing a declaration for struct k5input and static
inline functions to use it. A k5input structure can be used to safely
extract bytes and integers from a fixed-sized input buffer without
overrunning the buffer. It supports deferred error checking (similar
to k5buf) by returning dummy values and storing a status value in the
input structure.
|
|
Add a new k5_buf method to make room in the buffer for the caller to
fill in.
|
|
When krb5_rd_req cannot decrypt a ticket, try to produce the most
helpful diagnostic we can, and return an error code which corresponds
to the most applicable Kerberos protocol error. Add a trace log
containing the error message for ticket decryption failures, in case
the application server does not log it.
Add new tests to cover krb5_rd_req error messages and adjust existing
tests to match the new messages. Also adjust svc_auth_gssapi.c to
look for KRB5KRB_AP_ERR_NOT_US instead of KRB5KRB_AP_WRONG_PRINC.
ticket: 7232
|
|
k5_change_error_message_code allows an extended error message to be
used when an error code is remapped.
|
|
Directly use stdint.h names for integer types in preference to the
various internal names we have made up for them.
|
|
Make unconditional use of <stdint.h> and fixed-width types such as
uint32_t. k5-plugin.h doesn't use any special integer types, so
remove the conditional include block there. Nothing uses
INT64_FMT/UINT64_FMT, so leave those out of k5-platform.h for now.
|
|
If configure gets run with --sysconfdir=/etc, "/etc/krb5.conf" shows
up twice in the profile path, which causes its contents to be read
twice. This can cause some confusing and possibly problematic
behavior.
Add some logic to configure.in to avoid adding the duplicate entry for
"/etc/krb5.conf".
Reported independently by Denis Vlasenko and Fredrik Tolf.
ticket: 3277
tags: pullup
target_version: 1.12.2
|
|
Get rid of the caller parameter. The kproplog semantics (without -R)
for mapping the ulog are simple and almost completely different from
other users of the ulog, so implement them as a static helper in
kproplog. With hierarchical iprop, kpropd will need the same
semantics as FKCOMMAND and FKADMIND, which were already identical.
Get rid of the db_args parameter, since ulog_map no longer opens the
database after #7552.
Remove an inoperative lseek() call when creating a new ulog file.
Rename ulog_filesize to filesize and compute it from scratch each time
we use it, for easier analysis. If kdb_hmagic is zero, init the ulog
header but don't skip the rest of the function; it's possible that we
need to expand the ulog file. Remove an unneeded conditional before
calling extend_file_to for an existing ulog.
ticket: 7855
|
|
Always lock the ulog when accessing it. We can currently get away
with some laxness on iprop slaves because they are mostly synchronous,
but hierarchical iprop will allow master and slave operations to take
place concurrently, requiring more strict locking.
Add new functions ulog_get_last and ulog_set_last, which access the
ulog header with locking, and use them in kdb5_util and kpropd. Add
locking to ulog_replay and ulog_init_header.
ulog_lock and ulog_sync_header are no longer used outside of kdb_log.c
after these changes, so make them static functions and remove the
ulog_ prefix. Add an unlock_ulog function for clarity.
|
|
Add a new function ulog_get_sno_status, which checks a serial number
and timestamp against the ulog for currency. Use it in kdb5_util dump
and in ulog_get_entries. Adjust parse_iprop_header's contract in
dump.c to better match the ulog_get_sno_status contract.
This change causes some minor behavior differences. kadmind will
check for an empty ulog unless the last serial number matches exactly,
and will never set lastentry when returning UPDATE_FULL_RESYNC_NEEDED
(which was pointless). kdb5_util dump will recognize a dump file as
current if it exactly matches the last serial number, even if the ulog
is empty; it will be more robust in the presence of non-monotonic
clocks; and it will properly lock around the ulog access.
|
|
Since we are no longer treating the update log like a journal (#7552),
we don't need two-stage update logging. In kdb5.c, add an update log
entry after each DB change in one step, without getting an explicit
lock. In kdb_log.c, combine ulog_add_update with ulog_finish_update,
and make ulog_add_update lock the ulog internally.
This change avoids deadlock by removing the only cases where the ulog
is locked before the DB.
ticket: 7861
|
|
Some system configurations expect Unix-domain sockets to live under
/run or /var/run, and not other parts of /var where persistent
application state lives. Define a new directory KDC_RUN_DIR using
$runstatedir (new in autoconf 2.70, so fall back to $localstatedir/run
if it's not set) and use that for the default socket path.
[ghudson@mit.edu: commit message, otp.rst formatting fix]
ticket: 7859 (new)
|
|
Always map the ulog with FKCOMMAND, not FKLOAD which reinitializes the
ulog. Don't reinitialize the ulog until just before calling
krb5_db_promote(). Get rid of FKLOAD since it isn't needed any more;
we can just call ulog_init_header() manually.
|
|
* Don't use "extern" for kdb_log.h prototypes.
* Avoid passing structures by value.
* Avoid the need to cast the result of the INDEX macro, and use char *
instead of unsigned long for pointer arithmetic.
