From ghudson at MIT.EDU Fri May 1 16:07:14 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Fri, 1 May 2009 16:07:14 -0400 Subject: svn rev #22300: trunk/src/lib/krb5/krb/ Message-ID: <200905012007.n41K7EKb019897@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22300 Commit By: ghudson Log Message: Move an error check to an earlier location in krb5_524_conv_principal to fix a memory leak. Changed Files: U trunk/src/lib/krb5/krb/conv_princ.c Modified: trunk/src/lib/krb5/krb/conv_princ.c =================================================================== --- trunk/src/lib/krb5/krb/conv_princ.c 2009-04-30 20:48:36 UTC (rev 22299) +++ trunk/src/lib/krb5/krb/conv_princ.c 2009-05-01 20:07:13 UTC (rev 22300) @@ -156,6 +156,9 @@ unsigned int tmp_realm_len; int retval; + if (context->profile == 0) + return KRB5_CONFIG_CANTOPEN; + *name = *inst = '\0'; switch (krb5_princ_size(context, princ)) { case 2: @@ -218,8 +221,6 @@ /* Ask for v4_realm corresponding to krb5 principal realm from krb5.conf realms stanza */ - if (context->profile == 0) - return KRB5_CONFIG_CANTOPEN; retval = profile_get_string(context->profile, KRB5_CONF_REALMS, tmp_prealm, KRB5_CONF_V4_REALM, 0, &tmp_realm); From ghudson at MIT.EDU Fri May 1 16:11:01 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Fri, 1 May 2009 16:11:01 -0400 Subject: svn rev #22301: trunk/src/lib/krb5/keytab/ Message-ID: <200905012011.n41KB1nr020326@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22301 Commit By: ghudson Log Message: Check return value of ftell() in krb5_ktfileint_find_slot. Changed Files: U trunk/src/lib/krb5/keytab/kt_file.c Modified: trunk/src/lib/krb5/keytab/kt_file.c =================================================================== --- trunk/src/lib/krb5/keytab/kt_file.c 2009-05-01 20:07:13 UTC (rev 22300) +++ trunk/src/lib/krb5/keytab/kt_file.c 2009-05-01 20:11:01 UTC (rev 22301) 
@@ -1655,6 +1655,8 @@ for (;;) { commit_point = ftell(fp); + if (commit_point == -1) + return errno; if (!fread(&size, sizeof(size), 1, fp)) { /* Hit the end of file, reserve this slot. */ /* htonl(0) is 0, so no need to worry about byte order */ @@ -1685,6 +1687,8 @@ /* Empty record at end of file; use it. */ /* Ensure the new record will be followed by another 0. */ zero_point = ftell(fp); + if (zero_point == -1) + return errno; if (fseek(fp, *size_needed, SEEK_CUR)) return errno; /* htonl(0) is 0, so no need to worry about byte order */ From ghudson at MIT.EDU Fri May 1 16:19:43 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Fri, 1 May 2009 16:19:43 -0400 Subject: svn rev #22302: trunk/src/lib/krb5/krb/ Message-ID: <200905012019.n41KJhJH021338@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22302 Commit By: ghudson Log Message: Fix a memory leak by reorganizing krb5_principal_internalize to use the recommended flow control for error handling. Also initialize the output parameter so that it is set in case of error. Changed Files: U trunk/src/lib/krb5/krb/ser_princ.c Modified: trunk/src/lib/krb5/krb/ser_princ.c =================================================================== --- trunk/src/lib/krb5/krb/ser_princ.c 2009-05-01 20:11:01 UTC (rev 22301) +++ trunk/src/lib/krb5/krb/ser_princ.c 2009-05-01 20:19:43 UTC (rev 22302) 
@@ -125,50 +125,50 @@ krb5_principal_internalize(krb5_context kcontext, krb5_pointer *argp, krb5_octet **buffer, size_t *lenremain) { krb5_error_code kret; - krb5_principal principal; + krb5_principal principal = NULL; krb5_int32 ibuf; krb5_octet *bp; size_t remain; - char *tmpname; + char *tmpname = NULL; + *argp = NULL; bp = *buffer; remain = *lenremain; - kret = EINVAL; + /* Read our magic number */ - if (krb5_ser_unpack_int32(&ibuf, &bp, &remain)) - ibuf = 0; - if (ibuf == KV5M_PRINCIPAL) { - kret = ENOMEM; + if (krb5_ser_unpack_int32(&ibuf, &bp, &remain) || ibuf != KV5M_PRINCIPAL) + return EINVAL; - /* See if we have enough data for the length */ - if (!(kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain))) { - /* Get the string */ - if ((tmpname = (char *) malloc((size_t) (ibuf+1))) && - !(kret = krb5_ser_unpack_bytes((krb5_octet *) tmpname, - (size_t) ibuf, - &bp, &remain))) { - tmpname[ibuf] = '\0'; + /* Read the principal name */ + kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); + if (kret) + return kret; + tmpname = malloc(ibuf + 1); + kret = krb5_ser_unpack_bytes((krb5_octet *) tmpname, (size_t) ibuf, + &bp, &remain); + if (kret) + goto cleanup; + tmpname[ibuf] = '\0'; - /* Parse the name to a principal structure */ - principal = (krb5_principal) NULL; - kret = krb5_parse_name(kcontext, tmpname, &principal); - if (!kret) { - kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); - if (!kret && (ibuf == KV5M_PRINCIPAL)) { - *buffer = bp; - *lenremain = remain; - *argp = principal; - } - else - kret = EINVAL; - } - if (kret && principal) - krb5_free_principal(kcontext, principal); - free(tmpname); - } - } + /* Parse the name to a principal structure */ + kret = krb5_parse_name(kcontext, tmpname, &principal); + if (kret) + goto cleanup; + + /* Read the trailing magic number */ + if (krb5_ser_unpack_int32(&ibuf, &bp, &remain) || ibuf != KV5M_PRINCIPAL) { + kret = EINVAL; + goto cleanup; } - return(kret); + + *buffer = bp; + *lenremain = remain; + *argp = 
principal; +cleanup: + if (kret) + krb5_free_principal(kcontext, principal); + free(tmpname); + return kret; } /* From ghudson at MIT.EDU Sat May 2 00:58:19 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Sat, 2 May 2009 00:58:19 -0400 Subject: svn rev #22303: trunk/src/lib/krb5/krb/ Message-ID: <200905020458.n424wJbI021293@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22303 Commit By: ghudson Log Message: Fix a memory leak in krb5int_rd_chpw_rep in a block of code handling buggy MS KDC behavior. It's not entirely clear what should happen in the case where memory was leaked (error packet received containing e_data) so pick a conservative option. Changed Files: U trunk/src/lib/krb5/krb/chpw.c Modified: trunk/src/lib/krb5/krb/chpw.c =================================================================== --- trunk/src/lib/krb5/krb/chpw.c 2009-05-01 20:19:43 UTC (rev 22302) +++ trunk/src/lib/krb5/krb/chpw.c 2009-05-02 04:58:19 UTC (rev 22303) @@ -110,11 +110,12 @@ if ((ret = krb5_rd_error(context, packet, &krberror))) return(ret); - if (krberror->e_data.data == NULL) { + if (krberror->e_data.data == NULL) ret = ERROR_TABLE_BASE_krb5 + (krb5_error_code) krberror->error; - krb5_free_error(context, krberror); - return (ret); - } + else + ret = KRB5KRB_AP_ERR_MODIFIED; + krb5_free_error(context, krberror); + return(ret); } else { return(KRB5KRB_AP_ERR_MODIFIED); } From ghudson at MIT.EDU Sun May 3 14:47:28 2009 
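Review bot: In ser_princ.c, the rewritten krb5_principal_internalize hands the result of `tmpname = malloc(ibuf + 1);` straight to krb5_ser_unpack_bytes without a NULL check, whereas the removed code tested the allocation before using it. ibuf is a signed 32-bit length read from the serialized buffer, so a negative or oversized value also reaches `ibuf + 1` and the `(size_t) ibuf` cast unvalidated. I would add `if (ibuf < 0 || (size_t) ibuf > remain) return EINVAL;` before the allocation and `if (tmpname == NULL) return ENOMEM;` after it. Whether krb5_ser_unpack_bytes tolerates a NULL destination is not visible in this hunk.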
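Review bot: In chpw.c, the new `else ret = KRB5KRB_AP_ERR_MODIFIED;` branch in krb5int_rd_chpw_rep discards the error code carried in the KRB-ERROR whenever e_data is present, and nothing in the code says why. The log message explains that the right behaviour is unclear and that a conservative result was chosen; that reasoning belongs next to the branch, for example `/* e_data present: meaning is unclear for this MS KDC workaround, so fail conservatively. */`. The enclosing block starts outside the hunk.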
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Sun, 3 May 2009 14:47:28 -0400 Subject: svn rev #22304: trunk/doc/ Message-ID: <200905031847.n43IlSHO026691@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22304 Commit By: ghudson Log Message: Fix formatting of ok_as_delegate documentation in admin guide. Changed Files: U trunk/doc/admin.texinfo Modified: trunk/doc/admin.texinfo =================================================================== --- trunk/doc/admin.texinfo 2009-05-02 04:58:19 UTC (rev 22303) +++ trunk/doc/admin.texinfo 2009-05-03 18:47:27 UTC (rev 22304) @@ -2274,7 +2274,7 @@ ``+password_changing_service'' option sets the KRB5_KDB_PWCHANGE_SERVICE flag on the principal in the database. - at item @{-|+}ok_as_delegate + at item @{-|+@}ok_as_delegate The ``+ok_as_delegate'' option sets a flag in tickets issued for the service principal. Some client programs may recognize this flag as indicating that it is okay to delegate credentials to the service. If From ghudson at MIT.EDU Mon May 4 12:08:04 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Mon, 4 May 2009 12:08:04 -0400 Subject: svn rev #22305: trunk/src/lib/krb5/krb/ Message-ID: <200905041608.n44G84aH003797@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22305 Commit By: ghudson Log Message: krb5_rd_rep could leak memory through its output parameter on error. Adjust the flow control so that *repl is NULL on error and the memory allocated by decode_krb5_ap_rep_enc_part is freed. Changed Files: U trunk/src/lib/krb5/krb/rd_rep.c Modified: trunk/src/lib/krb5/krb/rd_rep.c =================================================================== --- trunk/src/lib/krb5/krb/rd_rep.c 2009-05-03 18:47:27 UTC (rev 22304) +++ trunk/src/lib/krb5/krb/rd_rep.c 2009-05-04 16:08:03 UTC (rev 22305) 
@@ -73,49 +73,53 @@ const krb5_data *inbuf, krb5_ap_rep_enc_part **repl) { krb5_error_code retval; - krb5_ap_rep * reply; + krb5_ap_rep *reply = NULL; + krb5_ap_rep_enc_part *enc = NULL; krb5_data scratch; + *repl = NULL; + if (!krb5_is_ap_rep(inbuf)) return KRB5KRB_AP_ERR_MSG_TYPE; - /* decode it */ - - if ((retval = decode_krb5_ap_rep(inbuf, &reply))) + /* Decode inbuf. */ + retval = decode_krb5_ap_rep(inbuf, &reply); + if (retval) return retval; - /* put together an eblock for this encryption */ - + /* Put together an eblock for this encryption. */ scratch.length = reply->enc_part.ciphertext.length; - if (!(scratch.data = malloc(scratch.length))) { - krb5_free_ap_rep(context, reply); - return(ENOMEM); + scratch.data = malloc(scratch.length); + if (scratch.data == NULL) { + retval = ENOMEM; + goto clean_scratch; } - if ((retval = krb5_c_decrypt(context, auth_context->keyblock, - KRB5_KEYUSAGE_AP_REP_ENCPART, 0, - &reply->enc_part, &scratch))) + retval = krb5_c_decrypt(context, auth_context->keyblock, + KRB5_KEYUSAGE_AP_REP_ENCPART, 0, + &reply->enc_part, &scratch); + if (retval) goto clean_scratch; - /* now decode the decrypted stuff */ - retval = decode_krb5_ap_rep_enc_part(&scratch, repl); + /* Now decode the decrypted stuff. */ + retval = decode_krb5_ap_rep_enc_part(&scratch, &enc); if (retval) goto clean_scratch; - /* Check reply fields */ - if (((*repl)->ctime != auth_context->authentp->ctime) || - ((*repl)->cusec != auth_context->authentp->cusec)) { + /* Check reply fields. */ + if ((enc->ctime != auth_context->authentp->ctime) + || (enc->cusec != auth_context->authentp->cusec)) { retval = KRB5_MUTUAL_FAILED; goto clean_scratch; } - /* Set auth subkey */ - if ((*repl)->subkey) { + /* Set auth subkey. 
*/ + if (enc->subkey) { if (auth_context->recv_subkey) { krb5_free_keyblock(context, auth_context->recv_subkey); auth_context->recv_subkey = NULL; } - retval = krb5_copy_keyblock(context, (*repl)->subkey, + retval = krb5_copy_keyblock(context, enc->subkey, &auth_context->recv_subkey); if (retval) goto clean_scratch; @@ -123,23 +127,27 @@ krb5_free_keyblock(context, auth_context->send_subkey); auth_context->send_subkey = NULL; } - retval = krb5_copy_keyblock(context, (*repl)->subkey, + retval = krb5_copy_keyblock(context, enc->subkey, &auth_context->send_subkey); if (retval) { krb5_free_keyblock(context, auth_context->send_subkey); auth_context->send_subkey = NULL; + goto clean_scratch; } - /* not used for anything yet */ - auth_context->negotiated_etype = (*repl)->subkey->enctype; + /* Not used for anything yet. */ + auth_context->negotiated_etype = enc->subkey->enctype; } - /* Get remote sequence number */ - auth_context->remote_seq_number = (*repl)->seq_number; + /* Get remote sequence number. */ + auth_context->remote_seq_number = enc->seq_number; + *repl = enc; + enc = NULL; + clean_scratch: memset(scratch.data, 0, scratch.length); - krb5_free_ap_rep(context, reply); + krb5_free_ap_rep_enc_part(context, enc); free(scratch.data); return retval; } From ghudson at MIT.EDU Mon May 4 13:06:44 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Mon, 4 May 2009 13:06:44 -0400 Subject: svn rev #22306: trunk/src/lib/krb5/krb/ Message-ID: <200905041706.n44H6iVl007438@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22306 Commit By: ghudson Log Message: Fix some direct returns in krb5_get_cred_from_kdc_opt which would leak memory. Changed Files: U trunk/src/lib/krb5/krb/gc_frm_kdc.c Modified: trunk/src/lib/krb5/krb/gc_frm_kdc.c =================================================================== --- trunk/src/lib/krb5/krb/gc_frm_kdc.c 2009-05-04 16:08:03 UTC (rev 22305) +++ trunk/src/lib/krb5/krb/gc_frm_kdc.c 2009-05-04 17:06:43 UTC (rev 22306) 
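Review bot: In the first rd_rep.c hunk, the new allocation-failure path (`retval = ENOMEM; goto clean_scratch;`) lands on `memset(scratch.data, 0, scratch.length);` with scratch.data NULL and scratch.length already set from the ciphertext length, which is a NULL dereference for any non-empty ciphertext. The label needs a guard, `if (scratch.data) memset(scratch.data, 0, scratch.length);`. Rev 22309 further down this page adds exactly that guard, so this revision on its own should not be picked up without it.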
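Review bot: In rd_rep.c, a failure of the send_subkey copy now jumps to clean_scratch after auth_context->recv_subkey has already been replaced, so krb5_rd_rep returns an error with *repl NULL while the auth context keeps a new receive subkey and no send subkey. The subkey block spans both hunks of this file. Copying into locals first and installing both keys only when neither copy has failed keeps the context unchanged on error, as sketched below.

```c
    if (enc->subkey) {
        krb5_keyblock *recv_copy = NULL, *send_copy = NULL;

        retval = krb5_copy_keyblock(context, enc->subkey, &recv_copy);
        if (retval)
            goto clean_scratch;
        retval = krb5_copy_keyblock(context, enc->subkey, &send_copy);
        if (retval) {
            krb5_free_keyblock(context, recv_copy);
            goto clean_scratch;
        }
        /* Install both copies only once nothing else can fail. */
        if (auth_context->recv_subkey)
            krb5_free_keyblock(context, auth_context->recv_subkey);
        auth_context->recv_subkey = recv_copy;
        if (auth_context->send_subkey)
            krb5_free_keyblock(context, auth_context->send_subkey);
        auth_context->send_subkey = send_copy;
        /* ... unchanged: negotiated_etype assignment ... */
```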
@@ -968,8 +968,11 @@ DPRINTF(("gc_from_kdc: no server realm supplied, " "using client realm.\n")); krb5_free_data_contents(context, &server->realm); - if (!( server->realm.data = (char *)malloc(client->realm.length+1))) - return ENOMEM; + server->realm.data = malloc(client->realm.length + 1); + if (server->realm.data == NULL) { + retval = ENOMEM; + goto cleanup; + } memcpy(server->realm.data, client->realm.data, client->realm.length); server->realm.length = client->realm.length; server->realm.data[server->realm.length] = 0; @@ -1146,7 +1149,7 @@ &tgtptr->server->data[1], &server->realm); if (retval) - return retval; + goto cleanup; /* * Future work: rewrite server principal per any * supplied padata. @@ -1194,7 +1197,8 @@ */ DPRINTF(("gc_from_kdc: referral specified " "but no fallback realm avaiable!\n")); - return KRB5_ERR_HOST_REALM_UNKNOWN; + retval = KRB5_ERR_HOST_REALM_UNKNOWN; + goto cleanup; } } @@ -1308,14 +1312,23 @@ if (subretval) { #endif /* Allocate returnable TGT list. */ - if (!(*tgts=calloc(sizeof (krb5_creds *), 2))) - return ENOMEM; - subretval=krb5_copy_creds(context, referral_tgts[0], &((*tgts)[0])); - if(subretval) - return subretval; - (*tgts)[1]=NULL; - DUMP_PRINC("gc_from_kdc: returning referral TGT for ccache", - (*tgts)[0]->server); + *tgts = calloc(2, sizeof (krb5_creds *)); + if (*tgts == NULL && retval == 0) + retval = ENOMEM; + if (*tgts) { + subretval = krb5_copy_creds(context, referral_tgts[0], + &((*tgts)[0])); + if (subretval) { + if (retval == 0) + retval = subretval; + free(*tgts); + *tgts = NULL; + } else { + (*tgts)[1] = NULL; + DUMP_PRINC("gc_from_kdc: referral TGT for ccache", + (*tgts)[0]->server); + } + } #if 0 } #endif From ghudson at MIT.EDU Mon May 4 13:16:38 2009 
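Review bot: In the last gc_frm_kdc.c hunk, a failure while building the returnable TGT list can set retval after the exchange itself succeeded (`if (retval == 0) retval = subretval;`), so the shared cleanup code has to release whatever credential was already produced for the caller. The cleanup label lies outside all four hunks, so I cannot confirm that it frees and clears the credential output when retval is set this late; if it does not, this path trades one leak for another. A comment at the assignment, e.g. `/* Late failure: cleanup must also drop the already-obtained credential. */`, would make that dependency explicit. The DUMP_PRINC message text also changes in this hunk without a mention in the log.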
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Mon, 4 May 2009 13:16:38 -0400 Subject: svn rev #22307: trunk/src/lib/krb5/krb/ Message-ID: <200905041716.n44HGcKM008006@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22307 Commit By: ghudson Log Message: Fix an error message memory leak in krb5_preauth_supply_preauth_data. Changed Files: U trunk/src/lib/krb5/krb/preauth2.c Modified: trunk/src/lib/krb5/krb/preauth2.c =================================================================== --- trunk/src/lib/krb5/krb/preauth2.c 2009-05-04 17:06:43 UTC (rev 22306) +++ trunk/src/lib/krb5/krb/preauth2.c 2009-05-04 17:16:38 UTC (rev 22307) @@ -260,6 +260,7 @@ emsg = krb5_get_error_message(context, retval); krb5int_set_error(&context->err, retval, "Preauth plugin %s: %s", context->preauth_context->modules[i].name, emsg); + krb5_free_error_message(context, emsg); break; } } From ghudson at MIT.EDU Mon May 4 15:43:36 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Mon, 4 May 2009 15:43:36 -0400 Subject: svn rev #22308: trunk/src/lib/krb5/krb/ Message-ID: <200905041943.n44JhaKX016948@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22308 Commit By: ghudson Log Message: Simplify cleanup in obtain_sam_padata slightly. Changed Files: U trunk/src/lib/krb5/krb/preauth.c Modified: trunk/src/lib/krb5/krb/preauth.c =================================================================== --- trunk/src/lib/krb5/krb/preauth.c 2009-05-04 17:16:38 UTC (rev 22307) +++ trunk/src/lib/krb5/krb/preauth.c 2009-05-04 19:43:36 UTC (rev 22308) @@ -455,7 +455,7 @@ obtain_sam_padata(krb5_context context, krb5_pa_data *in_padata, krb5_etype_info etype_info, krb5_keyblock *def_enc_key, git_key_proc key_proc, krb5_const_pointer key_seed, krb5_creds *creds, krb5_kdc_req *request, krb5_pa_data **out_padata) { krb5_error_code retval; - krb5_data * scratch; + krb5_data * scratch = 0; krb5_data tmpsam; krb5_pa_data * pa; krb5_sam_challenge *sam_challenge = 0; 
@@ -566,9 +566,7 @@ retval = 0; cleanup: - if (scratch) - krb5_free_data(context, scratch); - if (sam_challenge) - free(sam_challenge); + krb5_free_data(context, scratch); + free(sam_challenge); return retval; } From ghudson at MIT.EDU Tue May 5 12:00:41 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Tue, 5 May 2009 12:00:41 -0400 Subject: svn rev #22309: trunk/src/lib/krb5/krb/ Message-ID: <200905051600.n45G0fQO022414@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22309 Commit By: ghudson Log Message: Fix a case in the krb5_rd_rep error handler (introduced in the last commit) where scratch.data could be indirected through even if it wasn't allocated successfully. Changed Files: U trunk/src/lib/krb5/krb/rd_rep.c Modified: trunk/src/lib/krb5/krb/rd_rep.c =================================================================== --- trunk/src/lib/krb5/krb/rd_rep.c 2009-05-04 19:43:36 UTC (rev 22308) +++ trunk/src/lib/krb5/krb/rd_rep.c 2009-05-05 16:00:40 UTC (rev 22309) @@ -145,10 +145,11 @@ enc = NULL; clean_scratch: - memset(scratch.data, 0, scratch.length); + if (scratch.data) + memset(scratch.data, 0, scratch.length); + free(scratch.data); krb5_free_ap_rep(context, reply); krb5_free_ap_rep_enc_part(context, enc); - free(scratch.data); return retval; } From ghudson at MIT.EDU Tue May 5 12:30:19 2009 
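Review bot: In rd_rep.c, the scrub at clean_scratch is a plain `memset` on a buffer that is freed on the very next line, which an optimizing compiler is allowed to drop as a dead store. scratch holds the decrypted AP-REP encrypted part, including any subkey, so the wipe should go through a routine the compiler cannot elide, for example `explicit_bzero(scratch.data, scratch.length);` where the platform provides it, or a library-wide zeroization helper. The `if (scratch.data)` guard added by this commit stays as it is.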
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Tue, 5 May 2009 12:30:19 -0400 Subject: svn rev #22310: trunk/src/lib/krb5/krb/ Message-ID: <200905051630.n45GUJwT024107@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22310 Commit By: ghudson Log Message: ticket: 6401 In krb5_get_in_tkt, free the whole encoded request (since the structure was allocated by encode_krb5_as_req), not just the contents. Changed Files: U trunk/src/lib/krb5/krb/get_in_tkt.c Modified: trunk/src/lib/krb5/krb/get_in_tkt.c =================================================================== --- trunk/src/lib/krb5/krb/get_in_tkt.c 2009-05-05 16:00:40 UTC (rev 22309) +++ trunk/src/lib/krb5/krb/get_in_tkt.c 2009-05-05 16:30:19 UTC (rev 22310) @@ -649,7 +649,7 @@ retval = send_as_request(context, encoded_request, krb5_princ_realm(context, request.client), &err_reply, &as_reply, &use_master); - krb5_free_data_contents(context, encoded_request); + krb5_free_data(context, encoded_request); if (retval != 0) goto cleanup; From ghudson at MIT.EDU Tue May 5 12:35:31 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Tue, 5 May 2009 12:35:31 -0400 Subject: svn rev #22311: trunk/src/lib/krb5/krb/ Message-ID: <200905051635.n45GZVUB024466@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22311 Commit By: ghudson Log Message: Remove some unnecessary null checks in krb5_get_in_tkt_with_keytab. Changed Files: U trunk/src/lib/krb5/krb/gic_keytab.c Modified: trunk/src/lib/krb5/krb/gic_keytab.c =================================================================== --- trunk/src/lib/krb5/krb/gic_keytab.c 2009-05-05 16:30:19 UTC (rev 22310) +++ trunk/src/lib/krb5/krb/gic_keytab.c 2009-05-05 16:35:31 UTC (rev 22311) 
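Review bot: In get_in_tkt.c, `krb5_free_data(context, encoded_request);` leaves encoded_request pointing at freed memory immediately before a `goto cleanup`, and the pointer stays in scope for the rest of krb5_get_in_tkt. The cleanup label and any enclosing retry logic are outside the hunk, so whether the stale pointer is touched again cannot be seen here. Adding `encoded_request = NULL;` on the following line removes the question; rev 22308 on this page already calls krb5_free_data without a NULL guard, which suggests a later free of the cleared pointer would be harmless.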
@@ -202,10 +202,8 @@ if (retval) { goto cleanup; } - if (creds->server) - krb5_free_principal( context, creds->server); - if (creds->client) - krb5_free_principal( context, creds->client); + krb5_free_principal(context, creds->server); + krb5_free_principal(context, creds->client); creds->client = client_princ; creds->server = server_princ; From ghudson at MIT.EDU Tue May 5 12:39:54 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Tue, 5 May 2009 12:39:54 -0400 Subject: svn rev #22312: trunk/src/lib/krb5/krb/ Message-ID: <200905051639.n45Gds7H024713@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22312 Commit By: ghudson Log Message: Remove some unnecessary null checks in krb5_get_in_tkt_with_password. Changed Files: U trunk/src/lib/krb5/krb/gic_pwd.c Modified: trunk/src/lib/krb5/krb/gic_pwd.c =================================================================== --- trunk/src/lib/krb5/krb/gic_pwd.c 2009-05-05 16:35:31 UTC (rev 22311) +++ trunk/src/lib/krb5/krb/gic_pwd.c 2009-05-05 16:39:54 UTC (rev 22312) @@ -520,10 +520,8 @@ if (retval) { return (retval); } - if (creds->server) - krb5_free_principal( context, creds->server); - if (creds->client) - krb5_free_principal( context, creds->client); + krb5_free_principal( context, creds->server); + krb5_free_principal( context, creds->client); creds->client = client_princ; creds->server = server_princ; /* store it in the ccache! */ From ghudson at MIT.EDU Tue May 5 12:46:29 2009 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Tue, 5 May 2009 12:46:29 -0400 Subject: svn rev #22313: trunk/src/lib/krb5/krb/ Message-ID: <200905051646.n45GkTF3025166@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22313 Commit By: ghudson Log Message: In krb5int_rd_setpw_rep, if we get an error result, set ap_rep.length to 0 so that it is initialized for a check later in the function. Changed Files: U trunk/src/lib/krb5/krb/chpw.c Modified: trunk/src/lib/krb5/krb/chpw.c =================================================================== --- trunk/src/lib/krb5/krb/chpw.c 2009-05-05 16:39:54 UTC (rev 22312) +++ trunk/src/lib/krb5/krb/chpw.c 2009-05-05 16:46:29 UTC (rev 22313) @@ -370,6 +370,7 @@ krberror->e_data.data = NULL; /*So we can free it later*/ krberror->e_data.length = 0; krb5_free_error(context, krberror); + ap_rep.length = 0; } else { /* Not an error*/ From ghudson at MIT.EDU Tue May 5 12:55:59 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Tue, 5 May 2009 12:55:59 -0400 Subject: svn rev #22314: trunk/src/lib/krb5/krb/ Message-ID: <200905051655.n45GtxCB025719@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22314 Commit By: ghudson Log Message: In pa_sam_2, free scratch in a couple of error-handling blocks where it was live and not freed. The function should be reorganized to use a cleanup handler, but (I believe) is not covered by the test suite and should not undergo such major surgery until it is. Changed Files: U trunk/src/lib/krb5/krb/preauth2.c Modified: trunk/src/lib/krb5/krb/preauth2.c =================================================================== --- trunk/src/lib/krb5/krb/preauth2.c 2009-05-05 16:46:29 UTC (rev 22313) +++ trunk/src/lib/krb5/krb/preauth2.c 2009-05-05 16:55:58 UTC (rev 22314) 
@@ -1652,6 +1652,7 @@ if (retval) { krb5_free_sam_challenge_2(context, sc2); krb5_free_sam_challenge_2_body(context, sc2b); + krb5_free_data(context, scratch); return(retval); } sr2.sam_enc_nonce_or_sad.ciphertext.length = ciph_len; @@ -1662,6 +1663,7 @@ if (!sr2.sam_enc_nonce_or_sad.ciphertext.data) { krb5_free_sam_challenge_2(context, sc2); krb5_free_sam_challenge_2_body(context, sc2b); + krb5_free_data(context, scratch); return(ENOMEM); } From ghudson at MIT.EDU Tue May 5 12:57:42 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Tue, 5 May 2009 12:57:42 -0400 Subject: svn rev #22315: trunk/src/lib/krb5/krb/ Message-ID: <200905051657.n45GvgaX025822@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22315 Commit By: ghudson Log Message: In pa_sam_2, free sc2 in an error-handling case where it was leaked. Changed Files: U trunk/src/lib/krb5/krb/preauth2.c Modified: trunk/src/lib/krb5/krb/preauth2.c =================================================================== --- trunk/src/lib/krb5/krb/preauth2.c 2009-05-05 16:55:58 UTC (rev 22314) +++ trunk/src/lib/krb5/krb/preauth2.c 2009-05-05 16:57:42 UTC (rev 22315) @@ -1417,8 +1417,10 @@ retval = decode_krb5_sam_challenge_2_body(&sc2->sam_challenge_2_body, &sc2b); - if (retval) + if (retval) { + krb5_free_sam_challenge_2(context, sc2); return(retval); + } if (!sc2->sam_cksum || ! *sc2->sam_cksum) { krb5_free_sam_challenge_2(context, sc2); From ghudson at MIT.EDU Tue May 5 13:08:54 2009 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Tue, 5 May 2009 13:08:54 -0400 Subject: svn rev #22316: trunk/src/lib/krb5/krb/ Message-ID: <200905051708.n45H8sGo026650@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22316 Commit By: ghudson Log Message: Fix a memory leak in krb5_obtain_padata. Changed Files: U trunk/src/lib/krb5/krb/preauth.c Modified: trunk/src/lib/krb5/krb/preauth.c =================================================================== --- trunk/src/lib/krb5/krb/preauth.c 2009-05-05 16:57:42 UTC (rev 22315) +++ trunk/src/lib/krb5/krb/preauth.c 2009-05-05 17:08:54 UTC (rev 22316) @@ -189,7 +189,7 @@ * This will set the salt length */ if ((retval = krb5_principal2salt(context, request->client, &salt))) - return(retval); + goto cleanup; f_salt = 1; } From ghudson at MIT.EDU Tue May 5 13:11:48 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Tue, 5 May 2009 13:11:48 -0400 Subject: svn rev #22317: trunk/src/lib/krb5/krb/ Message-ID: <200905051711.n45HBm6q026927@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22317 Commit By: ghudson Log Message: Fix a memory leak in pa_sam. Changed Files: U trunk/src/lib/krb5/krb/preauth2.c Modified: trunk/src/lib/krb5/krb/preauth2.c =================================================================== --- trunk/src/lib/krb5/krb/preauth2.c 2009-05-05 17:08:54 UTC (rev 22316) +++ trunk/src/lib/krb5/krb/preauth2.c 2009-05-05 17:11:48 UTC (rev 22317) @@ -876,8 +876,11 @@ *etype = ENCTYPE_DES_CBC_CRC; if ((ret = (gak_fct)(context, request->client, *etype, prompter, - prompter_data, salt, s2kparams, as_key, gak_data))) - return(ret); + prompter_data, salt, s2kparams, as_key, + gak_data))) { + krb5_free_sam_challenge(context, sam_challenge); + return(ret); + } } snprintf(name, sizeof(name), "%.*s", SAMDATA(sam_challenge->sam_type_name, "SAM Authentication", From ghudson at MIT.EDU Wed May 6 11:56:22 2009 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Wed, 6 May 2009 11:56:22 -0400 Subject: svn rev #22318: trunk/src/lib/krb5/krb/ Message-ID: <200905061556.n46FuMFD014602@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22318 Commit By: ghudson Log Message: Fix a memory leak in pa_sam_2 where an outer data structure wasn't freed after the contents are coopted. Changed Files: U trunk/src/lib/krb5/krb/preauth2.c Modified: trunk/src/lib/krb5/krb/preauth2.c =================================================================== --- trunk/src/lib/krb5/krb/preauth2.c 2009-05-05 17:11:48 UTC (rev 22317) +++ trunk/src/lib/krb5/krb/preauth2.c 2009-05-06 15:56:21 UTC (rev 22318) @@ -1705,6 +1705,7 @@ sam_padata->pa_type = KRB5_PADATA_SAM_RESPONSE_2; sam_padata->length = scratch->length; sam_padata->contents = (krb5_octet *) scratch->data; + free(scratch); *out_padata = sam_padata; From ghudson at MIT.EDU Wed May 6 14:52:44 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Wed, 6 May 2009 14:52:44 -0400 Subject: svn rev #22319: trunk/src/lib/krb5/krb/ Message-ID: <200905061852.n46IqiY6025544@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22319 Commit By: ghudson Log Message: ticket: 6210 In pa_sam, use the correct function to free sam_challenge in the success path. Changed Files: U trunk/src/lib/krb5/krb/preauth2.c Modified: trunk/src/lib/krb5/krb/preauth2.c =================================================================== --- trunk/src/lib/krb5/krb/preauth2.c 2009-05-06 15:56:21 UTC (rev 22318) +++ trunk/src/lib/krb5/krb/preauth2.c 2009-05-06 18:52:44 UTC (rev 22319) @@ -1026,7 +1026,7 @@ sam_response.sam_type = sam_challenge->sam_type; sam_response.magic = KV5M_SAM_RESPONSE; - free(sam_challenge); + krb5_free_sam_challenge(context, sam_challenge); /* encode the encoded part of the response */ if ((ret = encode_krb5_enc_sam_response_enc(&enc_sam_response_enc, From ghudson at MIT.EDU Wed May 6 14:53:03 2009 
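Review bot: In preauth2.c (rev 22318), `free(scratch);` right after `sam_padata->contents = (krb5_octet *) scratch->data;` is correct only because ownership of the data buffer has just moved to sam_padata, and the code does not say so. A later reader who replaces it with krb5_free_data would leave sam_padata->contents dangling, so a comment is worth adding: `/* sam_padata now owns scratch->data; release only the container. */`. pa_sam_2 starts and ends outside the hunk, so I have not checked whether scratch is referenced again afterwards; `scratch = NULL;` after the free would guard against that as well.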
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Wed, 6 May 2009 14:53:03 -0400 Subject: svn rev #22320: trunk/src/lib/krb5/krb/ Message-ID: <200905061853.n46Ir3BC025580@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22320 Commit By: ghudson Log Message: Fix multiple memory leaks in obtain_sam_padata. Changed Files: U trunk/src/lib/krb5/krb/preauth.c Modified: trunk/src/lib/krb5/krb/preauth.c =================================================================== --- trunk/src/lib/krb5/krb/preauth.c 2009-05-06 18:52:44 UTC (rev 22319) +++ trunk/src/lib/krb5/krb/preauth.c 2009-05-06 18:53:03 UTC (rev 22320) @@ -463,8 +463,10 @@ /* these two get encrypted and stuffed in to sam_response */ krb5_enc_sam_response_enc enc_sam_response_enc; krb5_keyblock * sam_use_key = 0; - char * prompt; + char *prompt = 0, *passcode = 0; + sam_response.sam_enc_nonce_or_ts.ciphertext.data = 0; + tmpsam.length = in_padata->length; tmpsam.data = (char *) in_padata->contents; retval = decode_krb5_sam_challenge(&tmpsam, &sam_challenge); @@ -472,7 +474,8 @@ return retval; if (sam_challenge->sam_flags & KRB5_SAM_MUST_PK_ENCRYPT_SAD) { - return KRB5_SAM_UNSUPPORTED; + retval = KRB5_SAM_UNSUPPORTED; + goto cleanup; } enc_sam_response_enc.sam_nonce = sam_challenge->sam_nonce; 
@@ -480,44 +483,44 @@ retval = krb5_us_timeofday(context, &enc_sam_response_enc.sam_timestamp, &enc_sam_response_enc.sam_usec); + if (retval) + goto cleanup; sam_response.sam_patimestamp = enc_sam_response_enc.sam_timestamp; } - if (retval) - return retval; if (sam_challenge->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD) { /* encrypt passcode in key by stuffing it here */ unsigned int pcsize = 256; - char *passcode = malloc(pcsize+1); - if (passcode == NULL) - return ENOMEM; + passcode = malloc(pcsize + 1); + if (passcode == NULL) { + retval = ENOMEM; + goto cleanup; + } prompt = handle_sam_labels(sam_challenge); if (prompt == NULL) { - free(passcode); - return ENOMEM; + retval = ENOMEM; + goto cleanup; } retval = krb5_read_password(context, prompt, 0, passcode, &pcsize); - free(prompt); - - if (retval) { - free(passcode); - return retval; - } + if (retval) + goto cleanup; enc_sam_response_enc.sam_sad.data = passcode; enc_sam_response_enc.sam_sad.length = pcsize; } else if (sam_challenge->sam_flags & KRB5_SAM_USE_SAD_AS_KEY) { prompt = handle_sam_labels(sam_challenge); - if (prompt == NULL) - return ENOMEM; + if (prompt == NULL) { + retval = ENOMEM; + goto cleanup; + } retval = sam_get_pass_from_user(context, etype_info, key_proc, key_seed, request, &sam_use_key, prompt); - free(prompt); if (retval) - return retval; + goto cleanup; enc_sam_response_enc.sam_sad.length = 0; } else { /* what *was* it? */ - return KRB5_SAM_UNSUPPORTED; + retval = KRB5_SAM_UNSUPPORTED; + goto cleanup; } /* so at this point, either sam_use_key is generated from the passcode @@ -526,7 +529,7 @@ /* encode the encoded part of the response */ if ((retval = encode_krb5_enc_sam_response_enc(&enc_sam_response_enc, &scratch)) != 0) - return retval; + goto cleanup; if ((retval = krb5_encrypt_data(context, sam_use_key?sam_use_key:def_enc_key, 
@@ -548,7 +551,7 @@ sam_response.magic = KV5M_SAM_RESPONSE; if ((retval = encode_krb5_sam_response(&sam_response, &scratch)) != 0) - return retval; + goto cleanup; if ((pa = malloc(sizeof(krb5_pa_data))) == NULL) { retval = ENOMEM; @@ -567,6 +570,9 @@ cleanup: krb5_free_data(context, scratch); - free(sam_challenge); + krb5_free_sam_challenge(context, sam_challenge); + free(prompt); + free(passcode); + free(sam_response.sam_enc_nonce_or_ts.ciphertext.data); return retval; } From ghudson at MIT.EDU Wed May 6 14:54:47 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Wed, 6 May 2009 14:54:47 -0400 Subject: svn rev #22321: trunk/src/lib/krb5/krb/ Message-ID: <200905061854.n46IslD4025690@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22321 Commit By: ghudson Log Message: Fix yet another memory leak in pa_sam. Changed Files: U trunk/src/lib/krb5/krb/preauth2.c Modified: trunk/src/lib/krb5/krb/preauth2.c =================================================================== --- trunk/src/lib/krb5/krb/preauth2.c 2009-05-06 18:53:03 UTC (rev 22320) +++ trunk/src/lib/krb5/krb/preauth2.c 2009-05-06 18:54:47 UTC (rev 22321) @@ -1016,6 +1016,7 @@ } else { /* Eventually, combine SAD with long-term key to get encryption key. */ + krb5_free_sam_challenge(context, sam_challenge); return KRB5_PREAUTH_BAD_TYPE; } From ghudson at MIT.EDU Thu May 7 15:42:58 2009 
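Review bot: At the `cleanup:` label, `free(passcode)` releases the buffer that `krb5_read_password` filled in the @@ -480 hunk without clearing it, so the user's SAM passcode stays in freed heap memory on every exit path. Clear the whole allocation before freeing it; `pcsize` cannot supply the length because it is scoped to the `if` block and is passed by address to `krb5_read_password` (presumably updated to the entered length), so the 257-byte size needs a name visible at `cleanup`. Something like `if (passcode) { memset(passcode, 0, PASSCODE_BUFSZ); free(passcode); }`, using a zeroing call the compiler will not elide; `PASSCODE_BUFSZ` is a placeholder, not an existing constant. The function begins outside this hunk.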
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Thu, 7 May 2009 15:42:58 -0400 Subject: svn rev #22322: trunk/src/lib/krb5/krb/ Message-ID: <200905071942.n47JgwuV019839@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22322 Commit By: ghudson Log Message: After consultation with kenh, remove a comment and if statement which should no longer apply to the pa_sam_2 code, fixing a memory leak. Changed Files: U trunk/src/lib/krb5/krb/preauth2.c Modified: trunk/src/lib/krb5/krb/preauth2.c =================================================================== --- trunk/src/lib/krb5/krb/preauth2.c 2009-05-06 18:54:47 UTC (rev 22321) +++ trunk/src/lib/krb5/krb/preauth2.c 2009-05-07 19:42:57 UTC (rev 22322) @@ -1607,13 +1607,6 @@ } if (!valid_cksum) { - - /* If KRB5_SAM_SEND_ENCRYPTED_SAD is set, then password is only */ - /* source for checksum key. Therefore, a bad checksum means a */ - /* bad password. Don't give that direct feedback to someone */ - /* trying to brute-force passwords. */ - - if (!(sc2b->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD)) krb5_free_sam_challenge_2(context, sc2); krb5_free_sam_challenge_2_body(context, sc2b); /* From ghudson at MIT.EDU Thu May 7 15:51:46 2009 
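Review bot: Nothing in the new code records why a checksum failure is now handled the same way for every flag combination; the deleted comment was the only place the password-guessing consideration for KRB5_SAM_SEND_ENCRYPTED_SAD was written down. As the hunk shows, the removed unbraced `if` guarded only `krb5_free_sam_challenge_2(context, sc2)`, so the leak fix itself is sound, but a short replacement at `if (!valid_cksum)` such as `/* Bad checksum: always free sc2 and sc2b before failing. */` would keep the intent visible. The return statement and its error code come after the hunk's last line, so whether the caller can tell a wrong password from other failures cannot be confirmed from here.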
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Thu, 7 May 2009 15:51:46 -0400 Subject: svn rev #22323: trunk/src/lib/kadm5/ srv/ unit-test/api.0/ unit-test/api.2/ Message-ID: <200905071951.n47JpkE3020430@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22323 Commit By: ghudson Log Message: ticket: 6482 subject: Allow more than 10 past keys to be stored by a policy target_version: 1.7 tags: pullup Remove the arbitrary limit of 10 past keys in policies. We were not taking advantage of that limit in any other code. Changed Files: U trunk/src/lib/kadm5/srv/svr_policy.c U trunk/src/lib/kadm5/unit-test/api.0/crte-policy.exp U trunk/src/lib/kadm5/unit-test/api.2/crte-policy.exp Modified: trunk/src/lib/kadm5/srv/svr_policy.c =================================================================== --- trunk/src/lib/kadm5/srv/svr_policy.c 2009-05-07 19:42:57 UTC (rev 22322) +++ trunk/src/lib/kadm5/srv/svr_policy.c 2009-05-07 19:51:46 UTC (rev 22323) @@ -15,7 +15,6 @@ #include #include -#define MAX_PW_HISTORY 10 #define MIN_PW_HISTORY 1 #define MIN_PW_CLASSES 1 #define MAX_PW_CLASSES 5 @@ -132,8 +131,7 @@ if (!(mask & KADM5_PW_HISTORY_NUM)) pent.pw_history_num = MIN_PW_HISTORY; else { - if(entry->pw_history_num < MIN_PW_HISTORY || - entry->pw_history_num > MAX_PW_HISTORY) + if(entry->pw_history_num < MIN_PW_HISTORY) return KADM5_BAD_HISTORY; else pent.pw_history_num = entry->pw_history_num; 
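Review bot: With the upper bound gone, the only check left on `entry->pw_history_num` in the @@ -132 hunk is `< MIN_PW_HISTORY`, so any larger value the field's type can hold is copied into `pent.pw_history_num`; the modify path in the @@ -242 hunk has the same shape. The field's type and the code that sizes per-principal key history from it are outside these hunks, so if history storage scales with this number an extreme policy value becomes an allocation or database-size concern. Either a generous sanity ceiling or a comment such as `/* No upper bound: history storage grows with this value. */` would make the decision explicit. The deleted test 21.5 is also not replaced by one asserting that 11 is now accepted.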
@@ -242,8 +240,7 @@ p->pw_min_classes = entry->pw_min_classes; } if ((mask & KADM5_PW_HISTORY_NUM)) { - if(entry->pw_history_num < MIN_PW_HISTORY || - entry->pw_history_num > MAX_PW_HISTORY) { + if(entry->pw_history_num < MIN_PW_HISTORY) { krb5_db_free_policy(handle->context, p); return KADM5_BAD_HISTORY; } Modified: trunk/src/lib/kadm5/unit-test/api.0/crte-policy.exp =================================================================== --- trunk/src/lib/kadm5/unit-test/api.0/crte-policy.exp 2009-05-07 19:42:57 UTC (rev 22322) +++ trunk/src/lib/kadm5/unit-test/api.0/crte-policy.exp 2009-05-07 19:51:46 UTC (rev 22323) @@ -743,41 +743,6 @@ } test21 -# Description: (21.5) Rejects 11 for pw_history_num. -# 01/24/94: pshuang: untried. - -test "create-policy 21.5" -proc test215 {} { - global test - global prompt - - if {! (( ! [policy_exists "$test/a"]) || - [delete_policy "$test/a"])} { - error_and_restart "$test: couldn't delete principal \"$test/a\"" - return - } - - if {! [cmd { - ovsec_kadm_init admin admin $OVSEC_KADM_ADMIN_SERVICE null \ - $OVSEC_KADM_STRUCT_VERSION $OVSEC_KADM_API_VERSION_1 \ - server_handle - }]} { - perror "$test: unexpected failure in init" - return - } - - one_line_fail_test [format { - ovsec_kadm_create_policy $server_handle {"%s/a" 0 0 0 0 11 0} \ - {OVSEC_KADM_POLICY OVSEC_KADM_PW_HISTORY_NUM} - } $test] "BAD_HISTORY" - if { ! [cmd {ovsec_kadm_destroy $server_handle}]} { - perror "$test: unexpected failure in destroy" - return - } -} -test215 - - # Description: (22) Fails for user with no access bits. test "create-policy 22" proc test22 {} { Modified: trunk/src/lib/kadm5/unit-test/api.2/crte-policy.exp =================================================================== --- trunk/src/lib/kadm5/unit-test/api.2/crte-policy.exp 2009-05-07 19:42:57 UTC (rev 22322) +++ trunk/src/lib/kadm5/unit-test/api.2/crte-policy.exp 2009-05-07 19:51:46 UTC (rev 22323) 
@@ -743,41 +743,6 @@ } test21 -# Description: (21.5) Rejects 11 for pw_history_num. -# 01/24/94: pshuang: untried. - -test "create-policy 21.5" -proc test215 {} { - global test - global prompt - - if {! (( ! [policy_exists "$test/a"]) || - [delete_policy "$test/a"])} { - error_and_restart "$test: couldn't delete principal \"$test/a\"" - return - } - - if {! [cmd { - kadm5_init admin admin $KADM5_ADMIN_SERVICE null \ - $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \ - server_handle - }]} { - perror "$test: unexpected failure in init" - return - } - - one_line_fail_test [format { - kadm5_create_policy $server_handle {"%s/a" 0 0 0 0 11 0} \ - {KADM5_POLICY KADM5_PW_HISTORY_NUM} - } $test] "BAD_HISTORY" - if { ! [cmd {kadm5_destroy $server_handle}]} { - perror "$test: unexpected failure in destroy" - return - } -} -test215 - - # Description: (22) Fails for user with no access bits. test "create-policy 22" proc test22 {} { From hartmans at MIT.EDU Thu May 7 16:35:29 2009 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 7 May 2009 16:35:29 -0400 Subject: svn rev #22325: trunk/src/ include/ lib/krb5/ lib/krb5/krb/ Message-ID: <200905072035.n47KZTrk023296@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22325 Commit By: hartmans Log Message: Subject: Try decrypting using session key if subkey fails in tgs rep handling ticket: 6484 Tags: pullup Target_Version: 1.7 Heimdal at least up through 1.2 incorrectly encrypts the TGS response in the session key not the subkey when a subkey is supplied. See RFC 4120 page 35. Work around this by trying decryption using the session key after the subkey fails. * decode_kdc_rep.c: rename to krb5int_decode_tgs_rep; only used for TGS and now needs to take keyusage * gc_via_tkt: pass in session key and appropriate usage if subkey fails. Note that the dead code to process AS responses in decode_kdc_rep is not removed by this commit. That will be removed as FAST TGS client support is integrated post 1.7. Changed Files: U trunk/src/include/k5-int.h U trunk/src/lib/krb5/krb/decode_kdc.c U trunk/src/lib/krb5/krb/gc_via_tkt.c U trunk/src/lib/krb5/libkrb5.exports Modified: trunk/src/include/k5-int.h =================================================================== --- trunk/src/include/k5-int.h 2009-05-07 20:35:19 UTC (rev 22324) +++ trunk/src/include/k5-int.h 2009-05-07 20:35:28 UTC (rev 22325) 
@@ -2613,10 +2613,10 @@ * in with the subkey needed to decrypt the TGS * response. Otherwise it will be set to null. */ -krb5_error_code krb5_decode_kdc_rep +krb5_error_code krb5int_decode_tgs_rep (krb5_context, krb5_data *, - const krb5_keyblock *, + const krb5_keyblock *, krb5_keyusage, krb5_kdc_rep ** ); krb5_error_code krb5int_find_authdata (krb5_context context, krb5_authdata *const * ticket_authdata, Modified: trunk/src/lib/krb5/krb/decode_kdc.c =================================================================== --- trunk/src/lib/krb5/krb/decode_kdc.c 2009-05-07 20:35:19 UTC (rev 22324) +++ trunk/src/lib/krb5/krb/decode_kdc.c 2009-05-07 20:35:28 UTC (rev 22325) @@ -43,17 +43,15 @@ */ krb5_error_code -krb5_decode_kdc_rep(krb5_context context, krb5_data *enc_rep, const krb5_keyblock *key, krb5_kdc_rep **dec_rep) +krb5int_decode_tgs_rep(krb5_context context, krb5_data *enc_rep, const krb5_keyblock *key, + krb5_keyusage usage, krb5_kdc_rep **dec_rep) { krb5_error_code retval; krb5_kdc_rep *local_dec_rep; - krb5_keyusage usage; if (krb5_is_as_rep(enc_rep)) { - usage = KRB5_KEYUSAGE_AS_REP_ENCPART; retval = decode_krb5_as_rep(enc_rep, &local_dec_rep); } else if (krb5_is_tgs_rep(enc_rep)) { - usage = KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY; retval = decode_krb5_tgs_rep(enc_rep, &local_dec_rep); } else { return KRB5KRB_AP_ERR_MSG_TYPE; Modified: trunk/src/lib/krb5/krb/gc_via_tkt.c =================================================================== --- trunk/src/lib/krb5/krb/gc_via_tkt.c 2009-05-07 20:35:19 UTC (rev 22324) +++ trunk/src/lib/krb5/krb/gc_via_tkt.c 2009-05-07 20:35:28 UTC (rev 22325) 
@@ -290,9 +290,17 @@ goto error_4; } - if ((retval = krb5_decode_kdc_rep(context, &tgsrep.response, - subkey, &dec_rep))) - goto error_4; + /* Unfortunately, Heimdal at least up through 1.2 encrypts using + the session key not the subsession key. So we try both. */ + if ((retval = krb5int_decode_tgs_rep(context, &tgsrep.response, + subkey, + KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY, &dec_rep))) { + if ((krb5int_decode_tgs_rep(context, &tgsrep.response, + &tkt->keyblock, + KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY, &dec_rep)) == 0) + retval = 0; + else goto error_4; + } if (dec_rep->msg_type != KRB5_TGS_REP) { retval = KRB5KRB_AP_ERR_MSG_TYPE; Modified: trunk/src/lib/krb5/libkrb5.exports =================================================================== --- trunk/src/lib/krb5/libkrb5.exports 2009-05-07 20:35:19 UTC (rev 22324) +++ trunk/src/lib/krb5/libkrb5.exports 2009-05-07 20:35:28 UTC (rev 22325) @@ -185,7 +185,6 @@ krb5_create_secure_file krb5_crypto_us_timeofday krb5_decode_authdata_container -krb5_decode_kdc_rep krb5_decode_ticket krb5_decrypt_tkt_part krb5_default_pwd_prompt1 From hartmans at MIT.EDU Thu May 7 16:35:19 2009 
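Review bot: The session-key retry in the gc_via_tkt.c hunk runs after any failure of the first `krb5int_decode_tgs_rep` call, not only a decryption failure, so an ASN.1 decode error or an allocation failure also triggers a second full decode of the same reply. If the helper returns a distinguishable integrity error for a wrong key (its error codes are outside this hunk), gating the retry on that code would limit the workaround to the Heimdal case the comment describes. The comment could also state the key-usage difference, e.g. `/* Retry with the TGT session key and KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY for Heimdal <= 1.2. */`, and `else goto error_4;` would read better as two lines. The enclosing function continues outside the hunk.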
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Thu, 7 May 2009 16:35:19 -0400 Subject: svn rev #22324: trunk/src/kadmin/ cli/ ktutil/ Message-ID: <200905072035.n47KZJbn023249@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22324 Commit By: hartmans Log Message: ticket: 6483 Subject: man1 in title header for man1 manpages Target_Version: 1.7 Tags: pullup A previous ticket moved kadmin, kadmin.local, ktutil and k5srvutil man pages to man1 from man8. This updates the section within the man page. Changed Files: U trunk/src/kadmin/cli/k5srvutil.M U trunk/src/kadmin/cli/kadmin.M U trunk/src/kadmin/cli/kadmin.local.M U trunk/src/kadmin/ktutil/ktutil.M Modified: trunk/src/kadmin/cli/k5srvutil.M =================================================================== --- trunk/src/kadmin/cli/k5srvutil.M 2009-05-07 19:51:46 UTC (rev 22323) +++ trunk/src/kadmin/cli/k5srvutil.M 2009-05-07 20:35:19 UTC (rev 22324) @@ -1,6 +1,6 @@ .\" Copyright 1989, 2003 by the Massachusetts Institute of Technology. .\" -.TH K5SRVUTIL 8 +.TH K5SRVUTIL 1 .SH NAME k5srvutil \- host key table (keytab) manipulation utility .SH SYNOPSIS Modified: trunk/src/kadmin/cli/kadmin.M =================================================================== --- trunk/src/kadmin/cli/kadmin.M 2009-05-07 19:51:46 UTC (rev 22323) +++ trunk/src/kadmin/cli/kadmin.M 2009-05-07 20:35:19 UTC (rev 22324) @@ -1,4 +1,4 @@ -.TH KADMIN 8 +.TH KADMIN 1 .SH NAME kadmin \- Kerberos V5 database administration program .SH SYNOPSYS Modified: trunk/src/kadmin/cli/kadmin.local.M =================================================================== --- trunk/src/kadmin/cli/kadmin.local.M 2009-05-07 19:51:46 UTC (rev 22323) +++ trunk/src/kadmin/cli/kadmin.local.M 2009-05-07 20:35:19 UTC (rev 22324) 
@@ -1 +1 @@ -.so man8/kadmin.8 +.so man1/kadmin.1 Modified: trunk/src/kadmin/ktutil/ktutil.M =================================================================== --- trunk/src/kadmin/ktutil/ktutil.M 2009-05-07 19:51:46 UTC (rev 22323) +++ trunk/src/kadmin/ktutil/ktutil.M 2009-05-07 20:35:19 UTC (rev 22324) @@ -1,4 +1,4 @@ -.TH KTUTIL 8 +.TH KTUTIL 1 .SH NAME ktutil \- Kerberos keytab file maintenance utility .SH SYNOPSIS From ghudson at MIT.EDU Mon May 11 12:57:46 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Mon, 11 May 2009 12:57:46 -0400 Subject: svn rev #22326: trunk/src/lib/krb5/os/ Message-ID: <200905111657.n4BGvk0T010558@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22326 Commit By: ghudson Log Message: Refactor rule_an_to_ln, creating a new helper function to handle the selection string specifier. Eliminate two (safe) uses of sscanf in the process. Add a test case including literal text in the selection string specifier. Changed Files: U trunk/src/lib/krb5/os/Makefile.in U trunk/src/lib/krb5/os/an_to_ln.c Modified: trunk/src/lib/krb5/os/Makefile.in =================================================================== --- trunk/src/lib/krb5/os/Makefile.in 2009-05-07 20:35:28 UTC (rev 22325) +++ trunk/src/lib/krb5/os/Makefile.in 2009-05-11 16:57:45 UTC (rev 22326) @@ -221,6 +221,8 @@ # fi echo 'auth_to_local = RULE:[3:$$1$$3$$2](rule.*)s/rule//g' \ >> ./t_an.conf + echo 'auth_to_local = RULE:[4:wi$$1ma]s/x/l/g' \ + >> ./t_an.conf echo 'auth_to_local = DEFAULT' >> ./t_an.conf echo '}' >> ./t_an.conf # if test -r ../../../admin/aname/kdb5_anadd ; then \ 
@@ -230,7 +232,7 @@ KRB5_CONFIG=./t_an.conf ; export KRB5_CONFIG ; \ $(KRB5_RUN_ENV) $(VALGRIND) ./t_an_to_ln rul/helpme/e at r ru/123/le at r KRB5_CONFIG=./t_an.conf ; export KRB5_CONFIG ; \ - $(KRB5_RUN_ENV) $(VALGRIND) ./t_an_to_ln fred/r at r barney/r at r + $(KRB5_RUN_ENV) $(VALGRIND) ./t_an_to_ln fred/r at r barney/r at r x/r/r/r at r $(RM) ./t_an.* clean:: Modified: trunk/src/lib/krb5/os/an_to_ln.c =================================================================== --- trunk/src/lib/krb5/os/an_to_ln.c 2009-05-07 20:35:28 UTC (rev 22325) +++ trunk/src/lib/krb5/os/an_to_ln.c 2009-05-11 16:57:45 UTC (rev 22326) 
@@ -481,142 +481,119 @@ } /* - * rule_an_to_ln() - Handle aname to lname translations for RULE rules. + * Compute selection string for RULE rules. * - * The initial part of this routine handles the formulation of the strings from - * the principal name. + * Advance *contextp to the string position after the selectring + * string part if present, and set *result to the selection string. */ static krb5_error_code -rule_an_to_ln(krb5_context context, char *rule, krb5_const_principal aname, const unsigned int lnsize, char *lname) +aname_get_selstring(krb5_context context, krb5_const_principal aname, + char **contextp, char **result) { - krb5_error_code kret; - char *current; - char *fprincname; - char *selstring = 0; - int num_comps, compind, pos; - size_t selstring_used; - char *cout; - krb5_const krb5_data *datap; - char *outstring; + krb5_error_code kret; + char *fprincname, *current, *str; + long num_comps, compind; + const krb5_data *datap; + struct k5buf selstring; + size_t nlit; - /* - * First flatten the name. - */ - current = rule; - if (!(kret = krb5_unparse_name(context, aname, &fprincname))) { - /* - * First part. - */ - if (*current == '[') { - current++; - if (sscanf(current,"%d:%n", &num_comps, &pos) == 1) { - if (num_comps == aname->length) { - /* - * We have a match based on the number of components. - */ - current += pos; - selstring = (char *) malloc(MAX_FORMAT_BUFFER); - selstring_used = 0; - if (selstring) { - cout = selstring; - /* - * Plow through the string. - */ - while ((*current != ']') && - (*current != '\0')) { - /* - * Expand to a component. - */ - if (*current == '$') { - if ((sscanf(current+1, "%d", &compind) == 1) && - (compind <= num_comps) && - (datap = - (compind > 0) - ? 
krb5_princ_component(context, aname, - compind-1) - : krb5_princ_realm(context, aname)) - ) { - if ((datap->length < MAX_FORMAT_BUFFER) - && (selstring_used+datap->length - < MAX_FORMAT_BUFFER)) { - selstring_used += datap->length; - } else { - kret = ENOMEM; - goto errout; - } - strncpy(cout, - datap->data, - (unsigned) datap->length); - cout += datap->length; - *cout = '\0'; - current++; - /* Point past number */ - while (isdigit((int) (*current))) - current++; - } - else - kret = KRB5_CONFIG_BADFORMAT; - } - else { - /* Copy in verbatim. */ - *cout = *current; - cout++; - *cout = '\0'; - current++; - } - } + *result = NULL; + if (**contextp != '[') { + /* No selstring part; use the full flattened principal name. */ + kret = krb5_unparse_name(context, aname, &fprincname); + if (kret) + return kret; + str = aname_full_to_mapping_name(fprincname); + free(fprincname); + if (!str) + return ENOMEM; + *result = str; + return 0; + } - /* - * Advance past separator if appropriate. - */ - if (*current == ']') - current++; - else - kret = KRB5_CONFIG_BADFORMAT; + /* Advance past the '[' and read the number of components. */ + current = *contextp + 1; + errno = 0; + num_comps = strtol(current, ¤t, 10); + if (errno != 0 || num_comps < 0 || *current != ':') + return KRB5_CONFIG_BADFORMAT; + if (num_comps != aname->length) + return KRB5_LNAME_NOTRANS; + current++; - errout: if (kret) - free(selstring); - } - else - kret = ENOMEM; - } - else - kret = KRB5_LNAME_NOTRANS; - } - else - kret = KRB5_CONFIG_BADFORMAT; - } - else { - if (!(selstring = aname_full_to_mapping_name(fprincname))) - kret = ENOMEM; - } - free(fprincname); + krb5int_buf_init_dynamic(&selstring); + while (1) { + /* Copy in literal characters up to the next $ or ]. */ + nlit = strcspn(current, "$]"); + krb5int_buf_add_len(&selstring, current, nlit); + current += nlit; + if (*current != '$') + break; + + /* Expand $ substitution to a principal component. 
*/ + errno = 0; + compind = strtol(current + 1, ¤t, 10); + if (errno || compind > num_comps) + break; + datap = (compind > 0) + ? krb5_princ_component(context, aname, compind - 1) + : krb5_princ_realm(context, aname); + if (!datap) + break; + krb5int_buf_add_len(&selstring, datap->data, datap->length); } - if (!kret) { - /* - * Second part - */ - if (*current == '(') - kret = aname_do_match(selstring, ¤t); - /* - * Third part. - */ - if (!kret) { - outstring = (char *) NULL; - kret = aname_replacer(selstring, ¤t, &outstring); - if (outstring) { - /* Copy out the value if there's enough room */ - if (strlcpy(lname, outstring, lnsize) >= lnsize) - kret = KRB5_CONFIG_NOTENUFSPACE; - free(outstring); - } - } - free(selstring); + /* Check that we hit a ']' and not the end of the string. */ + if (*current != ']') { + krb5int_free_buf(&selstring); + return KRB5_CONFIG_BADFORMAT; } - return(kret); + str = krb5int_buf_data(&selstring); + if (str == NULL) + return ENOMEM; + + *contextp = current + 1; + *result = str; + return 0; } + +/* Handle aname to lname translations for RULE rules. */ +static krb5_error_code +rule_an_to_ln(krb5_context context, char *rule, krb5_const_principal aname, + const unsigned int lnsize, char *lname) +{ + krb5_error_code kret; + char *current, *selstring = 0, *outstring = 0; + + /* Compute the selection string. */ + current = rule; + kret = aname_get_selstring(context, aname, ¤t, &selstring); + if (kret) + return kret; + + /* Check the selection string against the regexp, if present. */ + if (*current == '(') { + kret = aname_do_match(selstring, ¤t); + if (kret) + goto cleanup; + } + + /* Perform the substitution. */ + outstring = NULL; + kret = aname_replacer(selstring, ¤t, &outstring); + if (kret) + goto cleanup; + + /* Copy out the value if there's enough room. 
*/ + if (strlcpy(lname, outstring, lnsize) >= lnsize) + kret = KRB5_CONFIG_NOTENUFSPACE; + +cleanup: + free(selstring); + free(outstring); + return kret; +} #endif /* AN_TO_LN_RULES */ /* From tlyu at MIT.EDU Mon May 11 16:55:19 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 11 May 2009 16:55:19 -0400 Subject: svn rev #22327: branches/krb5-1-7/src/lib/krb5/krb/ Message-ID: <200905112055.n4BKtJtD026810@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22327 Commit By: tlyu Log Message: ticket: 6473 version_fixed: 1.7 pull up r22272 from trunk ------------------------------------------------------------------------ r22272 | ghudson | 2009-04-23 04:42:40 -0400 (Thu, 23 Apr 2009) | 7 lines Changed paths: M /trunk/src/lib/krb5/krb/gc_via_tkt.c ticket: 6473 tags: pullup In krb5_get_cred_via_tkt, strip the ok-as-delegate flag from credentials obtained using a foreign TGT, unless the TGT also has ok-as-delegate set. Changed Files: U branches/krb5-1-7/src/lib/krb5/krb/gc_via_tkt.c Modified: branches/krb5-1-7/src/lib/krb5/krb/gc_via_tkt.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/gc_via_tkt.c 2009-05-11 16:57:45 UTC (rev 22326) +++ branches/krb5-1-7/src/lib/krb5/krb/gc_via_tkt.c 2009-05-11 20:55:19 UTC (rev 22327) @@ -144,6 +144,16 @@ return 0; } +/* Return true if a TGS credential is for the client's local realm. */ +static inline int +tgt_is_local_realm(krb5_creds *tgt) +{ + return (tgt->server->length == 2 + && data_eq_string(tgt->server->data[0], KRB5_TGS_NAME) + && data_eq(tgt->server->data[1], tgt->client->realm) + && data_eq(tgt->server->realm, tgt->client->realm)); +} + krb5_error_code krb5_get_cred_via_tkt (krb5_context context, krb5_creds *tkt, krb5_flags kdcoptions, krb5_address *const *address, 
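Review bot: In `aname_get_selstring`, the `break` statements in the `$` expansion loop rely on the later `*current != ']'` test to reject the rule, but `strtol` has already moved `current` past the digits, so a rule such as `[2:$5]` leaves the loop with `current` on `]` and returns success with a truncated selection string. A `$` with no digits after it is also accepted, because `strtol` returns 0 and the realm is substituted, and a negative index takes the same realm branch since only `compind > num_comps` is checked. The selection string feeds the principal-to-local-name mapping, so a malformed rule should fail with KRB5_CONFIG_BADFORMAT rather than map to an unintended name; the sketch below returns the error directly and checks that digits were consumed.

```c
        /* Expand $ substitution to a principal component. */
        errno = 0;
        compind = strtol(current + 1, &end, 10);   /* end: new local char * */
        if (errno || end == current + 1 || compind < 0 || compind > num_comps) {
            krb5int_free_buf(&selstring);
            return KRB5_CONFIG_BADFORMAT;
        }
        current = end;
        /* … unchanged: datap lookup via krb5_princ_component / krb5_princ_realm … */
        if (!datap) {
            krb5int_free_buf(&selstring);
            return KRB5_CONFIG_BADFORMAT;
        }
```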
@@ -289,6 +299,14 @@ goto error_3; } + /* + * Don't trust the ok-as-delegate flag from foreign KDCs unless the + * cross-realm TGT also had the ok-as-delegate flag set. + */ + if (!tgt_is_local_realm(tkt) + && !(tkt->ticket_flags & TKT_FLG_OK_AS_DELEGATE)) + dec_rep->enc_part2->flags &= ~TKT_FLG_OK_AS_DELEGATE; + /* make sure the response hasn't been tampered with..... */ retval = 0; From tlyu at MIT.EDU Mon May 11 16:55:23 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 11 May 2009 16:55:23 -0400 Subject: svn rev #22328: branches/krb5-1-7/src/lib/krb5/keytab/ Message-ID: <200905112055.n4BKtNgi026847@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22328 Commit By: tlyu Log Message: ticket: 6475 version_fixed: 1.7 pull up r22278 from trunk ------------------------------------------------------------------------ r22278 | ghudson | 2009-04-24 15:49:54 -0400 (Fri, 24 Apr 2009) | 9 lines Changed paths: M /trunk/src/lib/krb5/keytab/kt_file.c ticket: 6475 status: open tags: pullup target_version: 1.7 In krb5_ktfileint_find_slot, don't continue the loop when we find a final zero-length buffer. This is a minimal fix intended to be pulled up to the 1.7 branch; a code cleanup commit will follow. Changed Files: U branches/krb5-1-7/src/lib/krb5/keytab/kt_file.c Modified: branches/krb5-1-7/src/lib/krb5/keytab/kt_file.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/keytab/kt_file.c 2009-05-11 20:55:19 UTC (rev 22327) +++ branches/krb5-1-7/src/lib/krb5/keytab/kt_file.c 2009-05-11 20:55:22 UTC (rev 22328) @@ -1754,6 +1754,7 @@ if (fseek(KTFILEP(id), zero_point, SEEK_SET)) { return errno; } + found = TRUE; } } } From tlyu at MIT.EDU Mon May 11 16:55:26 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 11 May 2009 16:55:26 -0400 Subject: svn rev #22329: branches/krb5-1-7/src/ lib/kadm5/ tests/misc/ Message-ID: <200905112055.n4BKtQYW026884@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22329 Commit By: tlyu Log Message: ticket: 6477 version_fixed: 1.7 pull up r22280 from trunk ------------------------------------------------------------------------ r22280 | raeburn | 2009-04-25 05:36:11 -0400 (Sat, 25 Apr 2009) | 9 lines Changed paths: M /trunk/src/lib/kadm5/admin.h M /trunk/src/tests/misc/Makefile.in M /trunk/src/tests/misc/deps A /trunk/src/tests/misc/test_cxx_kadm5.cpp ticket: 6477 subject: make installed headers C++-safe target_version: 1.7 tags: pullup Now that we're installing the kadm5 headers, they should be C++-safe like the others. Wrap the content in 'extern "C"' if compiling as C++. New test program to verify. Changed Files: U branches/krb5-1-7/src/lib/kadm5/admin.h U branches/krb5-1-7/src/tests/misc/Makefile.in U branches/krb5-1-7/src/tests/misc/deps A branches/krb5-1-7/src/tests/misc/test_cxx_kadm5.cpp Modified: branches/krb5-1-7/src/lib/kadm5/admin.h =================================================================== --- branches/krb5-1-7/src/lib/kadm5/admin.h 2009-05-11 20:55:22 UTC (rev 22328) +++ branches/krb5-1-7/src/lib/kadm5/admin.h 2009-05-11 20:55:25 UTC (rev 22329) @@ -56,6 +56,18 @@ #include #include +#ifndef KADM5INT_BEGIN_DECLS +#if defined(__cplusplus) +#define KADM5INT_BEGIN_DECLS extern "C" { +#define KADM5INT_END_DECLS } +#else +#define KADM5INT_BEGIN_DECLS +#define KADM5INT_END_DECLS +#endif +#endif + +KADM5INT_BEGIN_DECLS + #define KADM5_ADMIN_SERVICE "kadmin/admin" #define KADM5_CHANGEPW_SERVICE "kadmin/changepw" #define KADM5_HIST_PRINCIPAL "kadmin/history" 
@@ -790,4 +802,6 @@ #endif /* USE_KADM5_API_VERSION == 1 */ +KADM5INT_END_DECLS + #endif /* __KADM5_ADMIN_H__ */ Modified: branches/krb5-1-7/src/tests/misc/Makefile.in =================================================================== --- branches/krb5-1-7/src/tests/misc/Makefile.in 2009-05-11 20:55:22 UTC (rev 22328) +++ branches/krb5-1-7/src/tests/misc/Makefile.in 2009-05-11 20:55:25 UTC (rev 22329) @@ -12,15 +12,17 @@ $(srcdir)/test_getsockname.c \ $(srcdir)/test_cxx_krb5.cpp \ $(srcdir)/test_cxx_gss.cpp \ - $(srcdir)/test_cxx_rpc.cpp + $(srcdir)/test_cxx_rpc.cpp \ + $(srcdir)/test_cxx_kadm5.cpp all:: test_getpw -check:: test_getpw test_cxx_krb5 test_cxx_gss test_cxx_rpc +check:: test_getpw test_cxx_krb5 test_cxx_gss test_cxx_rpc test_cxx_kadm5 $(RUN_SETUP) $(VALGRIND) ./test_getpw $(RUN_SETUP) $(VALGRIND) ./test_cxx_krb5 $(RUN_SETUP) $(VALGRIND) ./test_cxx_gss $(RUN_SETUP) $(VALGRIND) ./test_cxx_rpc + $(RUN_SETUP) $(VALGRIND) ./test_cxx_kadm5 test_getpw: $(OUTPRE)test_getpw.$(OBJEXT) $(SUPPORT_DEPLIB) $(CC_LINK) $(ALL_CFLAGS) -o test_getpw $(OUTPRE)test_getpw.$(OBJEXT) $(SUPPORT_LIB) 
@@ -34,13 +36,16 @@ $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_gss $(OUTPRE)test_cxx_gss.$(OBJEXT) $(LIBS) test_cxx_rpc: $(OUTPRE)test_cxx_rpc.$(OBJEXT) $(GSSRPC_DEPLIBS) $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_rpc $(OUTPRE)test_cxx_rpc.$(OBJEXT) $(GSSRPC_LIBS) $(KRB5_BASE_LIBS) $(LIBS) +test_cxx_kadm5: $(OUTPRE)test_cxx_kadm5.$(OBJEXT) $(KADMCLNT_DEPLIBS) + $(CXX_LINK) $(ALL_CXXFLAGS) -o test_cxx_kadm5 $(OUTPRE)test_cxx_kadm5.$(OBJEXT) $(KADMCLNT_LIBS) $(KRB5_BASE_LIBS) $(LIBS) test_cxx_krb5.$(OBJEXT): test_cxx_krb5.cpp test_cxx_gss.$(OBJEXT): test_cxx_gss.cpp test_cxx_rpc.$(OBJEXT): test_cxx_rpc.cpp +test_cxx_kadm5.$(OBJEXT): test_cxx_kadm5.cpp install:: clean:: - $(RM) test_getpw test_cxx_krb5 test_cxx_gss *.o + $(RM) test_getpw test_cxx_krb5 test_cxx_gss test_cxx_k5int test_cxx_rpc test_cxx_kadm5 *.o Modified: branches/krb5-1-7/src/tests/misc/deps =================================================================== --- branches/krb5-1-7/src/tests/misc/deps 2009-05-11 20:55:22 UTC (rev 22328) +++ branches/krb5-1-7/src/tests/misc/deps 2009-05-11 20:55:25 UTC (rev 22329) 
@@ -18,3 +18,13 @@ $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \ $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \ $(SRCTOP)/include/gssrpc/xdr.h test_cxx_rpc.cpp +$(OUTPRE)test_cxx_kadm5.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ + $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \ + $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \ + $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(SRCTOP)/include/gssrpc/auth.h \ + $(SRCTOP)/include/gssrpc/auth_gss.h $(SRCTOP)/include/gssrpc/auth_unix.h \ + $(SRCTOP)/include/gssrpc/clnt.h $(SRCTOP)/include/gssrpc/rename.h \ + $(SRCTOP)/include/gssrpc/rpc.h $(SRCTOP)/include/gssrpc/rpc_msg.h \ + $(SRCTOP)/include/gssrpc/svc.h $(SRCTOP)/include/gssrpc/svc_auth.h \ + $(SRCTOP)/include/gssrpc/xdr.h $(SRCTOP)/include/kdb.h \ + $(SRCTOP)/include/krb5.h test_cxx_kadm5.cpp Added: branches/krb5-1-7/src/tests/misc/test_cxx_kadm5.cpp =================================================================== --- branches/krb5-1-7/src/tests/misc/test_cxx_kadm5.cpp 2009-05-11 20:55:22 UTC (rev 22328) +++ branches/krb5-1-7/src/tests/misc/test_cxx_kadm5.cpp 2009-05-11 20:55:25 UTC (rev 22329) @@ -0,0 +1,15 @@ +// Test that the kadm5 header is compatible with C++ application code. + +#include "kadm5/admin.h" + +krb5_context ctx; +kadm5_config_params p_in, p_out; +int main (int argc, char *argv[]) +{ + if (argc == 47 && kadm5_get_config_params(ctx, 1, &p_in, &p_out)) { + printf("error\n"); + return 1; + } + printf("hello, world\n"); + return 0; +} From tlyu at MIT.EDU Mon May 11 16:55:28 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 11 May 2009 16:55:28 -0400 Subject: svn rev #22330: branches/krb5-1-7/src/ include/ kadmin/cli/ kdc/ lib/kadm5/ Message-ID: <200905112055.n4BKtSUG026924@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22330 Commit By: tlyu Log Message: ticket: 5596 version_fixed: 1.7 pull up r22281 from trunk ------------------------------------------------------------------------ r22281 | ghudson | 2009-04-27 11:42:23 -0400 (Mon, 27 Apr 2009) | 8 lines Changed paths: M /trunk/src/include/kdb.h M /trunk/src/include/kdb_ext.h M /trunk/src/kadmin/cli/kadmin.M M /trunk/src/kadmin/cli/kadmin.c M /trunk/src/kdc/do_tgs_req.c M /trunk/src/lib/kadm5/str_conv.c ticket: 5596 Move KRB5_KDB_OK_AS_DELEGATE from kdb_ext.h to kdb.h. Add kadmin support for the flag. In the KDC, remove the restriction on returning the flag on cross-realm TGTs since there is now a defined meaning for that (it allows ok-as-delegate to be honored on the foreign realm's service tickets). Changed Files: U branches/krb5-1-7/src/include/kdb.h U branches/krb5-1-7/src/include/kdb_ext.h U branches/krb5-1-7/src/kadmin/cli/kadmin.M U branches/krb5-1-7/src/kadmin/cli/kadmin.c U branches/krb5-1-7/src/kdc/do_tgs_req.c U branches/krb5-1-7/src/lib/kadm5/str_conv.c Modified: branches/krb5-1-7/src/include/kdb.h =================================================================== --- branches/krb5-1-7/src/include/kdb.h 2009-05-11 20:55:25 UTC (rev 22329) +++ branches/krb5-1-7/src/include/kdb.h 2009-05-11 20:55:28 UTC (rev 22330) 
@@ -95,6 +95,7 @@ #define KRB5_KDB_PWCHANGE_SERVICE 0x00002000 #define KRB5_KDB_SUPPORT_DESMD5 0x00004000 #define KRB5_KDB_NEW_PRINC 0x00008000 +#define KRB5_KDB_OK_AS_DELEGATE 0x00100000 /* Creation flags */ #define KRB5_KDB_CREATE_BTREE 0x00000001 Modified: branches/krb5-1-7/src/include/kdb_ext.h =================================================================== --- branches/krb5-1-7/src/include/kdb_ext.h 2009-05-11 20:55:25 UTC (rev 22329) +++ branches/krb5-1-7/src/include/kdb_ext.h 2009-05-11 20:55:28 UTC (rev 22330) @@ -31,8 +31,6 @@ #ifndef KRB5_KDB5_EXT__ #define KRB5_KDB5_EXT__ -/* Can be delegated as in TicketFlags */ -#define KRB5_KDB_OK_AS_DELEGATE 0x00100000 /* Allowed to use protocol transition */ #define KRB5_KDB_OK_TO_AUTH_AS_DELEGATE 0x00200000 /* Service does not require authorization data */ Modified: branches/krb5-1-7/src/kadmin/cli/kadmin.M =================================================================== --- branches/krb5-1-7/src/kadmin/cli/kadmin.M 2009-05-11 20:55:25 UTC (rev 22329) +++ branches/krb5-1-7/src/kadmin/cli/kadmin.M 2009-05-11 20:55:28 UTC (rev 22330) @@ -341,6 +341,16 @@ .B -requires_hwauth clears this flag. .TP +{\fB\-\fP|\fB+\fP}\fBok_as_delegate\fP +.B +ok_as_delegate +sets the OK-AS-DELEGATE flag on tickets issued for use with this principal +as the service, which clients may use as a hint that credentials can and +should be delegated when authenticating to the service. (Sets the +.SM KRB5_KDB_OK_AS_DELEGATE +flag.) +.B -ok_as_delegate +clears this flag. +.TP {\fB\-\fP|\fB+\fP}\fBallow_svr\fP .B -allow_svr prohibits the issuance of service tickets for this principal. (Sets the Modified: branches/krb5-1-7/src/kadmin/cli/kadmin.c =================================================================== --- branches/krb5-1-7/src/kadmin/cli/kadmin.c 2009-05-11 20:55:25 UTC (rev 22329) +++ branches/krb5-1-7/src/kadmin/cli/kadmin.c 2009-05-11 20:55:28 UTC (rev 22330) 
@@ -71,7 +71,8 @@ {"needchange", 10, KRB5_KDB_REQUIRES_PWCHANGE, 0}, {"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1}, {"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 }, -{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 } +{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 }, +{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 } }; static char *prflags[] = { @@ -91,6 +92,11 @@ "PWCHANGE_SERVICE", /* 0x00002000 */ "SUPPORT_DESMD5", /* 0x00004000 */ "NEW_PRINC", /* 0x00008000 */ + "UNKNOWN_0x00010000", /* 0x00010000 */ + "UNKNOWN_0x00020000", /* 0x00020000 */ + "UNKNOWN_0x00040000", /* 0x00040000 */ + "UNKNOWN_0x00080000", /* 0x00080000 */ + "OK_AS_DELEGATE", /* 0x00100000 */ }; char *getenv(); @@ -1117,6 +1123,7 @@ "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n", "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n", "\t\trequires_hwauth needchange allow_svr password_changing_service\n" + "\t\tok_as_delegate\n" "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n" "\t\t\tLook at each database documentation for supported arguments\n"); } @@ -1133,6 +1140,7 @@ "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n", "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n", "\t\trequires_hwauth needchange allow_svr password_changing_service\n" + "\t\tok_as_delegate\n" "\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n" "\t\t\tLook at each database documentation for supported arguments\n" ); Modified: branches/krb5-1-7/src/kdc/do_tgs_req.c =================================================================== --- branches/krb5-1-7/src/kdc/do_tgs_req.c 2009-05-11 20:55:25 UTC (rev 22329) +++ branches/krb5-1-7/src/kdc/do_tgs_req.c 2009-05-11 20:55:28 UTC (rev 22330) 
@@ -417,11 +417,8 @@ enc_tkt_reply.flags = 0; enc_tkt_reply.times.starttime = 0; - if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE) && - !is_referral) { - /* Ensure that we are not returning a referral */ + if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE)) setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE); - } /* * Fix header_ticket's starttime; if it's zero, fill in the Modified: branches/krb5-1-7/src/lib/kadm5/str_conv.c =================================================================== --- branches/krb5-1-7/src/lib/kadm5/str_conv.c 2009-05-11 20:55:25 UTC (rev 22329) +++ branches/krb5-1-7/src/lib/kadm5/str_conv.c 2009-05-11 20:55:28 UTC (rev 22330) @@ -73,6 +73,7 @@ static const char flags_tickets_in[] = "allow-tickets"; static const char flags_preauth_in[] = "preauth"; static const char flags_hwauth_in[] = "hwauth"; +static const char flags_ok_as_delegate_in[] = "ok-as-delegate"; static const char flags_pwchange_in[] = "pwchange"; static const char flags_service_in[] = "service"; static const char flags_pwsvc_in[] = "pwservice"; @@ -86,6 +87,7 @@ static const char flags_tickets_out[] = "All Tickets Disallowed"; static const char flags_preauth_out[] = "Preauthorization required"; static const char flags_hwauth_out[] = "HW Authorization required"; +static const char flags_ok_as_delegate_out[] = "OK as Delegate"; static const char flags_pwchange_out[] = "Password Change required"; static const char flags_service_out[] = "Service Disabled"; static const char flags_pwsvc_out[] = "Password Changing Service"; 
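Review bot: The now-unconditional `setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);` in the do_tgs_req.c hunk has lost the only comment that mentioned the referral case, so nothing at the call site says that copying the flag onto a cross-realm TGT is deliberate. Because the flag on such a ticket decides whether clients honor ok-as-delegate for the foreign realm's services, I would add a comment above the `if`, for example `/* Intentionally also set on cross-realm TGTs: lets clients honor ok-as-delegate on the foreign realm's service tickets. */`. The rest of the function is outside the hunk; if `is_referral` has no other reader there, it should be checked for having become an unused variable.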
@@ -109,6 +111,7 @@ { KRB5_KDB_DISALLOW_ALL_TIX, 0, flags_tickets_in, flags_tickets_out }, { KRB5_KDB_REQUIRES_PRE_AUTH, 1, flags_preauth_in, flags_preauth_out }, { KRB5_KDB_REQUIRES_HW_AUTH, 1, flags_hwauth_in, flags_hwauth_out }, +{ KRB5_KDB_OK_AS_DELEGATE, 1, flags_ok_as_delegate_in, flags_ok_as_delegate_out }, { KRB5_KDB_REQUIRES_PWCHANGE, 1, flags_pwchange_in, flags_pwchange_out}, { KRB5_KDB_DISALLOW_SVR, 0, flags_service_in, flags_service_out }, { KRB5_KDB_PWCHANGE_SERVICE, 1, flags_pwsvc_in, flags_pwsvc_out }, From tlyu at MIT.EDU Mon May 11 16:55:45 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 11 May 2009 16:55:45 -0400 Subject: svn rev #22331: branches/krb5-1-7/src/lib/krb5/krb/ Message-ID: <200905112055.n4BKtjM3026979@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22331 Commit By: tlyu Log Message: ticket: 6478 version_fixed: 1.7 pull up r22283, r22288 from trunk. r22283 was not originally part of this ticket but is a prereq for the mk_cred.c change. ------------------------------------------------------------------------ r22288 | ghudson | 2009-04-28 14:00:13 -0400 (Tue, 28 Apr 2009) | 14 lines Changed paths: M /trunk/src/lib/krb5/krb/mk_cred.c M /trunk/src/lib/krb5/krb/mk_priv.c M /trunk/src/lib/krb5/krb/mk_safe.c ticket: 6478 subject: Fix handling of RET_SEQUENCE flag in mk_priv/mk_ncred Regularize the handling of KRB5_AUTH_CONTEXT_RET_SEQUENCE in krb5_mk_safe, krb5_mk_priv, and krb5_mk_ncred, using krb5_mk_safe as a baseline. RET_SEQUENCE now implies DO_SEQUENCE for all three functions, the sequence number is always incremented if it is used, and outdata->seq is always set if RET_SEQUENCE is passed. Note that in the corresponding rd_ functions, RET_SEQUENCE and DO_SEQUENCE are independent flags, which is not consistent with the above. This compromise is intended to preserve compatibility with any working code which might exist using the RET_SEQUENCE flag. ------------------------------------------------------------------------ r22283 | ghudson | 2009-04-27 19:48:22 -0400 (Mon, 27 Apr 2009) | 5 lines Changed paths: M /trunk/src/lib/krb5/krb/mk_cred.c Fix a few memory leaks in krb5_mk_ncred. Also tighten up the error handling of the sequence number, only decreasing it if it was increased. The handling of DO_SEQUENCE and RET_SEQUENCE may still be flawed in some cases. 
Changed Files: U branches/krb5-1-7/src/lib/krb5/krb/mk_cred.c U branches/krb5-1-7/src/lib/krb5/krb/mk_priv.c U branches/krb5-1-7/src/lib/krb5/krb/mk_safe.c Modified: branches/krb5-1-7/src/lib/krb5/krb/mk_cred.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/mk_cred.c 2009-05-11 20:55:28 UTC (rev 22330) +++ branches/krb5-1-7/src/lib/krb5/krb/mk_cred.c 2009-05-11 20:55:45 UTC (rev 22331) @@ -162,14 +162,14 @@ krb5_replay_data replaydata; krb5_cred * pcred; krb5_int32 ncred; + krb5_boolean increased_sequence = FALSE; local_fulladdr.contents = 0; remote_fulladdr.contents = 0; memset(&replaydata, 0, sizeof(krb5_replay_data)); - if (ppcreds == NULL) { + if (ppcreds == NULL) return KRB5KRB_AP_ERR_BADADDR; - } /* * Allocate memory for a NULL terminated list of tickets. @@ -183,8 +183,8 @@ if ((pcred->tickets = (krb5_ticket **)calloc((size_t)ncred+1, sizeof(krb5_ticket *))) == NULL) { - free(pcred); - return ENOMEM; + retval = ENOMEM; + goto error; } /* Get keyblock */ 
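Review bot: In the second mk_cred.c hunk the failed `calloc` of `pcred->tickets` now does `goto error`, so `krb5_free_cred(context, pcred)` runs on a structure whose `tickets` member is NULL and whose other members are whatever the allocation of `pcred` left there. That is only safe if `pcred` itself was zero-filled when allocated and `krb5_free_cred` tolerates a NULL ticket list; the allocation of `pcred` is above the hunk, so this cannot be confirmed from here. If it is not a zeroing allocation, the old `free(pcred); return ENOMEM;` was the safer form, or the allocation should become `calloc(1, sizeof(*pcred))`.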
@@ -193,30 +193,32 @@ /* Get replay info */ if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) && - (auth_context->rcache == NULL)) - return KRB5_RC_REQUIRED; + (auth_context->rcache == NULL)) { + retval = KRB5_RC_REQUIRED; + goto error; + } if (((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) || - (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) && - (outdata == NULL)) + (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) + && (outdata == NULL)) { /* Need a better error */ - return KRB5_RC_REQUIRED; + retval = KRB5_RC_REQUIRED; + goto error; + } if ((retval = krb5_us_timeofday(context, &replaydata.timestamp, &replaydata.usec))) - return retval; + goto error; if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_TIME) { outdata->timestamp = replaydata.timestamp; outdata->usec = replaydata.usec; } if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) { - replaydata.seq = auth_context->local_seq_number; - if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { - auth_context->local_seq_number++; - } else { + replaydata.seq = auth_context->local_seq_number++; + increased_sequence = TRUE; + if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE) outdata->seq = replaydata.seq; - } } if (auth_context->local_addr) { 
@@ -273,15 +275,12 @@ retval = encode_krb5_cred(pcred, ppdata); error: - if (local_fulladdr.contents) - free(local_fulladdr.contents); - if (remote_fulladdr.contents) - free(remote_fulladdr.contents); + free(local_fulladdr.contents); + free(remote_fulladdr.contents); krb5_free_cred(context, pcred); if (retval) { - if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) - || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) + if (increased_sequence) auth_context->local_seq_number--; } return retval; Modified: branches/krb5-1-7/src/lib/krb5/krb/mk_priv.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/mk_priv.c 2009-05-11 20:55:28 UTC (rev 22330) +++ branches/krb5-1-7/src/lib/krb5/krb/mk_priv.c 2009-05-11 20:55:45 UTC (rev 22331) @@ -151,12 +151,9 @@ } if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) { - replaydata.seq = auth_context->local_seq_number; - if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) { - auth_context->local_seq_number++; - } else { + replaydata.seq = auth_context->local_seq_number++; + if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE) outdata->seq = replaydata.seq; - } } { Modified: branches/krb5-1-7/src/lib/krb5/krb/mk_safe.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/mk_safe.c 2009-05-11 20:55:28 UTC (rev 22330) +++ branches/krb5-1-7/src/lib/krb5/krb/mk_safe.c 2009-05-11 20:55:45 UTC (rev 22331) 
@@ -152,9 +152,8 @@ if ((auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_SEQUENCE) || (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE)) { replaydata.seq = auth_context->local_seq_number++; - if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE) { + if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_RET_SEQUENCE) outdata->seq = replaydata.seq; - } } { From tlyu at MIT.EDU Mon May 11 16:55:48 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 11 May 2009 16:55:48 -0400 Subject: svn rev #22332: branches/krb5-1-7/src/clients/ksu/ Message-ID: <200905112055.n4BKtm0u027016@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22332 Commit By: tlyu Log Message: ticket: 6472 version_fixed: 1.7 pull up r22290 from trunk ------------------------------------------------------------------------ r22290 | tlyu | 2009-04-28 20:31:50 -0400 (Tue, 28 Apr 2009) | 5 lines Changed paths: M /trunk/src/clients/ksu/krb_auth_su.c ticket: 6472 target_version: 1.7 tags: pullup Fix typo in error message reported by Marek Mahut (Red Hat). Changed Files: U branches/krb5-1-7/src/clients/ksu/krb_auth_su.c Modified: branches/krb5-1-7/src/clients/ksu/krb_auth_su.c =================================================================== --- branches/krb5-1-7/src/clients/ksu/krb_auth_su.c 2009-05-11 20:55:45 UTC (rev 22331) +++ branches/krb5-1-7/src/clients/ksu/krb_auth_su.c 2009-05-11 20:55:48 UTC (rev 22332) @@ -179,7 +179,7 @@ if ((retval = krb5_get_cred_from_kdc(context, cc, &in_creds, &out_creds, &tgts))){ - com_err(prog_name, retval, "while geting credentials from kdc"); + com_err(prog_name, retval, "while getting credentials from kdc"); return (FALSE); } From tlyu at MIT.EDU Mon May 11 16:55:54 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 11 May 2009 16:55:54 -0400 Subject: svn rev #22334: branches/krb5-1-7/src/kdc/ Message-ID: <200905112055.n4BKtsgH027099@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22334 Commit By: tlyu Log Message: ticket: 6480 version_fixed: 1.7 pull up r22292 from trunk ------------------------------------------------------------------------ r22292 | hartmans | 2009-04-29 20:38:48 -0400 (Wed, 29 Apr 2009) | 10 lines Changed paths: M /trunk/src/kdc/kdc_preauth.c ticket: 6480 Subject: Do not return PREAUTH_FAILED on unknown preauth Target_Version: 1.7 Tags: pullup If the KDC receives unknown pre-authentication data then ignore it. Do not get into a case where PREAUTH_FAILED is returned because of unknown pre-authentication. The main AS loop will cause PREAUTH_REQUIRED to be returned if the preauth_required flag is set and no valid preauth is found. Changed Files: U branches/krb5-1-7/src/kdc/kdc_preauth.c Modified: branches/krb5-1-7/src/kdc/kdc_preauth.c =================================================================== --- branches/krb5-1-7/src/kdc/kdc_preauth.c 2009-05-11 20:55:51 UTC (rev 22333) +++ branches/krb5-1-7/src/kdc/kdc_preauth.c 2009-05-11 20:55:54 UTC (rev 22334) @@ -1204,17 +1204,11 @@ if (pa_ok) return 0; - /* pa system was not found, but principal doesn't require preauth */ - if (!pa_found && - !isflagset(client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH) && - !isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH)) + /* pa system was not found; we may return PREAUTH_REQUIRED later, + but we did not actually fail to verify the pre-auth. */ + if (!pa_found) return 0; - if (!pa_found) { - emsg = krb5_get_error_message(context, retval); - krb5_klog_syslog (LOG_INFO, "no valid preauth type found: %s", emsg); - krb5_free_error_message(context, emsg); - } /* The following switch statement allows us * to return some preauth system errors back to the client. From tlyu at MIT.EDU Mon May 11 16:55:51 2009 
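Review bot: With the new `if (!pa_found) return 0;` this function reports success even for a client that has KRB5_KDB_REQUIRES_PRE_AUTH or KRB5_KDB_REQUIRES_HW_AUTH set, whenever none of the supplied padata types is recognised, so enforcement rests entirely on a check in the caller that is not part of this hunk. The added comment should name that check, e.g. `/* No known pa type: not a verification failure. The AS request path must still reject with PREAUTH_REQUIRED when the client's attributes demand preauth and no preauth flag was set on the ticket. */`, so that a later refactor of the caller does not remove the only gate. The hunk also deletes the `no valid preauth type found` syslog line; keeping a log entry for requests that carried only unrecognised padata would preserve that signal for operators. The enclosing function starts and ends outside the hunk.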
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 11 May 2009 16:55:51 -0400 Subject: svn rev #22333: branches/krb5-1-7/src/ include/ lib/krb5/ lib/krb5/krb/ util/support/ Message-ID: <200905112055.n4BKtpbv027062@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22333 Commit By: tlyu Log Message: ticket: 6479 version_fixed: 1.7 pull up r22291 from trunk ------------------------------------------------------------------------ r22291 | ghudson | 2009-04-29 19:21:21 -0400 (Wed, 29 Apr 2009) | 9 lines Changed paths: M /trunk/src/include/k5-err.h M /trunk/src/include/k5-int.h M /trunk/src/lib/krb5/krb/kerrs.c M /trunk/src/lib/krb5/libkrb5.exports M /trunk/src/util/support/errors.c M /trunk/src/util/support/libkrb5support-fixed.exports ticket: 6479 subject: Add DEBUG_ERROR_LOCATIONS support If DEBUG_ERROR_LOCATIONS is defined, replace uses of krb5_set_error_message and krb5int_set_error with calls to the new _fl variants of those functions, and include filename and line number information in the calls. Requires C99-style variadic macros if defined. Changed Files: U branches/krb5-1-7/src/include/k5-err.h U branches/krb5-1-7/src/include/k5-int.h U branches/krb5-1-7/src/lib/krb5/krb/kerrs.c U branches/krb5-1-7/src/lib/krb5/libkrb5.exports U branches/krb5-1-7/src/util/support/errors.c U branches/krb5-1-7/src/util/support/libkrb5support-fixed.exports Modified: branches/krb5-1-7/src/include/k5-err.h =================================================================== --- branches/krb5-1-7/src/include/k5-err.h 2009-05-11 20:55:48 UTC (rev 22332) +++ branches/krb5-1-7/src/include/k5-err.h 2009-05-11 20:55:51 UTC (rev 22333) 
@@ -65,6 +65,22 @@ __attribute__((__format__(__printf__, 3, 0))) #endif ; +void +krb5int_set_error_fl (struct errinfo *ep, long code, + const char *file, int line, + const char *fmt, ...) +#if !defined(__cplusplus) && (__GNUC__ > 2) + __attribute__((__format__(__printf__, 5, 6))) +#endif + ; +void +krb5int_vset_error_fl (struct errinfo *ep, long code, + const char *file, int line, + const char *fmt, va_list args) +#if !defined(__cplusplus) && (__GNUC__ > 2) + __attribute__((__format__(__printf__, 5, 0))) +#endif + ; const char * krb5int_get_error (struct errinfo *ep, long code); void @@ -74,4 +90,9 @@ void krb5int_set_error_info_callout_fn (const char *(KRB5_CALLCONV *f)(long)); +#ifdef DEBUG_ERROR_LOCATIONS +#define krb5int_set_error(ep, code, ...) \ + krb5int_set_error_fl(ep, code, __FILE__, __LINE__, __VA_ARGS__) +#endif + #endif /* K5_ERR_H */ Modified: branches/krb5-1-7/src/include/k5-int.h =================================================================== --- branches/krb5-1-7/src/include/k5-int.h 2009-05-11 20:55:48 UTC (rev 22332) +++ branches/krb5-1-7/src/include/k5-int.h 2009-05-11 20:55:51 UTC (rev 22333) @@ -2828,4 +2828,9 @@ const krb5_keyblock *privsvr_key, krb5_data *data); +#ifdef DEBUG_ERROR_LOCATIONS +#define krb5_set_error_message(ctx, code, ...) \ + krb5_set_error_message_fl(ctx, code, __FILE__, __LINE__, __VA_ARGS__) +#endif + #endif /* _KRB5_INT_H */ Modified: branches/krb5-1-7/src/lib/krb5/krb/kerrs.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/kerrs.c 2009-05-11 20:55:48 UTC (rev 22332) +++ branches/krb5-1-7/src/lib/krb5/krb/kerrs.c 2009-05-11 20:55:51 UTC (rev 22333) @@ -35,6 +35,7 @@ #endif #endif +#undef krb5_set_error_message void KRB5_CALLCONV_C krb5_set_error_message (krb5_context ctx, krb5_error_code code, const char *fmt, ...) 
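Review bot: The k5-int.h hunk defines the `krb5_set_error_message` macro to call `krb5_set_error_message_fl`, but no hunk in this commit adds a declaration for that function (k5-err.h only declares the `krb5int_*_fl` pair). Unless a prototype already exists elsewhere, a build with DEBUG_ERROR_LOCATIONS would call a variadic function without a prototype and without printf format checking. I would declare it next to the macro, `void KRB5_CALLCONV_C krb5_set_error_message_fl(krb5_context ctx, krb5_error_code code, const char *file, int line, const char *fmt, ...);`, with the same `__format__(__printf__, 5, 6)` attribute that k5-err.h gives `krb5int_set_error_fl`.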
@@ -57,6 +58,28 @@ va_end (args); } +void KRB5_CALLCONV_C +krb5_set_error_message_fl (krb5_context ctx, krb5_error_code code, + const char *file, int line, const char *fmt, ...) +{ + va_list args; + if (ctx == NULL) + return; + va_start (args, fmt); +#ifdef DEBUG + if (ERROR_MESSAGE_DEBUG()) + fprintf(stderr, + "krb5_set_error_message(ctx=%p/err=%p, code=%ld, ...)\n", + ctx, &ctx->err, (long) code); +#endif + krb5int_vset_error_fl (&ctx->err, code, file, line, fmt, args); +#ifdef DEBUG + if (ERROR_MESSAGE_DEBUG()) + fprintf(stderr, "->%s\n", ctx->err.msg); +#endif + va_end (args); +} + void KRB5_CALLCONV krb5_vset_error_message (krb5_context ctx, krb5_error_code code, const char *fmt, va_list args) Modified: branches/krb5-1-7/src/lib/krb5/libkrb5.exports =================================================================== --- branches/krb5-1-7/src/lib/krb5/libkrb5.exports 2009-05-11 20:55:48 UTC (rev 22332) +++ branches/krb5-1-7/src/lib/krb5/libkrb5.exports 2009-05-11 20:55:51 UTC (rev 22333) @@ -487,6 +487,7 @@ krb5_set_default_tgs_enctypes krb5_set_default_tgs_ktypes krb5_set_error_message +krb5_set_error_message_fl krb5_set_password krb5_set_password_using_ccache krb5_set_principal_realm Modified: branches/krb5-1-7/src/util/support/errors.c =================================================================== --- branches/krb5-1-7/src/util/support/errors.c 2009-05-11 20:55:48 UTC (rev 22332) +++ branches/krb5-1-7/src/util/support/errors.c 2009-05-11 20:55:51 UTC (rev 22333) 
@@ -34,21 +34,40 @@ #define lock() k5_mutex_lock(&krb5int_error_info_support_mutex) #define unlock() k5_mutex_unlock(&krb5int_error_info_support_mutex) +#undef krb5int_set_error void krb5int_set_error (struct errinfo *ep, long code, const char *fmt, ...) { va_list args; va_start (args, fmt); - krb5int_vset_error (ep, code, fmt, args); + krb5int_vset_error_fl (ep, code, NULL, 0, fmt, args); va_end (args); } void +krb5int_set_error_fl (struct errinfo *ep, long code, + const char *file, int line, const char *fmt, ...) +{ + va_list args; + va_start (args, fmt); + krb5int_vset_error_fl (ep, code, file, line, fmt, args); + va_end (args); +} + +void krb5int_vset_error (struct errinfo *ep, long code, const char *fmt, va_list args) { + krb5int_vset_error_fl(ep, code, NULL, 0, fmt, args); +} + +void +krb5int_vset_error_fl (struct errinfo *ep, long code, + const char *file, int line, + const char *fmt, va_list args) +{ va_list args2; - char *str = NULL; + char *str = NULL, *str2, *slash; const char *loc_fmt = NULL; #ifdef USE_KIM @@ -66,6 +85,17 @@ str = NULL; } va_end(args2); + + if (str && line) { + /* Try to add file and line suffix. */ + slash = strrchr(file, '/'); + if (slash) + file = slash + 1; + if (asprintf(&str2, "%s (%s: %d)", str, file, line) > 0) { + free(str); + str = str2; + } + } /* If that failed, try using scratch_buf */ if (str == NULL) { Modified: branches/krb5-1-7/src/util/support/libkrb5support-fixed.exports =================================================================== --- branches/krb5-1-7/src/util/support/libkrb5support-fixed.exports 2009-05-11 20:55:48 UTC (rev 22332) +++ branches/krb5-1-7/src/util/support/libkrb5support-fixed.exports 2009-05-11 20:55:51 UTC (rev 22333) @@ -24,6 +24,8 @@ krb5int_mutex_unlock krb5int_set_error krb5int_vset_error +krb5int_set_error_fl +krb5int_vset_error_fl krb5int_get_error krb5int_free_error krb5int_clear_error From tlyu at MIT.EDU Mon May 11 16:55:57 2009 
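Review bot: In `krb5int_vset_error_fl` the suffix block is entered on `if (str && line)` and then calls `strrchr(file, '/')`, so it relies on every caller that passes a non-zero `line` also passing a non-NULL `file`. The two in-file callers pass `NULL, 0` together, but the function is now exported and nothing enforces the pairing; `if (str && file && line) {` makes the NULL case harmless. A short comment that `file == NULL` or `line == 0` means "no location" would document the convention the wrappers depend on.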
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 11 May 2009 16:55:57 -0400 Subject: svn rev #22335: branches/krb5-1-7/src/lib/crypto/ des/ Message-ID: <200905112055.n4BKtvas027138@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22335 Commit By: tlyu Log Message: ticket: 5587 version_fixed: 1.7 pull up r22298 from trunk ------------------------------------------------------------------------ r22298 | hartmans | 2009-04-30 16:17:42 -0400 (Thu, 30 Apr 2009) | 10 lines Changed paths: M /trunk/src/lib/crypto/des/Makefile.in M /trunk/src/lib/crypto/des/des_int.h A /trunk/src/lib/crypto/des/des_prf.c (from /trunk/src/lib/crypto/dk/dk_prf.c:22295) M /trunk/src/lib/crypto/etypes.c M /trunk/src/lib/crypto/t_cf2.comments M /trunk/src/lib/crypto/t_cf2.expected M /trunk/src/lib/crypto/t_cf2.in ticket: 5587 Tags: pullup Implement DES and 3DES PRF. Patch fromKAMADA Ken'ichi Currently the DES and 3DES PRF output 16-byte results. This is consistent with RFC 3961, but we need to confirm it is consistent with Heimdal and WG decisions. See IETF 74 minutes for some discussion of the concern as it applies to AES and thus possibly all simplified profile enctypes. Changed Files: U branches/krb5-1-7/src/lib/crypto/des/Makefile.in U branches/krb5-1-7/src/lib/crypto/des/des_int.h A branches/krb5-1-7/src/lib/crypto/des/des_prf.c U branches/krb5-1-7/src/lib/crypto/etypes.c U branches/krb5-1-7/src/lib/crypto/t_cf2.comments U branches/krb5-1-7/src/lib/crypto/t_cf2.expected U branches/krb5-1-7/src/lib/crypto/t_cf2.in Modified: branches/krb5-1-7/src/lib/crypto/des/Makefile.in =================================================================== --- branches/krb5-1-7/src/lib/crypto/des/Makefile.in 2009-05-11 20:55:54 UTC (rev 22334) +++ branches/krb5-1-7/src/lib/crypto/des/Makefile.in 2009-05-11 20:55:57 UTC (rev 22335) @@ -18,6 +18,7 @@ d3_cbc.o \ d3_aead.o \ d3_kysched.o \ + des_prf.o \ f_aead.o \ f_cbc.o \ f_cksum.o \ 
@@ -32,6 +33,7 @@ $(OUTPRE)d3_cbc.$(OBJEXT) \ $(OUTPRE)d3_aead.$(OBJEXT) \ $(OUTPRE)d3_kysched.$(OBJEXT) \ + $(OUTPRE)des_prf.$(OBJEXT) \ $(OUTPRE)f_aead.$(OBJEXT) \ $(OUTPRE)f_cbc.$(OBJEXT) \ $(OUTPRE)f_cksum.$(OBJEXT) \ @@ -46,6 +48,7 @@ $(srcdir)/d3_cbc.c \ $(srcdir)/d3_aead.c \ $(srcdir)/d3_kysched.c \ + $(srcdir)/des_prf.c \ $(srcdir)/f_aead.c \ $(srcdir)/f_cbc.c \ $(srcdir)/f_cksum.c \ Modified: branches/krb5-1-7/src/lib/crypto/des/des_int.h =================================================================== --- branches/krb5-1-7/src/lib/crypto/des/des_int.h 2009-05-11 20:55:54 UTC (rev 22334) +++ branches/krb5-1-7/src/lib/crypto/des/des_int.h 2009-05-11 20:55:57 UTC (rev 22335) @@ -374,5 +374,9 @@ extern krb5_error_code mit_des_set_random_sequence_number (const krb5_data * sequence, krb5_pointer random_state); - +krb5_error_code +krb5int_des_prf (const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, + const krb5_data *in, krb5_data *out); #endif /*DES_INTERNAL_DEFS*/ Added: branches/krb5-1-7/src/lib/crypto/des/des_prf.c =================================================================== --- branches/krb5-1-7/src/lib/crypto/des/des_prf.c 2009-05-11 20:55:54 UTC (rev 22334) +++ branches/krb5-1-7/src/lib/crypto/des/des_prf.c 2009-05-11 20:55:57 UTC (rev 22335) 
@@ -0,0 +1,54 @@ +/* + * lib/crypto/des/des_prf.c + * + * Copyright (C) 2004, 2009 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * + * + * This file contains an implementation of the RFC 3961 PRF for + * des-cbc-crc, des-cbc-md4, and des-cbc-md5 enctypes. + */ + +#include "k5-int.h" +#include "../hash_provider/hash_provider.h" /* XXX is this ok? */ + +krb5_error_code +krb5int_des_prf (const struct krb5_enc_provider *enc, + const struct krb5_hash_provider *hash, + const krb5_keyblock *key, + const krb5_data *in, krb5_data *out) +{ + krb5_data tmp; + krb5_error_code ret = 0; + + hash = &krb5int_hash_md5; /* MD5 is always used. 
*/ + tmp.length = hash->hashsize; + tmp.data = malloc(hash->hashsize); + if (tmp.data == NULL) + return ENOMEM; + ret = hash->hash(1, in, &tmp); + if (ret == 0) + ret = enc->encrypt(key, NULL, &tmp, out); + free(tmp.data); + return ret; +} Modified: branches/krb5-1-7/src/lib/crypto/etypes.c =================================================================== --- branches/krb5-1-7/src/lib/crypto/etypes.c 2009-05-11 20:55:54 UTC (rev 22334) +++ branches/krb5-1-7/src/lib/crypto/etypes.c 2009-05-11 20:55:57 UTC (rev 22335) @@ -33,6 +33,7 @@ #include "dk.h" #include "arcfour.h" #include "aes_s2k.h" +#include "des/des_int.h" /* these will be linear searched. if they ever get big, a binary search or hash table would be better, which means these would need 
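Review bot: `krb5int_des_prf` passes `out` straight to `enc->encrypt(key, NULL, &tmp, out)` without checking that `out->length` matches the `hash->hashsize` bytes it is about to produce, so it depends on every caller sizing the output buffer correctly. Whether the encrypt provider checks lengths itself is not visible here; a guard before the `malloc` such as `if (out->length != hash->hashsize) return KRB5_CRYPTO_INTERNAL;` would make the contract explicit. The function also silently replaces its `hash` argument with `&krb5int_hash_md5`; the header comment should say that the parameter is ignored so that callers passing the CRC or MD4 provider are not misled.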
@@ -44,47 +45,47 @@ { ENCTYPE_DES_CBC_CRC, "des-cbc-crc", { 0 }, "DES cbc mode with CRC-32", &krb5int_enc_des, &krb5int_hash_crc32, - 8, + 16, krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt, krb5int_des_string_to_key, - NULL, /*PRF*/ + krb5int_des_prf, CKSUMTYPE_RSA_MD5, NULL, /*AEAD*/ ETYPE_WEAK }, { ENCTYPE_DES_CBC_MD4, "des-cbc-md4", { 0 }, "DES cbc mode with RSA-MD4", &krb5int_enc_des, &krb5int_hash_md4, - 8, + 16, krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt, krb5int_des_string_to_key, - NULL, /*PRF*/ + krb5int_des_prf, CKSUMTYPE_RSA_MD4, NULL, /*AEAD*/ ETYPE_WEAK }, { ENCTYPE_DES_CBC_MD5, "des-cbc-md5", { "des" }, "DES cbc mode with RSA-MD5", &krb5int_enc_des, &krb5int_hash_md5, - 8, + 16, krb5_old_encrypt_length, krb5_old_encrypt, krb5_old_decrypt, krb5int_des_string_to_key, - NULL, /*PRF*/ + krb5int_des_prf, CKSUMTYPE_RSA_MD5, NULL, /*AEAD*/ ETYPE_WEAK }, { ENCTYPE_DES_CBC_RAW, "des-cbc-raw", { 0 }, "DES cbc mode raw", &krb5int_enc_des, NULL, - 8, + 16, krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt, krb5int_des_string_to_key, - NULL, /*PRF*/ + krb5int_des_prf, 0, &krb5int_aead_raw, ETYPE_WEAK }, { ENCTYPE_DES3_CBC_RAW, "des3-cbc-raw", { 0 }, "Triple DES cbc mode raw", &krb5int_enc_des3, NULL, - 8, + 16, krb5_raw_encrypt_length, krb5_raw_encrypt, krb5_raw_decrypt, krb5int_dk_string_to_key, NULL, /*PRF*/ 
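Review bot: The ENCTYPE_DES3_CBC_RAW entry at the end of this hunk has its numeric field after the hash provider changed from `8` to `16` like the others, but its PRF slot is left as `NULL, /*PRF*/`, while the four DES entries get `krb5int_des_prf` and des3-cbc-sha1 gets `krb5int_dk_prf` in the next hunk. If that field is the PRF output length, as the pairing with the PRF changes suggests, the table now advertises a 16-byte PRF for an enctype that has none. Either leave that entry's value unchanged or add a comment stating that des3-cbc-raw intentionally has no PRF; the entry continues past the end of the hunk.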
@@ -96,10 +97,10 @@ "des3-cbc-sha1", { "des3-hmac-sha1", "des3-cbc-sha1-kd" }, "Triple DES cbc mode with HMAC/sha1", &krb5int_enc_des3, &krb5int_hash_sha1, - 8, + 16, krb5_dk_encrypt_length, krb5_dk_encrypt, krb5_dk_decrypt, krb5int_dk_string_to_key, - NULL, /*PRF*/ + krb5int_dk_prf, CKSUMTYPE_HMAC_SHA1_DES3, &krb5int_aead_dk, 0 /*flags*/ }, Modified: branches/krb5-1-7/src/lib/crypto/t_cf2.comments =================================================================== --- branches/krb5-1-7/src/lib/crypto/t_cf2.comments 2009-05-11 20:55:54 UTC (rev 22334) +++ branches/krb5-1-7/src/lib/crypto/t_cf2.comments 2009-05-11 20:55:57 UTC (rev 22335) @@ -1,3 +1,5 @@ The first test mirrors the first two tests in t_prf.in. The second test mirrors the following four tests in t_prf.in. + +The third and fourth tests are simple tests of the DES and 3DES PRF. Modified: branches/krb5-1-7/src/lib/crypto/t_cf2.expected =================================================================== --- branches/krb5-1-7/src/lib/crypto/t_cf2.expected 2009-05-11 20:55:54 UTC (rev 22334) +++ branches/krb5-1-7/src/lib/crypto/t_cf2.expected 2009-05-11 20:55:57 UTC (rev 22335) @@ -1,2 +1,4 @@ 97df97e4b798b29eb31ed7280287a92a 4d6ca4e629785c1f01baf55e2e548566b9617ae3a96868c337cb93b5e72b1c7b +43bae3738c9467e6 +e58f9eb643862c13ad38e529313462a7f73e62834fe54a01 Modified: branches/krb5-1-7/src/lib/crypto/t_cf2.in =================================================================== --- branches/krb5-1-7/src/lib/crypto/t_cf2.in 2009-05-11 20:55:54 UTC (rev 22334) +++ branches/krb5-1-7/src/lib/crypto/t_cf2.in 2009-05-11 20:55:57 UTC (rev 22335) @@ -8,3 +8,13 @@ key2 a b +1 +key1 +key2 +a +b +16 +key1 +key2 +a +b From tlyu at MIT.EDU Mon May 11 16:56:00 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 11 May 2009 16:56:00 -0400 Subject: svn rev #22336: branches/krb5-1-7/src/lib/krb5/krb/ Message-ID: <200905112056.n4BKu0A7027176@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22336 Commit By: tlyu Log Message: ticket: 6401 version_fixed: 1.7 pull up r22310 from trunk ------------------------------------------------------------------------ r22310 | ghudson | 2009-05-05 12:30:19 -0400 (Tue, 05 May 2009) | 5 lines Changed paths: M /trunk/src/lib/krb5/krb/get_in_tkt.c ticket: 6401 In krb5_get_in_tkt, free the whole encoded request (since the structure was allocated by encode_krb5_as_req), not just the contents. Changed Files: U branches/krb5-1-7/src/lib/krb5/krb/get_in_tkt.c Modified: branches/krb5-1-7/src/lib/krb5/krb/get_in_tkt.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/get_in_tkt.c 2009-05-11 20:55:57 UTC (rev 22335) +++ branches/krb5-1-7/src/lib/krb5/krb/get_in_tkt.c 2009-05-11 20:55:59 UTC (rev 22336) @@ -650,7 +650,7 @@ retval = send_as_request(context, encoded_request, krb5_princ_realm(context, request.client), &err_reply, &as_reply, &use_master); - krb5_free_data_contents(context, encoded_request); + krb5_free_data(context, encoded_request); if (retval != 0) goto cleanup; From tlyu at MIT.EDU Mon May 11 16:56:17 2009 
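Review bot: After `krb5_free_data(context, encoded_request);` the variable still holds the freed address, and the `goto cleanup` on the following line leads to code outside the hunk. If the cleanup path or a later pass through this code reads `encoded_request` before it is reassigned, that would be a double free or use after free; adding `encoded_request = NULL;` directly after the call rules it out at no cost.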
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 11 May 2009 16:56:17 -0400 Subject: svn rev #22337: branches/krb5-1-7/src/lib/krb5/krb/ Message-ID: <200905112056.n4BKuH8t027229@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22337 Commit By: tlyu Log Message: ticket: 6210 version_fixed: 1.7 pull up r22319 from trunk ------------------------------------------------------------------------ r22319 | ghudson | 2009-05-06 14:52:44 -0400 (Wed, 06 May 2009) | 5 lines Changed paths: M /trunk/src/lib/krb5/krb/preauth2.c ticket: 6210 In pa_sam, use the correct function to free sam_challenge in the success path. Changed Files: U branches/krb5-1-7/src/lib/krb5/krb/preauth2.c Modified: branches/krb5-1-7/src/lib/krb5/krb/preauth2.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/preauth2.c 2009-05-11 20:55:59 UTC (rev 22336) +++ branches/krb5-1-7/src/lib/krb5/krb/preauth2.c 2009-05-11 20:56:16 UTC (rev 22337) @@ -1019,7 +1019,7 @@ sam_response.sam_type = sam_challenge->sam_type; sam_response.magic = KV5M_SAM_RESPONSE; - free(sam_challenge); + krb5_free_sam_challenge(context, sam_challenge); /* encode the encoded part of the response */ if ((ret = encode_krb5_enc_sam_response_enc(&enc_sam_response_enc, From tlyu at MIT.EDU Mon May 11 16:56:33 2009 
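Review bot: Switching to `krb5_free_sam_challenge(context, sam_challenge);` means the members of the challenge are now released as well, which the plain `free()` did not do. The visible line above copies only `sam_type`, but the earlier assignments into `sam_response` are outside the hunk; if any of them copy a `krb5_data` or other pointer-bearing member by value, those copies dangle from this point on and are still in use when the response is encoded below. The deep free should either move after the response has been encoded, or the copied members should be duplicated or cleared in the challenge first.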
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 11 May 2009 16:56:33 -0400 Subject: svn rev #22338: branches/krb5-1-7/src/lib/kadm5/ srv/ unit-test/api.0/ unit-test/api.2/ Message-ID: <200905112056.n4BKuXG3027271@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22338 Commit By: tlyu Log Message: ticket: 6482 version_fixed: 1.7 pull up r22323 from trunk ------------------------------------------------------------------------ r22323 | ghudson | 2009-05-07 15:51:46 -0400 (Thu, 07 May 2009) | 8 lines Changed paths: M /trunk/src/lib/kadm5/srv/svr_policy.c M /trunk/src/lib/kadm5/unit-test/api.0/crte-policy.exp M /trunk/src/lib/kadm5/unit-test/api.2/crte-policy.exp ticket: 6482 subject: Allow more than 10 past keys to be stored by a policy target_version: 1.7 tags: pullup Remove the arbitrary limit of 10 past keys in policies. We were not taking advantage of that limit in any other code. Changed Files: U branches/krb5-1-7/src/lib/kadm5/srv/svr_policy.c U branches/krb5-1-7/src/lib/kadm5/unit-test/api.0/crte-policy.exp U branches/krb5-1-7/src/lib/kadm5/unit-test/api.2/crte-policy.exp Modified: branches/krb5-1-7/src/lib/kadm5/srv/svr_policy.c =================================================================== --- branches/krb5-1-7/src/lib/kadm5/srv/svr_policy.c 2009-05-11 20:56:16 UTC (rev 22337) +++ branches/krb5-1-7/src/lib/kadm5/srv/svr_policy.c 2009-05-11 20:56:33 UTC (rev 22338) @@ -15,7 +15,6 @@ #include #include -#define MAX_PW_HISTORY 10 #define MIN_PW_HISTORY 1 #define MIN_PW_CLASSES 1 #define MAX_PW_CLASSES 5 @@ -132,8 +131,7 @@ if (!(mask & KADM5_PW_HISTORY_NUM)) pent.pw_history_num = MIN_PW_HISTORY; else { - if(entry->pw_history_num < MIN_PW_HISTORY || - entry->pw_history_num > MAX_PW_HISTORY) + if(entry->pw_history_num < MIN_PW_HISTORY) return KADM5_BAD_HISTORY; else pent.pw_history_num = entry->pw_history_num; 
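Review bot: With `MAX_PW_HISTORY` removed, `entry->pw_history_num` is accepted with only the `< MIN_PW_HISTORY` check, here and in the modify path at `@@ -242,8 +240,7 @@`, so any positive value an administrator or a buggy client supplies is stored. The value presumably controls how many old keys are kept per principal, so an unbounded number has storage and record-size consequences that nothing in these hunks limits. I would either keep a generous sanity cap or add a comment at both checks such as `/* No upper bound by design; history storage grows with this value. */`. The removed 21.5 tests are also not replaced by one showing that a value above 10 is now accepted.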
@@ -242,8 +240,7 @@ p->pw_min_classes = entry->pw_min_classes; } if ((mask & KADM5_PW_HISTORY_NUM)) { - if(entry->pw_history_num < MIN_PW_HISTORY || - entry->pw_history_num > MAX_PW_HISTORY) { + if(entry->pw_history_num < MIN_PW_HISTORY) { krb5_db_free_policy(handle->context, p); return KADM5_BAD_HISTORY; } Modified: branches/krb5-1-7/src/lib/kadm5/unit-test/api.0/crte-policy.exp =================================================================== --- branches/krb5-1-7/src/lib/kadm5/unit-test/api.0/crte-policy.exp 2009-05-11 20:56:16 UTC (rev 22337) +++ branches/krb5-1-7/src/lib/kadm5/unit-test/api.0/crte-policy.exp 2009-05-11 20:56:33 UTC (rev 22338) @@ -743,41 +743,6 @@ } test21 -# Description: (21.5) Rejects 11 for pw_history_num. -# 01/24/94: pshuang: untried. - -test "create-policy 21.5" -proc test215 {} { - global test - global prompt - - if {! (( ! [policy_exists "$test/a"]) || - [delete_policy "$test/a"])} { - error_and_restart "$test: couldn't delete principal \"$test/a\"" - return - } - - if {! [cmd { - ovsec_kadm_init admin admin $OVSEC_KADM_ADMIN_SERVICE null \ - $OVSEC_KADM_STRUCT_VERSION $OVSEC_KADM_API_VERSION_1 \ - server_handle - }]} { - perror "$test: unexpected failure in init" - return - } - - one_line_fail_test [format { - ovsec_kadm_create_policy $server_handle {"%s/a" 0 0 0 0 11 0} \ - {OVSEC_KADM_POLICY OVSEC_KADM_PW_HISTORY_NUM} - } $test] "BAD_HISTORY" - if { ! [cmd {ovsec_kadm_destroy $server_handle}]} { - perror "$test: unexpected failure in destroy" - return - } -} -test215 - - # Description: (22) Fails for user with no access bits. test "create-policy 22" proc test22 {} { Modified: branches/krb5-1-7/src/lib/kadm5/unit-test/api.2/crte-policy.exp =================================================================== --- branches/krb5-1-7/src/lib/kadm5/unit-test/api.2/crte-policy.exp 2009-05-11 20:56:16 UTC (rev 22337) +++ branches/krb5-1-7/src/lib/kadm5/unit-test/api.2/crte-policy.exp 2009-05-11 20:56:33 UTC (rev 22338) 
@@ -743,41 +743,6 @@ } test21 -# Description: (21.5) Rejects 11 for pw_history_num. -# 01/24/94: pshuang: untried. - -test "create-policy 21.5" -proc test215 {} { - global test - global prompt - - if {! (( ! [policy_exists "$test/a"]) || - [delete_policy "$test/a"])} { - error_and_restart "$test: couldn't delete principal \"$test/a\"" - return - } - - if {! [cmd { - kadm5_init admin admin $KADM5_ADMIN_SERVICE null \ - $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \ - server_handle - }]} { - perror "$test: unexpected failure in init" - return - } - - one_line_fail_test [format { - kadm5_create_policy $server_handle {"%s/a" 0 0 0 0 11 0} \ - {KADM5_POLICY KADM5_PW_HISTORY_NUM} - } $test] "BAD_HISTORY" - if { ! [cmd {kadm5_destroy $server_handle}]} { - perror "$test: unexpected failure in destroy" - return - } -} -test215 - - # Description: (22) Fails for user with no access bits. test "create-policy 22" proc test22 {} { From tlyu at MIT.EDU Mon May 11 16:56:53 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 11 May 2009 16:56:53 -0400 Subject: svn rev #22340: branches/krb5-1-7/src/ include/ lib/krb5/ lib/krb5/krb/ Message-ID: <200905112056.n4BKurJK027362@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22340 Commit By: tlyu Log Message: ticket: 6484 version_fixed: 1.7 pull up r22325 from trunk ------------------------------------------------------------------------ r22325 | hartmans | 2009-05-07 16:35:28 -0400 (Thu, 07 May 2009) | 18 lines Changed paths: M /trunk/src/include/k5-int.h M /trunk/src/lib/krb5/krb/decode_kdc.c M /trunk/src/lib/krb5/krb/gc_via_tkt.c M /trunk/src/lib/krb5/libkrb5.exports Subject: Try decrypting using session key if subkey fails in tgs rep handling ticket: 6484 Tags: pullup Target_Version: 1.7 Heimdal at least up through 1.2 incorrectly encrypts the TGS response in the session key not the subkey when a subkey is supplied. See RFC 4120 page 35. Work around this by trying decryption using the session key after the subkey fails. * decode_kdc_rep.c: rename to krb5int_decode_tgs_rep; only used for TGS and now needs to take keyusage * gc_via_tkt: pass in session key and appropriate usage if subkey fails. Note that the dead code to process AS responses in decode_kdc_rep is not removed by this commit. That will be removed as FAST TGS client support is integrated post 1.7. Changed Files: U branches/krb5-1-7/src/include/k5-int.h U branches/krb5-1-7/src/lib/krb5/krb/decode_kdc.c U branches/krb5-1-7/src/lib/krb5/krb/gc_via_tkt.c U branches/krb5-1-7/src/lib/krb5/libkrb5.exports Modified: branches/krb5-1-7/src/include/k5-int.h =================================================================== --- branches/krb5-1-7/src/include/k5-int.h 2009-05-11 20:56:50 UTC (rev 22339) +++ branches/krb5-1-7/src/include/k5-int.h 2009-05-11 20:56:53 UTC (rev 22340) 
@@ -2644,10 +2644,10 @@ * in with the subkey needed to decrypt the TGS * response. Otherwise it will be set to null. */ -krb5_error_code krb5_decode_kdc_rep +krb5_error_code krb5int_decode_tgs_rep (krb5_context, krb5_data *, - const krb5_keyblock *, + const krb5_keyblock *, krb5_keyusage, krb5_kdc_rep ** ); krb5_error_code krb5int_find_authdata (krb5_context context, krb5_authdata *const * ticket_authdata, Modified: branches/krb5-1-7/src/lib/krb5/krb/decode_kdc.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/decode_kdc.c 2009-05-11 20:56:50 UTC (rev 22339) +++ branches/krb5-1-7/src/lib/krb5/krb/decode_kdc.c 2009-05-11 20:56:53 UTC (rev 22340) @@ -43,17 +43,15 @@ */ krb5_error_code -krb5_decode_kdc_rep(krb5_context context, krb5_data *enc_rep, const krb5_keyblock *key, krb5_kdc_rep **dec_rep) +krb5int_decode_tgs_rep(krb5_context context, krb5_data *enc_rep, const krb5_keyblock *key, + krb5_keyusage usage, krb5_kdc_rep **dec_rep) { krb5_error_code retval; krb5_kdc_rep *local_dec_rep; - krb5_keyusage usage; if (krb5_is_as_rep(enc_rep)) { - usage = KRB5_KEYUSAGE_AS_REP_ENCPART; retval = decode_krb5_as_rep(enc_rep, &local_dec_rep); } else if (krb5_is_tgs_rep(enc_rep)) { - usage = KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY; retval = decode_krb5_tgs_rep(enc_rep, &local_dec_rep); } else { return KRB5KRB_AP_ERR_MSG_TYPE; Modified: branches/krb5-1-7/src/lib/krb5/krb/gc_via_tkt.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/gc_via_tkt.c 2009-05-11 20:56:50 UTC (rev 22339) +++ branches/krb5-1-7/src/lib/krb5/krb/gc_via_tkt.c 2009-05-11 20:56:53 UTC (rev 22340) 
@@ -290,9 +290,17 @@ goto error_4; } - if ((retval = krb5_decode_kdc_rep(context, &tgsrep.response, - subkey, &dec_rep))) - goto error_4; + /* Unfortunately, Heimdal at least up through 1.2 encrypts using + the session key not the subsession key. So we try both. */ + if ((retval = krb5int_decode_tgs_rep(context, &tgsrep.response, + subkey, + KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY, &dec_rep))) { + if ((krb5int_decode_tgs_rep(context, &tgsrep.response, + &tkt->keyblock, + KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY, &dec_rep)) == 0) + retval = 0; + else goto error_4; + } if (dec_rep->msg_type != KRB5_TGS_REP) { retval = KRB5KRB_AP_ERR_MSG_TYPE; Modified: branches/krb5-1-7/src/lib/krb5/libkrb5.exports =================================================================== --- branches/krb5-1-7/src/lib/krb5/libkrb5.exports 2009-05-11 20:56:50 UTC (rev 22339) +++ branches/krb5-1-7/src/lib/krb5/libkrb5.exports 2009-05-11 20:56:53 UTC (rev 22340) @@ -185,7 +185,6 @@ krb5_create_secure_file krb5_crypto_us_timeofday krb5_decode_authdata_container -krb5_decode_kdc_rep krb5_decode_ticket krb5_decrypt_tkt_part krb5_default_pwd_prompt1 From tlyu at MIT.EDU Mon May 11 16:56:50 2009 
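Review bot: The fallback in this hunk retries with `&tkt->keyblock` after any non-zero return from the subkey attempt, not only after a decryption failure, so an allocation or ASN.1 decoding error also leads to a second decode under a different key and key usage. Limiting the retry to the integrity-failure code keeps the workaround confined to the Heimdal case the comment describes; this assumes a wrong key surfaces as KRB5KRB_AP_ERR_BAD_INTEGRITY from the decrypt step, which is not visible here and should be confirmed. The rewrite below also replaces the `else goto error_4;` one-liner with a flat sequence and, like the original, leaves the first error in `retval` when both attempts fail. The enclosing function starts and ends outside the hunk.

```c
    /* Unfortunately, Heimdal at least up through 1.2 encrypts using
       the session key not the subsession key.  Retry with the session
       key only when the subkey attempt failed to decrypt. */
    retval = krb5int_decode_tgs_rep(context, &tgsrep.response, subkey,
                                    KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY,
                                    &dec_rep);
    if (retval == KRB5KRB_AP_ERR_BAD_INTEGRITY &&
        krb5int_decode_tgs_rep(context, &tgsrep.response, &tkt->keyblock,
                               KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY,
                               &dec_rep) == 0)
        retval = 0;
    if (retval)
        goto error_4;
    /* … unchanged: dec_rep->msg_type check … */
```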
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 11 May 2009 16:56:50 -0400 Subject: svn rev #22339: branches/krb5-1-7/src/kadmin/ cli/ ktutil/ Message-ID: <200905112056.n4BKuon6027325@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22339 Commit By: tlyu Log Message: ticket: 6483 version_fixed: 1.7 pull up r22324 from trunk ------------------------------------------------------------------------ r22324 | hartmans | 2009-05-07 16:35:19 -0400 (Thu, 07 May 2009) | 8 lines Changed paths: M /trunk/src/kadmin/cli/k5srvutil.M M /trunk/src/kadmin/cli/kadmin.M M /trunk/src/kadmin/cli/kadmin.local.M M /trunk/src/kadmin/ktutil/ktutil.M ticket: 6483 Subject: man1 in title header for man1 manpages Target_Version: 1.7 Tags: pullup A previous ticket moved kadmin, kadmin.local, ktutil and k5srvutil man pages to man1 from man8. This updates the section within the man page. Changed Files: U branches/krb5-1-7/src/kadmin/cli/k5srvutil.M U branches/krb5-1-7/src/kadmin/cli/kadmin.M U branches/krb5-1-7/src/kadmin/cli/kadmin.local.M U branches/krb5-1-7/src/kadmin/ktutil/ktutil.M Modified: branches/krb5-1-7/src/kadmin/cli/k5srvutil.M =================================================================== --- branches/krb5-1-7/src/kadmin/cli/k5srvutil.M 2009-05-11 20:56:33 UTC (rev 22338) +++ branches/krb5-1-7/src/kadmin/cli/k5srvutil.M 2009-05-11 20:56:50 UTC (rev 22339) @@ -1,6 +1,6 @@ .\" Copyright 1989, 2003 by the Massachusetts Institute of Technology. .\" -.TH K5SRVUTIL 8 +.TH K5SRVUTIL 1 .SH NAME k5srvutil \- host key table (keytab) manipulation utility .SH SYNOPSIS Modified: branches/krb5-1-7/src/kadmin/cli/kadmin.M =================================================================== --- branches/krb5-1-7/src/kadmin/cli/kadmin.M 2009-05-11 20:56:33 UTC (rev 22338) +++ branches/krb5-1-7/src/kadmin/cli/kadmin.M 2009-05-11 20:56:50 UTC (rev 22339) 
@@ -1,4 +1,4 @@ -.TH KADMIN 8 +.TH KADMIN 1 .SH NAME kadmin \- Kerberos V5 database administration program .SH SYNOPSYS Modified: branches/krb5-1-7/src/kadmin/cli/kadmin.local.M =================================================================== --- branches/krb5-1-7/src/kadmin/cli/kadmin.local.M 2009-05-11 20:56:33 UTC (rev 22338) +++ branches/krb5-1-7/src/kadmin/cli/kadmin.local.M 2009-05-11 20:56:50 UTC (rev 22339) @@ -1 +1 @@ -.so man8/kadmin.8 +.so man1/kadmin.1 Modified: branches/krb5-1-7/src/kadmin/ktutil/ktutil.M =================================================================== --- branches/krb5-1-7/src/kadmin/ktutil/ktutil.M 2009-05-11 20:56:33 UTC (rev 22338) +++ branches/krb5-1-7/src/kadmin/ktutil/ktutil.M 2009-05-11 20:56:50 UTC (rev 22339) @@ -1,4 +1,4 @@ -.TH KTUTIL 8 +.TH KTUTIL 1 .SH NAME ktutil \- Kerberos keytab file maintenance utility .SH SYNOPSIS From tlyu at MIT.EDU Mon May 11 16:56:56 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 11 May 2009 16:56:56 -0400 Subject: svn rev #22341: branches/krb5-1-7/src/lib/crypto/ des/ Message-ID: <200905112056.n4BKuuWb027401@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22341 Commit By: tlyu Log Message: make depend Changed Files: U branches/krb5-1-7/src/lib/crypto/deps U branches/krb5-1-7/src/lib/crypto/des/deps Modified: branches/krb5-1-7/src/lib/crypto/deps =================================================================== --- branches/krb5-1-7/src/lib/crypto/deps 2009-05-11 20:56:53 UTC (rev 22340) +++ branches/krb5-1-7/src/lib/crypto/deps 2009-05-11 20:56:55 UTC (rev 22341) 
@@ -191,7 +191,7 @@ $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ $(srcdir)/aes/aes_s2k.h $(srcdir)/arcfour/arcfour.h \ - $(srcdir)/dk/dk.h $(srcdir)/enc_provider/enc_provider.h \ + $(srcdir)/des/des_int.h $(srcdir)/dk/dk.h $(srcdir)/enc_provider/enc_provider.h \ $(srcdir)/hash_provider/hash_provider.h $(srcdir)/old/old.h \ $(srcdir)/raw/raw.h etypes.c etypes.h hmac.so hmac.po $(OUTPRE)hmac.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ Modified: branches/krb5-1-7/src/lib/crypto/des/deps =================================================================== --- branches/krb5-1-7/src/lib/crypto/des/deps 2009-05-11 20:56:53 UTC (rev 22340) +++ branches/krb5-1-7/src/lib/crypto/des/deps 2009-05-11 20:56:55 UTC (rev 22341) @@ -42,6 +42,16 @@ $(SRCTOP)/include/krb5.h $(SRCTOP)/include/krb5/locate_plugin.h \ $(SRCTOP)/include/krb5/preauth_plugin.h $(SRCTOP)/include/port-sockets.h \ $(SRCTOP)/include/socket-utils.h d3_kysched.c des_int.h +des_prf.so des_prf.po $(OUTPRE)des_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ + $(SRCTOP)/include/k5-err.h $(SRCTOP)/include/k5-gmt_mktime.h \ + $(SRCTOP)/include/k5-int-pkinit.h $(SRCTOP)/include/k5-int.h \ + $(SRCTOP)/include/k5-platform.h $(SRCTOP)/include/k5-plugin.h \ + $(SRCTOP)/include/k5-thread.h $(SRCTOP)/include/krb5.h \ + $(SRCTOP)/include/krb5/locate_plugin.h $(SRCTOP)/include/krb5/preauth_plugin.h \ + $(SRCTOP)/include/port-sockets.h $(SRCTOP)/include/socket-utils.h \ + $(srcdir)/../hash_provider/hash_provider.h des_prf.c f_aead.so f_aead.po $(OUTPRE)f_aead.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(SRCTOP)/include/k5-buf.h \ From tlyu at MIT.EDU Mon May 11 18:11:31 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 11 May 2009 18:11:31 -0400 Subject: svn rev #22342: branches/krb5-1-7/doc/ Message-ID: <200905112211.n4BMBVms032465@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22342 Commit By: tlyu Log Message: ticket: 6485 tags: pullup target_version: 1.7 version_fixed: 1.7 subject: document ok_as_delegate in admin.texinfo pull up r2293, r22304 from trunk ------------------------------------------------------------------------ r22304 | ghudson | 2009-05-03 14:47:27 -0400 (Sun, 03 May 2009) | 2 lines Changed paths: M /trunk/doc/admin.texinfo Fix formatting of ok_as_delegate documentation in admin guide. ------------------------------------------------------------------------ r22293 | ghudson | 2009-04-30 11:08:50 -0400 (Thu, 30 Apr 2009) | 2 lines Changed paths: M /trunk/doc/admin.texinfo Document ok_as_delegate in the admin guide. Changed Files: U branches/krb5-1-7/doc/admin.texinfo Modified: branches/krb5-1-7/doc/admin.texinfo =================================================================== --- branches/krb5-1-7/doc/admin.texinfo 2009-05-11 20:56:55 UTC (rev 22341) +++ branches/krb5-1-7/doc/admin.texinfo 2009-05-11 22:11:30 UTC (rev 22342) @@ -2274,6 +2274,14 @@ ``+password_changing_service'' option sets the KRB5_KDB_PWCHANGE_SERVICE flag on the principal in the database. + at item @{-|+@}ok_as_delegate +The ``+ok_as_delegate'' option sets a flag in tickets issued for the +service principal. Some client programs may recognize this flag as +indicating that it is okay to delegate credentials to the service. If +ok_as_delegate is set on a cross-realm TGT, it indicates that the +foreign realm's ok_as_delegate flags should be honored by clients in +the local realm. The default is ``-ok_as_delegate''. + @item -randkey Sets the key for the principal to a random value (@code{add_principal} only). @value{COMPANY} recommends using this option for host keys. 
@@ -3101,6 +3109,13 @@ @samp{KRB5_KDB_REQURES_HW_AUTH} flag.) @code{-requires_hwauth} clears this flag. + at itemx @{-|+@}ok_as_delegate + at code{+ok_as_delegate} sets the OK-AS-DELEGATE flag on tickets issued for use +with this principal as the service, which clients may use as a hint that +credentials can and should be delegated when authenticating to the service. +(Sets the @samp{KRB5_KDB_OK_AS_DELEGATE} flag.) @code{-ok_as_delegate} clears +this flag. + @itemx @{-|+@}allow_svr @code{-allow_svr} prohibits the issuance of service tickets for principals. (Sets the @samp{KRB5_KDB_DISALLOW_SVR} flag.) @code{+allow_svr} clears this flag. From ghudson at MIT.EDU Mon May 11 18:46:56 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Mon, 11 May 2009 18:46:56 -0400 Subject: svn rev #22343: trunk/src/lib/krb5/krb/ Message-ID: <200905112246.n4BMkuPb002202@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22343 Commit By: ghudson Log Message: ticket: 6200 status: open In recvauth_common, convert a use of strcpy to strdup. Changed Files: U trunk/src/lib/krb5/krb/recvauth.c Modified: trunk/src/lib/krb5/krb/recvauth.c =================================================================== --- trunk/src/lib/krb5/krb/recvauth.c 2009-05-11 22:11:30 UTC (rev 22342) +++ trunk/src/lib/krb5/krb/recvauth.c 2009-05-11 22:46:56 UTC (rev 22343) @@ -173,11 +173,11 @@ error.error = KRB_ERR_GENERIC; message = error_message(problem); error.text.length = strlen(message) + 1; - if (!(error.text.data = malloc(error.text.length))) { + error.text.data = strdup(message); + if (!error.text.data) { retval = ENOMEM; goto cleanup; } - strcpy(error.text.data, message); if ((retval = krb5_mk_error(context, &error, &outbuf))) { free(error.text.data); goto cleanup; From raeburn at MIT.EDU Mon May 11 19:34:57 2009 
From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Mon, 11 May 2009 19:34:57 -0400 Subject: svn rev #22344: trunk/src/lib/krb5/unicode/ure/ Message-ID: <200905112334.n4BNYv8O005425@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22344 Commit By: raeburn Log Message: reduce character-class table entry size (40%) based on limited data ranges; make table const Changed Files: U trunk/src/lib/krb5/unicode/ure/ure.c Modified: trunk/src/lib/krb5/unicode/ure/ure.c =================================================================== --- trunk/src/lib/krb5/unicode/ure/ure.c 2009-05-11 22:46:56 UTC (rev 22343) +++ trunk/src/lib/krb5/unicode/ure/ure.c 2009-05-11 23:34:56 UTC (rev 22344) @@ -547,8 +547,8 @@ typedef struct { ucs2_t key; - unsigned long len; - unsigned long next; + unsigned int len : 8; + unsigned int next : 8; _ure_cclsetup_t func; unsigned long mask; } _ure_trie_t; @@ -600,7 +600,7 @@ _ure_add_range(&sym->sym.ccl, &range, b); } -static _ure_trie_t cclass_trie[] = { +static const _ure_trie_t cclass_trie[] = { {0x003a, 1, 1, 0, 0}, {0x0061, 9, 10, 0, 0}, {0x0063, 8, 19, 0, 0}, @@ -678,7 +678,7 @@ { int i; unsigned long n; - _ure_trie_t *tp; + const _ure_trie_t *tp; ucs2_t *sp, *ep; /* From tlyu at MIT.EDU Tue May 12 19:13:58 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 12 May 2009 19:13:58 -0400 Subject: svn rev #22345: branches/krb5-1-7/ src/ Message-ID: <200905122313.n4CNDwbS000590@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22345 Commit By: tlyu Log Message: README and patchlevel for krb5-1.7-beta2 Changed Files: U branches/krb5-1-7/README U branches/krb5-1-7/src/patchlevel.h Modified: branches/krb5-1-7/README =================================================================== --- branches/krb5-1-7/README 2009-05-11 23:34:56 UTC (rev 22344) +++ branches/krb5-1-7/README 2009-05-12 23:13:57 UTC (rev 22345) 
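Review bot: Nothing in the `@@ -547,8 +547,8 @@` hunk keeps the `cclass_trie` initializers within the new 8-bit `len` and `next` fields, so a later table entry above 255 would be truncated on initialization, at best with a compiler warning. The log message says the narrowing relies on the current data ranges; that assumption belongs next to the fields, for example `/* len and next are 8-bit: every cclass_trie entry must keep them <= 255 */`. Only the first rows of the table are visible in the hunk, so the claim that all existing entries fit should be checked against the full table.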
@@ -66,7 +66,8 @@ krb5-1.7 release will contain measures to encourage sites to migrate away from using single-DES cryptosystems. Among these is a configuration variable that enables "weak" enctypes, but will default -to "false" in the future. +to "false" in the future. Additional migration aids are planned for +future releases. Major changes in 1.7 -------------------- @@ -101,6 +102,7 @@ NTLM implementation. * KDC support for principal aliases, if the back end supports them. + Currently, only the LDAP back end supports aliases. * Microsoft set/change password (RFC 3244) protocol in kadmind. @@ -111,11 +113,9 @@ * Flexible Authentication Secure Tunneling (FAST), a preauthentiation framework that can protect the AS exchange from dictionary attack. -* Implement client support for GSS_C_DELEG_POLICY_FLAG, which allows a - GSS application to delegate credentials only if permitted by KDC - policy. One minor known bug, which will probably be fixed by final - release, occurs when this functionality is used with cross-realm - authentication; see RT ticket #6473. +* Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which + allows a GSS application to request credential delegation only if + permitted by KDC policy. * Fix CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847 -- various vulnerabilities in SPNEGO and ASN.1 code. @@ -123,7 +123,9 @@ Known bugs by ticket ID ----------------------- -6473 strip ok-as-delegate if not in cross-realm TGT chain +6481 kdb ldap integration removed rev/recurse kdb5_util dumps +6486 t_pac fails on SPARC Solaris +6487 gss_unwrap_iov fails in stream mode Changes by ticket ID -------------------- 
@@ -173,12 +175,14 @@ 5575 don't include time.h in CredentialsCache.h if it's not needed 5578 test commit handler 5580 provide asprintf functionality for internal use +5587 PRF for non-AES enctypes 5589 krb5 trunk no longer builds on Windows - vsnprintf implementation required 5590 gss krb5 mech enhanced error messages 5593 kadmind crash on Debian AMD64 5594 Work on compiling CCAPI test suite on Windows 5595 Problems with kpasswd and an IPv6 enviroment +5596 patch for providing a way to set the ok-as-delegate flag 5598 ccs_pipe_t needs copy and release functions 5599 Added new autogenerated file to generate-files-mac target 5600 provide more useful error message when running kpropd on command line @@ -300,7 +304,7 @@ 6120 increase rpc timeout 6121 dead code in lib/rpc/clnt_udp.c 6131 Removed argument from kipc_client_lookup_server -6133 C90 compliance +6133 don't do C99-style mixing declarations with code 6138 Switch KfM back to error tables 6140 CCAPI should use common ipc and stream code 6142 KerberosAgent dialogs jump around the screen @@ -351,6 +355,7 @@ 6201 small leak in KDC authdata plugins 6202 kadmind leaks extended error strings 6203 DELEG_POLICY_FLAG for GSS +6210 pa_sam leaks parts of krb5_sam_challenge 6211 pam_sam leaking outer krb5_data created by encode_krb5_sam_response 6214 krb5_change_set_password not freeing chpw_rep contents 6216 Free data in tests so leaks checking is easier @@ -437,7 +442,8 @@ 6393 Implement TGS authenticator subkey support 6397 use macros for config parameter strings 6398 remove obsolete GNU.ORG realm info -6400 [no subject] +6400 GSSAPI authdata extraction should merge ticket and + authenticator authdata 6401 send_as_req re-encodes the request 6402 CVE-2009-0845 SPNEGO can dereference a null pointer 6403 kdb5_ldap_util create segfaults when 
@@ -488,7 +494,18 @@ 6468 k5_utf8s_to_ucs2s could deref NULL pointer... 6469 fcc_generate_new destroys locked mutex on error 6470 Send explicit salt for SALTTYPE_NORMAL keys +6472 typo in ksu error message +6473 strip ok-as-delegate if not in cross-realm TGT chain 6474 move kadmin, ktutil, k5srvutil man pages to man1 +6475 Adding keys to malformed keytabs can infinitely extend the file +6477 make installed headers C++-safe +6478 Fix handling of RET_SEQUENCE flag in mk_priv/mk_ncred +6479 Add DEBUG_ERROR_LOCATIONS support +6480 Do not return PREAUTH_FAILED on unknown preauth +6482 Allow more than 10 past keys to be stored by a policy +6483 man1 in title header for man1 manpages +6484 work around Heimdal not using subkey in TGS-REP +6485 document ok_as_delegate in admin.texinfo Copyright and Other Legal Notices --------------------------------- Modified: branches/krb5-1-7/src/patchlevel.h =================================================================== --- branches/krb5-1-7/src/patchlevel.h 2009-05-11 23:34:56 UTC (rev 22344) +++ branches/krb5-1-7/src/patchlevel.h 2009-05-12 23:13:57 UTC (rev 22345) @@ -53,6 +53,6 @@ #define KRB5_MAJOR_RELEASE 1 #define KRB5_MINOR_RELEASE 7 #define KRB5_PATCHLEVEL 0 -#define KRB5_RELTAIL "beta1-postrelease" +#define KRB5_RELTAIL "beta2" /* #undef KRB5_RELDATE */ -#define KRB5_RELTAG "branches/krb5-1-7" +#define KRB5_RELTAG "tags/krb5-1-7-beta2" From tlyu at MIT.EDU Tue May 12 19:14:40 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 12 May 2009 19:14:40 -0400 Subject: svn rev #22346: tags/ Message-ID: <200905122314.n4CNEewK000656@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22346 Commit By: tlyu Log Message: tag krb5-1.7-beta1 Changed Files: A tags/krb5-1-7-beta2/ Copied: tags/krb5-1-7-beta2 (from rev 22345, branches/krb5-1-7) From tlyu at MIT.EDU Tue May 12 19:15:33 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 12 May 2009 19:15:33 -0400 Subject: svn rev #22347: branches/krb5-1-7/src/ Message-ID: <200905122315.n4CNFX2U000790@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22347 Commit By: tlyu Log Message: krb5-1.7-beta2-postrelease Changed Files: U branches/krb5-1-7/src/patchlevel.h Modified: branches/krb5-1-7/src/patchlevel.h =================================================================== --- branches/krb5-1-7/src/patchlevel.h 2009-05-12 23:14:39 UTC (rev 22346) +++ branches/krb5-1-7/src/patchlevel.h 2009-05-12 23:15:32 UTC (rev 22347) @@ -53,6 +53,6 @@ #define KRB5_MAJOR_RELEASE 1 #define KRB5_MINOR_RELEASE 7 #define KRB5_PATCHLEVEL 0 -#define KRB5_RELTAIL "beta2" +#define KRB5_RELTAIL "beta2-postrelease" /* #undef KRB5_RELDATE */ -#define KRB5_RELTAG "tags/krb5-1-7-beta2" +#define KRB5_RELTAG "branches/krb5-1-7" From tlyu at MIT.EDU Wed May 13 16:41:38 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Wed, 13 May 2009 16:41:38 -0400 Subject: svn rev #22348: trunk/src/util/support/ Message-ID: <200905132041.n4DKfcAB019208@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22348 Commit By: tlyu Log Message: ticket: 6486 tags: pullup target_version: 1.7 In util/support/utf8_conv.c, the SWAP16 macro is invoked with an argument that has side effects. On platforms where SWAP16 can evaluate its argument twice (including platforms where utf8_conv.c creates a fallback definition for the SWAP16 macro), this can cause a read overrun by a factor of two. Rearrange the data flow to avoid calling SWAP16 with an argument that has side effects. Changed Files: U trunk/src/util/support/utf8_conv.c Modified: trunk/src/util/support/utf8_conv.c =================================================================== --- trunk/src/util/support/utf8_conv.c 2009-05-12 23:15:32 UTC (rev 22347) +++ trunk/src/util/support/utf8_conv.c 2009-05-13 20:41:37 UTC (rev 22348) 
@@ -268,12 +268,11 @@ { while (ucs2len == -1 ? *ucs2str : --ucs2len >= 0) { /* Get UTF-8 size of next wide char */ + ch = *ucs2str++; #ifdef K5_BE if (little_endian) - ch = SWAP16(*ucs2str++); - else + ch = SWAP16(ch); #endif - ch = *ucs2str++; n = krb5int_ucs2_to_utf8(ch, NULL); if (n < 1) @@ -290,12 +289,11 @@ n = 1; /* In case of empty ucs2str */ while (ucs2len == -1 ? *ucs2str != 0 : --ucs2len >= 0) { + ch = *ucs2str++; #ifdef K5_BE if (little_endian) - ch = SWAP16(*ucs2str++); - else + ch = SWAP16(ch); #endif - ch = *ucs2str++; n = krb5int_ucs2_to_utf8(ch, p); From raeburn at MIT.EDU Wed May 13 21:18:44 2009 From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Wed, 13 May 2009 21:18:44 -0400 Subject: svn rev #22349: trunk/src/lib/krb5/os/ Message-ID: <200905140118.n4E1Iilj005509@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22349 Commit By: raeburn Log Message: remove some old code for debugging the debugging code Changed Files: U trunk/src/lib/krb5/os/sendto_kdc.c Modified: trunk/src/lib/krb5/os/sendto_kdc.c =================================================================== --- trunk/src/lib/krb5/os/sendto_kdc.c 2009-05-13 20:41:37 UTC (rev 22348) +++ trunk/src/lib/krb5/os/sendto_kdc.c 2009-05-14 01:18:43 UTC (rev 22349) @@ -133,13 +133,6 @@ if (*fmt2 == '%') break; len = fmt2 - fmt; - if (0) { - FILE *f = fopen("/dev/pts/0", "w+"); - if (f) { - fprintf(f, "krb5int_debug_fprint: format <%s> fmt2 <%s> put %lu next <%s>\n", - fmt, fmt2, (unsigned long) len, fmt+len-1); - } - } put(fmt, len); fmt += len - 1; /* then fmt++ in loop header */ continue; From ghudson at MIT.EDU Thu May 14 12:16:33 2009 
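Review bot: Neither rewritten loop records why the read into `ch` is kept separate from the swap, so a later cleanup could fold `*ucs2str++` back into `SWAP16(...)` and bring back the double read described in the log message. A one-line comment above `ch = *ucs2str++;` in both the `@@ -268,12 +268,11 @@` and `@@ -290,12 +289,11 @@` hunks would do: `/* SWAP16 may evaluate its argument twice; keep side effects out of it. */`. If the fallback SWAP16 definition in this file, which is outside the hunks, can become a static inline function, the hazard goes away at its source. Both loops sit in functions that start outside the hunks.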
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Thu, 14 May 2009 12:16:33 -0400 Subject: svn rev #22350: trunk/src/ include/ lib/krb5/unicode/ util/support/ Message-ID: <200905141616.n4EGGXbR030233@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22350 Commit By: ghudson Log Message: ticket: 6489 subject: UCS2 support doesn't handle upper half of BMP tags: pullup target_version: 1.7 Make krb5_ucs2 an unsigned type. Eliminate the need for distinguished values for ucs2 and ucs4 characters by changing the API of the single- character conversion routines. Changed Files: U trunk/src/include/k5-utf8.h U trunk/src/lib/krb5/unicode/ucstr.c U trunk/src/util/support/utf8.c Modified: trunk/src/include/k5-utf8.h =================================================================== --- trunk/src/include/k5-utf8.h 2009-05-14 01:18:43 UTC (rev 22349) +++ trunk/src/include/k5-utf8.h 2009-05-14 16:16:32 UTC (rev 22350) @@ -84,9 +84,9 @@ #endif #if INT_MAX == 0x7fff -typedef int krb5_ucs2; +typedef unsigned int krb5_ucs2; #elif SHRT_MAX == 0x7fff -typedef short krb5_ucs2; +typedef unsigned short krb5_ucs2; #else #error undefined 16 bit type #endif @@ -101,15 +101,12 @@ #error: undefined 32 bit type #endif -#define KRB5_UCS2_INVALID ((krb5_ucs2)0x8000) -#define KRB5_UCS4_INVALID ((krb5_ucs4)0x80000000) - #define KRB5_MAX_UTF8_LEN (sizeof(krb5_ucs2) * 3/2) -krb5_ucs2 krb5int_utf8_to_ucs2(const char *p); +int krb5int_utf8_to_ucs2(const char *p, krb5_ucs2 *out); size_t krb5int_ucs2_to_utf8(krb5_ucs2 c, char *buf); -krb5_ucs4 krb5int_utf8_to_ucs4(const char *p); +int krb5int_utf8_to_ucs4(const char *p, krb5_ucs4 *out); size_t krb5int_ucs4_to_utf8(krb5_ucs4 c, char *buf); int Modified: trunk/src/lib/krb5/unicode/ucstr.c =================================================================== --- trunk/src/lib/krb5/unicode/ucstr.c 2009-05-14 01:18:43 UTC (rev 22349) +++ trunk/src/lib/krb5/unicode/ucstr.c 2009-05-14 16:16:32 UTC (rev 22350) 
@@ -397,8 +397,7 @@ /* convert and normalize 1st string */ for (i = 0, ulen = 0; i < l1; i += len, ulen++) { - ucs[ulen] = krb5int_utf8_to_ucs4(s1 + i); - if (ucs[ulen] == KRB5_UCS4_INVALID) { + if (krb5int_utf8_to_ucs4(s1 + i, &ucs[ulen]) == -1) { free(ucs); return -1; /* what to do??? */ } @@ -420,8 +419,7 @@ /* convert and normalize 2nd string */ for (i = 0, ulen = 0; i < l2; i += len, ulen++) { - ucs[ulen] = krb5int_utf8_to_ucs4(s2 + i); - if (ucs[ulen] == KRB5_UCS4_INVALID) { + if (krb5int_utf8_to_ucs4(s2 + i, &ucs[ulen]) == -1) { free(ucsout1); free(ucs); return 1; /* what to do??? */ Modified: trunk/src/util/support/utf8.c =================================================================== --- trunk/src/util/support/utf8.c 2009-05-14 01:18:43 UTC (rev 22349) +++ trunk/src/util/support/utf8.c 2009-05-14 16:16:32 UTC (rev 22350) @@ -159,7 +159,11 @@ return i; } -krb5_ucs4 krb5int_utf8_to_ucs4(const char *p) +/* + * Convert a UTF8 character to a UCS4 character. Return 0 on success, + * -1 on failure. + */ +int krb5int_utf8_to_ucs4(const char *p, krb5_ucs4 *out) { const unsigned char *c = (const unsigned char *) p; krb5_ucs4 ch; @@ -167,33 +171,35 @@ static unsigned char mask[] = { 0, 0x7f, 0x1f, 0x0f, 0x07, 0x03, 0x01 }; + *out = 0; len = KRB5_UTF8_CHARLEN2(p, len); if (len == 0) - return KRB5_UCS4_INVALID; + return -1; ch = c[0] & mask[len]; for (i = 1; i < len; i++) { - if ((c[i] & 0xc0) != 0x80) { - return KRB5_UCS4_INVALID; - } + if ((c[i] & 0xc0) != 0x80) + return -1; ch <<= 6; ch |= c[i] & 0x3f; } - return ch; + *out = ch; + return 0; } -krb5_ucs2 krb5int_utf8_to_ucs2(const char *p) +int krb5int_utf8_to_ucs2(const char *p, krb5_ucs2 *out) { - krb5_ucs4 ch = krb5int_utf8_to_ucs4(p); + krb5_ucs4 ch; - if (ch == KRB5_UCS4_INVALID || ch > SHRT_MAX) - return KRB5_UCS2_INVALID; - - return (krb5_ucs2)ch; + *out = 0; + if (krb5int_utf8_to_ucs4(p, &ch) == -1 || ch > 0xFFFF) + return -1; + *out = (krb5_ucs2) ch; + return 0; } /* conv UCS-2 to UTF-8, not used */ 
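Review bot: `krb5int_utf8_to_ucs2` in the `@@ -167,33 +171,35 @@` hunk of utf8.c gets no header comment, although its contract changed in the same way as `krb5int_utf8_to_ucs4`, which did get one. I would add `/* Convert a UTF-8 character to UCS-2. Return 0 on success, -1 if the sequence is invalid or the code point is above 0xFFFF. */`. Both comments could also state that `*out` is set to 0 on failure, since callers such as the ucstr.c loops in this commit pass an element of their output array directly as `out`.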
@@ -446,10 +452,13 @@ /* like strchr() */ char *krb5int_utf8_strchr(const char *str, const char *chr) { + krb5_ucs4 chs, ch; + + if (krb5int_utf8_to_ucs4(chr, &ch) == -1) + return NULL; for ( ; *str != '\0'; KRB5_UTF8_INCR(str)) { - if (krb5int_utf8_to_ucs4(str) == krb5int_utf8_to_ucs4(chr)) { + if (krb5int_utf8_to_ucs4(str, &chs) == 0 && chs == ch) return (char *)str; - } } return NULL; @@ -458,14 +467,14 @@ /* like strcspn() but returns number of bytes, not characters */ size_t krb5int_utf8_strcspn(const char *str, const char *set) { - const char *cstr; - const char *cset; + const char *cstr, *cset; + krb5_ucs4 chstr, chset; for (cstr = str; *cstr != '\0'; KRB5_UTF8_INCR(cstr)) { for (cset = set; *cset != '\0'; KRB5_UTF8_INCR(cset)) { - if (krb5int_utf8_to_ucs4(cstr) == krb5int_utf8_to_ucs4(cset)) { + if (krb5int_utf8_to_ucs4(cstr, &chstr) == 0 + && krb5int_utf8_to_ucs4(cset, &chset) == 0 && chstr == chset) return cstr - str; - } } } @@ -475,18 +484,16 @@ /* like strspn() but returns number of bytes, not characters */ size_t krb5int_utf8_strspn(const char *str, const char *set) { - const char *cstr; - const char *cset; + const char *cstr, *cset; + krb5_ucs4 chstr, chset; for (cstr = str; *cstr != '\0'; KRB5_UTF8_INCR(cstr)) { for (cset = set; ; KRB5_UTF8_INCR(cset)) { - if (*cset == '\0') { + if (*cset == '\0') return cstr - str; - } - - if (krb5int_utf8_to_ucs4(cstr) == krb5int_utf8_to_ucs4(cset)) { + if (krb5int_utf8_to_ucs4(cstr, &chstr) == 0 + && krb5int_utf8_to_ucs4(cset, &chset) == 0 && chstr == chset) break; - } } } 
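Review bot: In `krb5int_utf8_strcspn` the inner loop decodes `cstr` again for every character of `set`, although the result cannot change within one outer iteration; `krb5int_utf8_strchr` in the previous hunk already decodes `chr` once up front. Decoding once before the inner loop is shorter and makes the handling of an invalid sequence explicit: `if (krb5int_utf8_to_ucs4(cstr, &chstr) == -1) continue;`, leaving the inner test as `krb5int_utf8_to_ucs4(cset, &chset) == 0 && chstr == chset`. The same applies to `krb5int_utf8_strpbrk` in the `@@ -496,13 +503,14 @@` hunk; in `krb5int_utf8_strspn` an undecodable `cstr` has to end the span rather than be skipped, so the guard there would be `return cstr - str;` instead of `continue`.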
@@ -496,13 +503,14 @@ /* like strpbrk(), replaces strchr() as well */ char *krb5int_utf8_strpbrk(const char *str, const char *set) { + const char *cset; + krb5_ucs4 chstr, chset; + for ( ; *str != '\0'; KRB5_UTF8_INCR(str)) { - const char *cset; - for (cset = set; *cset != '\0'; KRB5_UTF8_INCR(cset)) { - if (krb5int_utf8_to_ucs4(str) == krb5int_utf8_to_ucs4(cset)) { + if (krb5int_utf8_to_ucs4(str, &chstr) == 0 + && krb5int_utf8_to_ucs4(cset, &chset) == 0 && chstr == chset) return (char *)str; - } } } From ghudson at MIT.EDU Thu May 14 12:50:52 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Thu, 14 May 2009 12:50:52 -0400 Subject: svn rev #22351: trunk/src/lib/gssapi/krb5/ Message-ID: <200905141650.n4EGoqJq032542@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22351 Commit By: ghudson Log Message: ticket: 6488 status: open tags: pullup target_version: 1.7 gss_krb5int_export_lucid_sec_context was erroneously copying the first sizeof(void *) bytes of the context into data_set, instead of the pointer to the context. Changed Files: U trunk/src/lib/gssapi/krb5/lucid_context.c Modified: trunk/src/lib/gssapi/krb5/lucid_context.c =================================================================== --- trunk/src/lib/gssapi/krb5/lucid_context.c 2009-05-14 16:16:32 UTC (rev 22350) +++ trunk/src/lib/gssapi/krb5/lucid_context.c 2009-05-14 16:50:52 UTC (rev 22351) @@ -107,7 +107,7 @@ goto error_out; } - rep.value = lctx; + rep.value = &lctx; rep.length = sizeof(lctx); retval = generic_gss_add_buffer_set_member(minor_status, &rep, data_set); From tlyu at MIT.EDU Thu May 14 17:04:57 2009 
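Review bot: After this change the buffer added to `data_set` in lucid_context.c holds the address stored in `lctx`, not the structure, and `rep.length = sizeof(lctx)` is the size of a pointer, which a reader can easily take for the size of the context. A comment at the assignment would make the contract explicit, for example `/* Export the pointer value itself; the consumer reads a pointer out of data_set and takes over the allocation. */`. Ownership is inferred from the commit message rather than visible here, so the wording should be checked against the caller, along with whether `lctx` is released on the `error_out` path when `generic_gss_add_buffer_set_member` fails. The function begins and ends outside the hunk.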
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Thu, 14 May 2009 17:04:57 -0400 Subject: svn rev #22352: trunk/src/lib/gssapi/krb5/ Message-ID: <200905142104.n4EL4v6w019719@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22352 Commit By: tlyu Log Message: ticket: 6487 status: open Add IOV_SHIM_EXERCISE_WRAP and IOV_SHIM_EXERCISE_UNWRAP conditionals to allow finer-grained testing. Changed Files: U trunk/src/lib/gssapi/krb5/gssapi_krb5.c Modified: trunk/src/lib/gssapi/krb5/gssapi_krb5.c =================================================================== --- trunk/src/lib/gssapi/krb5/gssapi_krb5.c 2009-05-14 16:50:52 UTC (rev 22351) +++ trunk/src/lib/gssapi/krb5/gssapi_krb5.c 2009-05-14 21:04:57 UTC (rev 22352) @@ -640,11 +640,14 @@ krb5_gss_context_time, krb5_gss_get_mic, krb5_gss_verify_mic, -#ifdef IOV_SHIM_EXERCISE +#if defined(IOV_SHIM_EXERCISE_WRAP) || defined(IOV_SHIM_EXERCISE) NULL, +#else + krb5_gss_wrap, +#endif +#if defined(IOV_SHIM_EXERCISE_UNWRAP) || defined(IOV_SHIM_EXERCISE) NULL, #else - krb5_gss_wrap, krb5_gss_unwrap, #endif krb5_gss_display_status, From hartmans at MIT.EDU Mon May 18 15:08:30 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 18 May 2009 15:08:30 -0400 Subject: svn rev #22353: trunk/src/lib/gssapi/krb5/ Message-ID: <200905181908.n4IJ8Usi002348@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22353 Commit By: hartmans Log Message: Document use of key fields in GSS context The addition of etype negotiation has made the meanings of the various keys in the GSS-API context structure more complicated. Document them to aid in code understanding. Changed Files: U trunk/src/lib/gssapi/krb5/gssapiP_krb5.h Modified: trunk/src/lib/gssapi/krb5/gssapiP_krb5.h =================================================================== --- trunk/src/lib/gssapi/krb5/gssapiP_krb5.h 2009-05-14 21:04:57 UTC (rev 22352) +++ trunk/src/lib/gssapi/krb5/gssapiP_krb5.h 2009-05-18 19:08:29 UTC (rev 22353) 
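Review bot: The `NULL` entries that replace `krb5_gss_wrap` and `krb5_gss_unwrap` in the mechanism table of gssapi_krb5.c have no comment saying what a NULL slot means to the user of the table, or that the three `IOV_SHIM_EXERCISE*` macros are meant for test builds only. A build that defines one of them by accident ships a mechanism without a direct wrap or unwrap entry point, so I would add `/* Test builds only: NULL forces the IOV shim path. */` above the first `#if`; the part about the shim is inferred from the macro names and should be confirmed. The table starts and ends outside the hunk.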
@@ -185,12 +185,15 @@ unsigned char seed[16]; krb5_principal here; krb5_principal there; - krb5_keyblock *subkey; + krb5_keyblock *subkey; /*One of two potential keys to use with RFC + * 4121 packets; this key must always be set.*/ int signalg; size_t cksum_size; int sealalg; - krb5_keyblock *enc; - krb5_keyblock *seq; + krb5_keyblock *enc; /*RFC 1964 encryption key;seq xored with a + * constant for DES, + * seq for other RFC 1964 enctypes */ + krb5_keyblock *seq; /*RFC 1964 sequencing key*/ krb5_ticket_times krb_times; krb5_flags krb_flags; /* XXX these used to be signed. the old spec is inspecific, and @@ -202,10 +205,12 @@ krb5_context k5_context; krb5_auth_context auth_context; gss_OID_desc *mech_used; - /* Protocol spec revision + /* Protocol spec revision for sending packets 0 => RFC 1964 with 3DES and RC4 enhancements - 1 => draft-ietf-krb-wg-gssapi-cfx-01 - No others defined so far. */ + 1 => RFC 4121 + No others defined so far. It is always permitted to receive + tokens in RFC 4121 format. If enc is non-null, receiving RFC + 1964 tokens is permitted.*/ int proto; krb5_cksumtype cksumtype; /* for "main" subkey */ krb5_keyblock *acceptor_subkey; /* CFX only */ From hartmans at MIT.EDU Mon May 18 15:08:48 2009 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 18 May 2009 15:08:48 -0400 Subject: svn rev #22354: trunk/src/lib/gssapi/krb5/ Message-ID: <200905181908.n4IJ8mmi002394@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22354 Commit By: hartmans Log Message: ticket: 6488 target_version: 1.7 tags: pullup Copy the sequence key rather than the subkey for lucid contexts in RFC 1964 mode, so that we map to raw des enctypes rather than say des-cbc-crc. Changed Files: U trunk/src/lib/gssapi/krb5/lucid_context.c Modified: trunk/src/lib/gssapi/krb5/lucid_context.c =================================================================== --- trunk/src/lib/gssapi/krb5/lucid_context.c 2009-05-18 19:08:29 UTC (rev 22353) +++ trunk/src/lib/gssapi/krb5/lucid_context.c 2009-05-18 19:08:48 UTC (rev 22354) @@ -213,7 +213,7 @@ lctx->rfc1964_kd.sign_alg = gctx->signalg; lctx->rfc1964_kd.seal_alg = gctx->sealalg; /* Copy key */ - if ((retval = copy_keyblock_to_lucid_key(gctx->subkey, + if ((retval = copy_keyblock_to_lucid_key(gctx->seq, &lctx->rfc1964_kd.ctx_key))) goto error_out; } From hartmans at MIT.EDU Mon May 18 19:28:54 2009 From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Mon, 18 May 2009 19:28:54 -0400 Subject: svn rev #22355: trunk/src/lib/crypto/arcfour/ Message-ID: <200905182328.n4INSruS021355@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22355 Commit By: hartmans Log Message: ticket: 6490 status: open In practice, key usage 9 requires no translation. Changed Files: U trunk/src/lib/crypto/arcfour/arcfour.c Modified: trunk/src/lib/crypto/arcfour/arcfour.c =================================================================== --- trunk/src/lib/crypto/arcfour/arcfour.c 2009-05-18 19:08:48 UTC (rev 22354) +++ trunk/src/lib/crypto/arcfour/arcfour.c 2009-05-18 23:28:53 UTC (rev 22355) 
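Review bot: `copy_keyblock_to_lucid_key(gctx->seq, ...)` in lucid_context.c is called without a check that `gctx->seq` is set. The field comments added to gssapiP_krb5.h in r22353 promise only that `subkey` is always set and say nothing of the kind for `seq`. If `seq` can be NULL on this RFC 1964 path, a guard such as `if (gctx->seq == NULL) { retval = EINVAL; goto error_out; }` before the copy would turn a possible NULL dereference into an error return; whether the helper already handles NULL is not visible. The function begins and ends outside the hunk.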
@@ -47,7 +47,7 @@ case 8: return 8; case 9: /* tgs-rep encrypted with subkey */ - return 8; + return 9; case 10: /* ap-rep authentication cksum */ return 10; /* xxx Microsoft never uses this*/ case 11: /* app-req authenticator */ From ghudson at MIT.EDU Tue May 19 19:17:50 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Tue, 19 May 2009 19:17:50 -0400 Subject: svn rev #22356: trunk/src/lib/krb5/krb/ Message-ID: <200905192317.n4JNHoh9026049@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22356 Commit By: ghudson Log Message: ticket: 6490 status: open tags: pullup When using keyed checksum types with TGS subkeys, Microsoft AD 2003 verifies the checksum using the subkey, whereas MIT and Heimdal verify it using the TGS session key. (RFC 4120 is actually silent on which is correct; RFC 4757 specifies the TGS session key.) To sidestep this interop issue, don't use keyed checksum types with RC4 keys without explicit configuration in krb5.conf. Using keyed checksum types with AES is fine since, experimentally, AD 2008 accepts checksums keyed with the TGS session key. Changed Files: U trunk/src/lib/krb5/krb/send_tgs.c Modified: trunk/src/lib/krb5/krb/send_tgs.c =================================================================== --- trunk/src/lib/krb5/krb/send_tgs.c 2009-05-18 23:28:53 UTC (rev 22355) +++ trunk/src/lib/krb5/krb/send_tgs.c 2009-05-19 23:17:49 UTC (rev 22356) @@ -68,6 +68,8 @@ case ENCTYPE_DES_CBC_CRC: case ENCTYPE_DES_CBC_MD4: case ENCTYPE_DES_CBC_MD5: + case ENCTYPE_ARCFOUR_HMAC: + case ENCTYPE_ARCFOUR_HMAC_EXP: cksumtype = context->kdc_req_sumtype; break; default: From ghudson at MIT.EDU Tue May 19 22:05:53 2009 
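Review bot: The comment on `case 9:` in arcfour.c still reads only `tgs-rep encrypted with subkey` and gives no reason for returning 9, although RFC 4757 specifies 8 here according to the code comment added in r22357 further down the page. Without that, the next reader is likely to change the value back to the RFC one. I would write `case 9: /* tgs-rep encrypted with subkey; RFC 4757 says 8, MS KDCs use 9 */`. At this revision nothing in the hunk falls back to 8 on the decrypt side, so replies from a KDC that follows the RFC would fail the integrity check until such a fallback exists. The switch begins and ends outside the hunk.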
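Review bot: The two `ENCTYPE_ARCFOUR_HMAC*` labels added to the switch in send_tgs.c carry no comment, so the code gives no hint that RC4 keys are deliberately grouped with single DES to avoid a keyed checksum. That matters for review because the request checksum for RC4 keys is now whatever `context->kdc_req_sumtype` holds; if that is an unkeyed type, the checksum by itself no longer proves knowledge of the key. A comment above the new labels such as `/* RC4: AD 2003 verifies keyed checksums with the subkey; use the configured type (ticket 6490). */` would keep the reason next to the code. The switch begins and ends outside the hunk.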
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Tue, 19 May 2009 22:05:53 -0400 Subject: svn rev #22357: trunk/src/lib/crypto/ arcfour/ Message-ID: <200905200205.n4K25rH6005512@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22357 Commit By: ghudson Log Message: ticket: 6490 Restore compatibility with KDCs using key usage 8 to encrypt TGS replies in a subkey, by implementing a fallback in krb5_arcfour_decrypt. Changed Files: U trunk/src/lib/crypto/arcfour/arcfour.c U trunk/src/lib/crypto/t_encrypt.c Modified: trunk/src/lib/crypto/arcfour/arcfour.c =================================================================== --- trunk/src/lib/crypto/arcfour/arcfour.c 2009-05-19 23:17:49 UTC (rev 22356) +++ trunk/src/lib/crypto/arcfour/arcfour.c 2009-05-20 02:05:53 UTC (rev 22357) 
@@ -252,41 +252,58 @@ checksum.length=hashsize; checksum.data=input->data; - /* compute the salt */ ms_usage=krb5int_arcfour_translate_usage(usage); - if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) { - strncpy(salt.data, krb5int_arcfour_l40, salt.length); - store_32_le(ms_usage, salt.data+10); - } else { - salt.length=4; - store_32_le(ms_usage, salt.data); - } - ret=krb5_hmac(hash, key, 1, &salt, &d1); - if (ret) - goto cleanup; - memcpy(k2.contents, k1.contents, k2.length); + /* We may have to try two ms_usage values; see below. */ + do { + /* compute the salt */ + if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) { + strncpy(salt.data, krb5int_arcfour_l40, salt.length); + store_32_le(ms_usage, salt.data + 10); + } else { + salt.length = 4; + store_32_le(ms_usage, salt.data); + } + ret = krb5_hmac(hash, key, 1, &salt, &d1); + if (ret) + goto cleanup; - if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) - memset(k1.contents+7, 0xab, 9); + memcpy(k2.contents, k1.contents, k2.length); + + if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) + memset(k1.contents + 7, 0xab, 9); - ret = krb5_hmac(hash, &k1, 1, &checksum, &d3); - if (ret) - goto cleanup; + ret = krb5_hmac(hash, &k1, 1, &checksum, &d3); + if (ret) + goto cleanup; - ret=(*(enc->decrypt))(&k3, ivec, &ciphertext, &plaintext); - if (ret) - goto cleanup; + ret = (*(enc->decrypt))(&k3, ivec, &ciphertext, &plaintext); + if (ret) + goto cleanup; - ret=krb5_hmac(hash, &k2, 1, &plaintext, &d1); - if (ret) - goto cleanup; + ret = krb5_hmac(hash, &k2, 1, &plaintext, &d1); + if (ret) + goto cleanup; - if (memcmp(checksum.data, d1.data, hashsize) != 0) { - ret=KRB5KRB_AP_ERR_BAD_INTEGRITY; - goto cleanup; - } + if (memcmp(checksum.data, d1.data, hashsize) != 0) { + if (ms_usage == 9) { + /* + * RFC 4757 specifies usage 8 for TGS-REP encrypted + * parts encrypted in a subkey, but the value used by MS + * is actually 9. 
We now use 9 to start with, but fall + * back to 8 on failure in case we are communicating + * with a KDC using the value from the RFC. + */ + ms_usage = 8; + continue; + } + ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; + goto cleanup; + } + break; + } while (1); + memcpy(output->data, plaintext.data+CONFOUNDERLENGTH, (plaintext.length-CONFOUNDERLENGTH)); output->length=plaintext.length-CONFOUNDERLENGTH; Modified: trunk/src/lib/crypto/t_encrypt.c =================================================================== --- trunk/src/lib/crypto/t_encrypt.c 2009-05-19 23:17:49 UTC (rev 22356) +++ trunk/src/lib/crypto/t_encrypt.c 2009-05-20 02:05:53 UTC (rev 22357) @@ -47,14 +47,17 @@ 0 }; -#define test(msg, exp) \ -printf ("%s: . . . ", msg); \ -retval = (exp);\ -if( retval) { \ - printf( "Failed: %s\n", error_message(retval)); \ - abort(); \ -} else printf ("OK\n"); - +static void +test(const char *msg, krb5_error_code retval) +{ + printf("%s: . . . ", msg); + if (retval) { + printf("Failed: %s\n", error_message(retval)); + abort(); + } else + printf("OK\n"); +} + static int compare_results(krb5_data *d1, krb5_data *d2) { if (d1->length != d2->length) { @@ -186,6 +189,21 @@ krb5_free_keyblock (context, key); } + /* Test the RC4 decrypt fallback from key usage 9 to 8. */ + test ("Initializing an RC4 keyblock", + krb5_init_keyblock (context, ENCTYPE_ARCFOUR_HMAC, 0, &key)); + test ("Generating random RC4 key", + krb5_c_make_random_key (context, ENCTYPE_ARCFOUR_HMAC, key)); + enc_out.ciphertext = out; + krb5_c_encrypt_length (context, key->enctype, in.length, &len); + enc_out.ciphertext.length = len; + check.length = 2048; + test ("Encrypting with RC4 key usage 8", + krb5_c_encrypt (context, key, 8, 0, &in, &enc_out)); + test ("Decrypting with RC4 key usage 9", + krb5_c_decrypt (context, key, 9, 0, &enc_out, &check)); + test ("Comparing", compare_results (&in, &check)); + free(out.data); free(out2.data); free(check.data); From ghudson at MIT.EDU Wed May 20 13:44:38 2009 
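Review bot: The retry in the arcfour.c decrypt hunk accepts a ciphertext made with usage 8 whenever usage 9 was requested, so for RC4 the two key usages are no longer kept apart on the receiving side; the comment at `ms_usage = 8;` explains the interop reason but not this consequence. I would add a line to it, `Accepting 8 here gives up 8/9 separation on decrypt; keep the fallback limited to this usage.` The second pass also hands the same `ivec` to `enc->decrypt`; if that call updates `ivec`, the retry starts from state left by the failed attempt, which is worth confirming. The `memcmp` on the HMAC output is not a constant-time comparison, which is the usual recommendation for an integrity check. The function begins and ends outside the hunk.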
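Review bot: The new RC4 case in t_encrypt.c checks only that a usage-8 ciphertext decrypts under usage 9; there is no check that a damaged ciphertext is still rejected after both attempts in the fallback. A second case that alters one byte of `enc_out.ciphertext.data` and expects `krb5_c_decrypt` to return non-zero would cover it; it has to compare the return value directly, because `test()` aborts on any non-zero result. The return value of `krb5_c_encrypt_length` is also ignored in the added lines, and no `krb5_free_keyblock (context, key);` for the new key is visible before the `free()` calls, though the function continues outside the hunk.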
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Wed, 20 May 2009 13:44:38 -0400 Subject: svn rev #22358: trunk/src/kdc/ Message-ID: <200905201744.n4KHicbo012791@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22358 Commit By: ghudson Log Message: Add a comment to the r22168 change since it's not obvious why we're decrypting authdata that way. Changed Files: U trunk/src/kdc/kdc_authdata.c Modified: trunk/src/kdc/kdc_authdata.c =================================================================== --- trunk/src/kdc/kdc_authdata.c 2009-05-20 02:05:53 UTC (rev 22357) +++ trunk/src/kdc/kdc_authdata.c 2009-05-20 17:44:37 UTC (rev 22358) @@ -398,6 +398,17 @@ if (scratch.data == NULL) return ENOMEM; + /* + * RFC 4120 requires authdata in the TGS body to be encrypted in + * the subkey with usage 5 if a subkey is present, and in the TGS + * session key with key usage 4 if it is not. Prior to krb5 1.7, + * we got this wrong, always decrypting the authorization data + * with the TGS session key and usage 4. For the sake of + * conservatism, try the decryption the old way (wrong if + * client_key is a subkey) first, and then try again the right way + * (in the case where client_key is a subkey) if the first way + * fails. + */ code = krb5_c_decrypt(context, enc_tkt_request->session, KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY, From hartmans at MIT.EDU Wed May 20 14:06:29 2009 
From: hartmans at MIT.EDU (hartmans@MIT.EDU) Date: Wed, 20 May 2009 14:06:29 -0400 Subject: svn rev #22359: trunk/src/lib/crypto/ Message-ID: <200905201806.n4KI6TVh014450@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22359 Commit By: hartmans Log Message: Include regression test for krb-fx-cf2 for RC4 enctype. Changed Files: U trunk/src/lib/crypto/t_cf2.comments U trunk/src/lib/crypto/t_cf2.expected U trunk/src/lib/crypto/t_cf2.in Modified: trunk/src/lib/crypto/t_cf2.comments =================================================================== --- trunk/src/lib/crypto/t_cf2.comments 2009-05-20 17:44:37 UTC (rev 22358) +++ trunk/src/lib/crypto/t_cf2.comments 2009-05-20 18:06:29 UTC (rev 22359) @@ -3,3 +3,4 @@ The second test mirrors the following four tests in t_prf.in. The third and fourth tests are simple tests of the DES and 3DES PRF. +The fifth test is the same simple test for RC4. Modified: trunk/src/lib/crypto/t_cf2.expected =================================================================== --- trunk/src/lib/crypto/t_cf2.expected 2009-05-20 17:44:37 UTC (rev 22358) +++ trunk/src/lib/crypto/t_cf2.expected 2009-05-20 18:06:29 UTC (rev 22359) @@ -2,3 +2,4 @@ 4d6ca4e629785c1f01baf55e2e548566b9617ae3a96868c337cb93b5e72b1c7b 43bae3738c9467e6 e58f9eb643862c13ad38e529313462a7f73e62834fe54a01 +24d7f6b6bae4e5c00d2082c5ebab3672 Modified: trunk/src/lib/crypto/t_cf2.in =================================================================== --- trunk/src/lib/crypto/t_cf2.in 2009-05-20 17:44:37 UTC (rev 22358) +++ trunk/src/lib/crypto/t_cf2.in 2009-05-20 18:06:29 UTC (rev 22359) @@ -18,3 +18,8 @@ key2 a b +23 +key1 +key2 +a +b From ghudson at MIT.EDU Fri May 22 10:08:26 2009 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Fri, 22 May 2009 10:08:26 -0400 Subject: svn rev #22360: trunk/src/kdc/ Message-ID: <200905221408.n4ME8QSN006132@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22360 Commit By: ghudson Log Message: ticket: 6492 subject: Remove spurious assertion in handle_authdata tags: pullup target_version: 1.7 In handle_authdata in the KDC, remove a spurious assertion (added in r21566 on the mskrb-integ branch) that authdata starts out empty. authdata can be legitimately added by check_padata, which precedes handle_authdata, and this happens with pkinit. Changed Files: U trunk/src/kdc/kdc_authdata.c Modified: trunk/src/kdc/kdc_authdata.c =================================================================== --- trunk/src/kdc/kdc_authdata.c 2009-05-20 18:06:29 UTC (rev 22359) +++ trunk/src/kdc/kdc_authdata.c 2009-05-22 14:08:25 UTC (rev 22360) @@ -585,7 +585,6 @@ krb5_error_code code = 0; int i; - assert(enc_tkt_reply->authorization_data == NULL); for (i = 0; i < n_authdata_systems; i++) { const krb5_authdata_systems *asys = &authdata_systems[i]; From raeburn at MIT.EDU Fri May 22 10:12:18 2009 From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Fri, 22 May 2009 10:12:18 -0400 Subject: svn rev #22361: trunk/src/lib/gssapi/spnego/ Message-ID: <200905221412.n4MECIVK006497@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22361 Commit By: raeburn Log Message: fix minor syntax error Changed Files: U trunk/src/lib/gssapi/spnego/spnego_mech.c Modified: trunk/src/lib/gssapi/spnego/spnego_mech.c =================================================================== --- trunk/src/lib/gssapi/spnego/spnego_mech.c 2009-05-22 14:08:25 UTC (rev 22360) +++ trunk/src/lib/gssapi/spnego/spnego_mech.c 2009-05-22 14:12:17 UTC (rev 22361) 
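Review bot: With the assertion removed from `handle_authdata` in kdc_authdata.c, `enc_tkt_reply->authorization_data` may be non-NULL on entry, so each handler called from the loop has to merge into the existing list rather than assign over it; the loop body is outside the hunk, so this cannot be confirmed here. An overwrite would drop the entries added earlier and leak their storage. A comment in place of the removed line would record the new precondition, for example `/* authorization_data may already hold entries added by check_padata (e.g. pkinit). */`.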
@@ -283,7 +283,7 @@ MAKE_INIT_FUNCTION(gss_krb5int_lib_init); MAKE_FINI_FUNCTION(gss_krb5int_lib_fini); -int gss_krb5int_lib_init(void) +int gss_krb5int_lib_init(void); #endif /* _GSS_STATIC_LINK */ int gss_spnegoint_lib_init(void) From raeburn at MIT.EDU Fri May 22 10:31:28 2009 From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Fri, 22 May 2009 10:31:28 -0400 Subject: svn rev #22362: trunk/src/lib/krb5/os/ Message-ID: <200905221431.n4MEVS4X007836@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22362 Commit By: raeburn Log Message: make prompt string vars point to const Changed Files: U trunk/src/lib/krb5/os/osconfig.c Modified: trunk/src/lib/krb5/os/osconfig.c =================================================================== --- trunk/src/lib/krb5/os/osconfig.c 2009-05-22 14:12:17 UTC (rev 22361) +++ trunk/src/lib/krb5/os/osconfig.c 2009-05-22 14:31:28 UTC (rev 22362) @@ -41,6 +41,6 @@ unsigned int krb5_skdc_timeout_shift = SKDC_TIMEOUT_SHIFT; unsigned int krb5_skdc_timeout_1 = SKDC_TIMEOUT_1; -char *krb5_default_pwd_prompt1 = DEFAULT_PWD_STRING1; -char *krb5_default_pwd_prompt2 = DEFAULT_PWD_STRING2; +const char *krb5_default_pwd_prompt1 = DEFAULT_PWD_STRING1; +const char *krb5_default_pwd_prompt2 = DEFAULT_PWD_STRING2; From raeburn at MIT.EDU Fri May 22 13:19:38 2009 From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Fri, 22 May 2009 13:19:38 -0400 Subject: svn rev #22363: trunk/src/lib/krb5/krb/ Message-ID: <200905221719.n4MHJcVD019716@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22363 Commit By: raeburn Log Message: Use printf format attribute only with gcc. Changed Files: U trunk/src/lib/krb5/krb/t_pac.c U trunk/src/lib/krb5/krb/t_princ.c Modified: trunk/src/lib/krb5/krb/t_pac.c =================================================================== --- trunk/src/lib/krb5/krb/t_pac.c 2009-05-22 14:31:28 UTC (rev 22362) +++ trunk/src/lib/krb5/krb/t_pac.c 2009-05-22 17:19:37 UTC (rev 22363) 
@@ -96,8 +96,10 @@ static time_t authtime = 1120440609; static const char *user = "w2003final$@WIN2K3.THINKER.LOCAL"; +#if !defined(__cplusplus) && (__GNUC__ > 2) static void err(krb5_context ctx, krb5_error_code code, const char *fmt, ...) __attribute__((__format__(__printf__, 3, 0))); +#endif static void err(krb5_context ctx, krb5_error_code code, const char *fmt, ...) Modified: trunk/src/lib/krb5/krb/t_princ.c =================================================================== --- trunk/src/lib/krb5/krb/t_princ.c 2009-05-22 14:31:28 UTC (rev 22362) +++ trunk/src/lib/krb5/krb/t_princ.c 2009-05-22 17:19:37 UTC (rev 22363) @@ -38,8 +38,10 @@ * there when it's destroyed. */ +#if !defined(__cplusplus) && (__GNUC__ > 2) static void err(krb5_context ctx, krb5_error_code code, const char *fmt, ...) __attribute__((__format__(__printf__, 3, 0))); +#endif static void err(krb5_context ctx, krb5_error_code code, const char *fmt, ...) From raeburn at MIT.EDU Fri May 22 13:20:15 2009 From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Fri, 22 May 2009 13:20:15 -0400 Subject: svn rev #22364: trunk/src/lib/crypto/ Message-ID: <200905221720.n4MHKFvt019845@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22364 Commit By: raeburn Log Message: Use correct type for krb5_c_prf_length length arg. Changed Files: U trunk/src/lib/crypto/t_prf.c Modified: trunk/src/lib/crypto/t_prf.c =================================================================== --- trunk/src/lib/crypto/t_prf.c 2009-05-22 17:19:37 UTC (rev 22363) +++ trunk/src/lib/crypto/t_prf.c 2009-05-22 17:20:15 UTC (rev 22364) 
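Review bot: The prototype of `err` in t_pac.c, now wrapped in the `__GNUC__` guard, uses `__format__(__printf__, 3, 0)`, and a third argument of 0 tells GCC not to check the variadic arguments against the format string. Since `err` takes `...` directly after `fmt`, `__attribute__((__format__(__printf__, 3, 4)))` would enable that check; 0 is the form for functions that take a `va_list`. The t_princ.c hunk on this line has the same prototype and the same fix.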
@@ -23,13 +23,14 @@ * this software for any purpose. It is provided "as is" without express * or implied warranty. * - * This file contains tests for the PRF code in Kerberos. IT reads - *an input file, and writes an output file. It is assumed that the - *output file will be diffed against expected output to see whether - *regression tests pass. The input file is a very primitive format. - *It includes an enctype and to be string2keyed followed by a number of bytes of input - *length, followed by that many bytes of input. The program outputs - *krb5_c_prf of that input and key as a hex string. + * This file contains tests for the PRF code in Kerberos. IT reads an + * input file, and writes an output file. It is assumed that the + * output file will be diffed against expected output to see whether + * regression tests pass. The input file is a very primitive format. + * It includes an enctype and password to be string2keyed followed by + * a number of bytes of input length, followed by that many bytes of + * input. The program outputs krb5_c_prf of that input and key as a + * hex string. */ #include "k5-int.h" @@ -39,7 +40,7 @@ krb5_data input, output; krb5_keyblock *key = NULL; unsigned int in_length; - unsigned int i; + size_t i; while (1) { krb5_enctype enctype; char s[1025]; From raeburn at MIT.EDU Fri May 22 13:22:07 2009 From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Fri, 22 May 2009 13:22:07 -0400 Subject: svn rev #22365: trunk/src/ Message-ID: <200905221722.n4MHM7EO020037@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22365 Commit By: raeburn Log Message: Make Sun cc error out on unknown attributes. Changed Files: U trunk/src/aclocal.m4 Modified: trunk/src/aclocal.m4 =================================================================== --- trunk/src/aclocal.m4 2009-05-22 17:20:15 UTC (rev 22364) +++ trunk/src/aclocal.m4 2009-05-22 17:22:07 UTC (rev 22365) 
@@ -664,7 +664,7 @@ # works, but it also means that declaration-in-code warnings won't # be issued. # -v -fd -errwarn=E_DECLARATION_IN_CODE ... - WARN_CFLAGS="-errtags=yes -errwarn=E_BAD_PTR_INT_COMBINATION,E_BAD_PTR_INT_COMB_ARG,E_PTR_TO_VOID_IN_ARITHMETIC,E_NO_IMPLICIT_DECL_ALLOWED" + WARN_CFLAGS="-errtags=yes -errwarn=E_BAD_PTR_INT_COMBINATION,E_BAD_PTR_INT_COMB_ARG,E_PTR_TO_VOID_IN_ARITHMETIC,E_NO_IMPLICIT_DECL_ALLOWED,E_ATTRIBUTE_PARAM_UNDEFINED" WARN_CXXFLAGS="-errtags=yes +w +w2 -xport64" fi fi From raeburn at MIT.EDU Fri May 22 13:31:09 2009 From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Fri, 22 May 2009 13:31:09 -0400 Subject: svn rev #22366: trunk/src/lib/crypto/ Message-ID: <200905221731.n4MHV9tA020660@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22366 Commit By: raeburn Log Message: whitespace Changed Files: U trunk/src/lib/crypto/prf.c Modified: trunk/src/lib/crypto/prf.c =================================================================== --- trunk/src/lib/crypto/prf.c 2009-05-22 17:22:07 UTC (rev 22365) +++ trunk/src/lib/crypto/prf.c 2009-05-22 17:31:09 UTC (rev 22366) @@ -58,7 +58,7 @@ krb5_error_code KRB5_CALLCONV krb5_c_prf(krb5_context context, const krb5_keyblock *key, -krb5_data *input, krb5_data *output) + krb5_data *input, krb5_data *output) { int i; size_t len; @@ -78,9 +78,9 @@ if (!krb5_enctypes_list[i].prf) return (KRB5_CRYPTO_INTERNAL); krb5_c_prf_length (context, key->enctype, &len); - if( len != output->length) + if (len != output->length) return (KRB5_CRYPTO_INTERNAL); - return((*(krb5_enctypes_list[i].prf)) + return((*(krb5_enctypes_list[i].prf)) (krb5_enctypes_list[i].enc, krb5_enctypes_list[i].hash, key, input, output)); } From ghudson at MIT.EDU Fri May 22 20:09:58 2009 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Fri, 22 May 2009 20:09:58 -0400 Subject: svn rev #22367: trunk/src/lib/krb5/keytab/ Message-ID: <200905230009.n4N09wps023292@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22367 Commit By: ghudson Log Message: In krb5_ktfileint_write_entry, add a no-op fseek in between reading EOF and writing the placeholder length field. Otherwise we can run into an apparent bug in the Solaris 10 stdio library which causes the next no-op fseek after the fwrite to fail with EINVAL. Changed Files: U trunk/src/lib/krb5/keytab/kt_file.c Modified: trunk/src/lib/krb5/keytab/kt_file.c =================================================================== --- trunk/src/lib/krb5/keytab/kt_file.c 2009-05-22 17:31:09 UTC (rev 22366) +++ trunk/src/lib/krb5/keytab/kt_file.c 2009-05-23 00:09:58 UTC (rev 22367) @@ -1659,6 +1659,9 @@ return errno; if (!fread(&size, sizeof(size), 1, fp)) { /* Hit the end of file, reserve this slot. */ + /* Necessary to avoid a later fseek failing on Solaris 10. */ + if (fseek(fp, 0, SEEK_CUR)) + return errno; /* htonl(0) is 0, so no need to worry about byte order */ size = 0; if (!fwrite(&size, sizeof(size), 1, fp)) From ghudson at MIT.EDU Sat May 23 20:48:32 2009 
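Review bot: The added `fseek` in kt_file.c sits in the branch taken when `fread` returns 0, and that branch is also reached on a read error or a short read, not only at end of file. A test at the top of the branch, `if (ferror(fp)) return errno;`, would keep an I/O error from being handled as an empty slot that is then written; whether a partial trailing record needs separate handling depends on code outside the hunk. The function begins and ends outside the hunk.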
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Sat, 23 May 2009 20:48:32 -0400 Subject: svn rev #22368: trunk/src/lib/krb5/krb/ Message-ID: <200905240048.n4O0mWc3004766@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22368 Commit By: ghudson Log Message: ticket: 6495 subject: Fix test rules for non-gmake make versions target_version: 1.7 tags: pullup The build rules for the new t_ad_fx_armor and t_authdata test programs used $<, which is only portable for implicit rules (but is valid in gmake for all rules). Stop using $< in those rules so that "make check" works with System V make. Changed Files: U trunk/src/lib/krb5/krb/Makefile.in Modified: trunk/src/lib/krb5/krb/Makefile.in =================================================================== --- trunk/src/lib/krb5/krb/Makefile.in 2009-05-23 00:09:58 UTC (rev 22367) +++ trunk/src/lib/krb5/krb/Makefile.in 2009-05-24 00:48:31 UTC (rev 22368) @@ -319,10 +319,10 @@ t_walk_rtree: $(T_WALK_RTREE_OBJS) $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o t_walk_rtree $(T_WALK_RTREE_OBJS) $(KRB5_BASE_LIBS) t_ad_fx_armor: t_ad_fx_armor.o - $(CC_LINK) -o $@ $< $(KRB5_BASE_LIBS) + $(CC_LINK) -o $@ t_ad_fx_armor.o $(KRB5_BASE_LIBS) t_authdata: t_authdata.o copy_auth.o - $(CC_LINK) -o $@ $< copy_auth.o $(KRB5_BASE_LIBS) + $(CC_LINK) -o $@ t_authdata.o copy_auth.o $(KRB5_BASE_LIBS) t_kerb: $(T_KERB_OBJS) $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o t_kerb $(T_KERB_OBJS) $(KRB5_BASE_LIBS) From ghudson at MIT.EDU Sun May 24 11:53:51 2009 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Sun, 24 May 2009 11:53:51 -0400 Subject: svn rev #22369: trunk/src/kdc/ Message-ID: <200905241553.n4OFrptP021036@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22369 Commit By: ghudson Log Message: ticket: 6496 subject: Fix vector initialization error in KDC preauth code target_version: 1.7 tags: pullup In the KDC, get_preauth_hint_list had two bugs initializing the preauth array. It was allocating 21 extra entries instead of two due to a typo (harmless), and it was only zeroing up through one extra entry (harmful). Adjust the code to use calloc to avoid further disagreements of this nature. Changed Files: U trunk/src/kdc/kdc_preauth.c Modified: trunk/src/kdc/kdc_preauth.c =================================================================== --- trunk/src/kdc/kdc_preauth.c 2009-05-24 00:48:31 UTC (rev 22368) +++ trunk/src/kdc/kdc_preauth.c 2009-05-24 15:53:51 UTC (rev 22369) @@ -972,11 +972,10 @@ e_data->data = 0; hw_only = isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH); - /* Allocate 1 entry for the terminator and one for the cookie*/ - pa_data = malloc(sizeof(krb5_pa_data *) * (n_preauth_systems+21)); + /* Allocate two extra entries for the cookie and the terminator. */ + pa_