* Reorganize kdb_log.c so static helpers are at the top and don't use
the "ulog_" prefix.
* Get rid of ulog_finish_update_slave since it's more concise to
open-code it in ulog_replay.
* Get rid of ulog_delete_update. In krb5_db_delete_principal, just
call ulog_add_update with kdb_deleted set in upd.
* Modernize coding style of kproplog.c. Use k5memdup0 instead of
snprintf in print_str to convert a byte range to a C string.
Remove an unnecesary textdomain call; libkrb5 takes care of calling
bindtextdomain in the library initializer.
* Modernize coding style of kpropd.c and kprop.c.
No functional changes.
|
|
|
|
To avoid potential recursion we use a thread local variable that tells
us whether the ancestor was called via spnego_gss_display_name(). If
we detect recursion, we assume that we returned a com_err code like
ENOMEM and call error_message(); in the worst case that will result in
an "Unknown error" message.
[ghudson@mit.edu: Edited comments and commit message; removed an
unneeded line of code.]
ticket: 7045
target_version: 1.12.1
tags: pullup
|
|
The vtbl and locate_fptrs fields were ostensibly related to the locate
pluggable interface, but weren't actually used.
|
|
For a long time we have allowed krb5 contexts to be initialized in the
absence of krb5.conf--but only if KRB5_DNS_LOOKUP is defined,
presumably on the theory that no KDCs could be contacted without
either DNS support or profile configuration. But locate plugins could
provide the ability to find KDCs, and some libkrb5 operations (such as
IAKERB initiation) could succeed without needing to locate KDCs.
Also get rid of the profile_in_memory context flag, since we don't use
it any more.
|
|
Refactor and edit sn2princ.c to match current coding style. No
behavior changes, except to be less chatty in trace logs.
|
|
libgssrpc supports two callbacks for gss_accept_sec_context failures
on servers (one for AUTH_GSS and one for AUTH_GSSAPI), which are
IPv4-specific. Provide an alternate version which supplies the
transport handle instead of the address, so that we can get the
address via the file descriptor for TCP connections.
ticket: 7770
|
|
Document the lifetime and caching behavior of the
krb5_cc_default_name() return value. Document that
krb5_cc_set_default_name() may be called with NULL to purge the cached
value. Correct a typo in the krb5_cc_default() summary and explicitly
reference krb5_cc_default_name().
ticket: 7775 (new)
target_version: 1.12
tags: pullup
|
|
We never check its return value (causing clang to emit warnings),
and its use is primarily in cases where we should continue processing
in the event of failure. Just ignore errors from the underlying
fcntl() call (if present) and treat this operation as best-effort.
The #if 0 code should probably be removed.
|
|
Per project http://k5wiki.kerberos.org/wiki/Projects/Audit
The purpose of this project is to create an Audit infrastructure to monitor
security related events on the KDC.
The following events are targeted in the initial version:
- startup and shutdown of the KDC;
- AS_REQ and TGS_REQ exchanges. This includes client address and port, KDC
request and request ID, KDC reply, primary and derived ticket and their
ticket IDs, second ticket ID, cross-realm referral, was ticket renewed and
validated, local policy violation and protocol constraints, and KDC status
message.
Ticket ID is introduced to allow to link tickets to their initial TGT at any
stage of the Kerberos exchange. For the purpose of this project it is a private
to KDC ticket ID: each successfully created ticket is hashed and recorded
into audit log. The administrators can correlate the primary and derived
ticket IDs after the fact.
Request ID is a randomly generated alpha-numeric string. Using this ID an
administrator can easily correlate multiple audit events related to a single
request. It should be informative both in cases when the request is sent to
multiple KDCs, or to the same KDC multiple times.
For the purpose of testing and demo of the Audit, the JSON based modules are
implemented: "test" and "simple" audit modules respectively.
The file plugins/audit/j_dict.h is a dictionary used in this implememtations.
The new Audit system is build-time enabled and run-time pluggable.
[kaduk@mit.edu: remove potential KDC crashes, minor reordering]
ticket: 7712
target_version: 1.12
|
|
k5_bcmp acts similarly to the deprecated Unix bcmp() function,
returning zero if two memory regions are equal and nonzero if they are
not. It is implemented such that it should take the same amount of
time regardless of how many bytes are equal within the memory regions.
|
|
In kdc_check_transited_list, consult the KDB module first. If it
succeeds, treat this as authoritative and do not use the core
transited mechanisms. Modules can return KRB5_PLUGIN_NO_HANDLE to
fall back to core mechanisms.
ticket: 7709
|
|
Make krb5int_random_string() function available outside ccache code.
Move it into a separate file under lib/krb5/krb hierarchy.
|
|
If the error code is out of [0,127] range, assign it to KRB_ERR_GENERIC.
This fix is to correct the previous behavior with [0,128] range.
For more information see krb5_err.et
|
|
Some text mistakenly referred to password quality plugin.
|
|
If dns_canonicalize_hostname is set to false in [libdefaults],
krb5_sname_to_principal will not canonicalize the hostname using
either forward or reverse lookups.
ticket: 7703 (new)
|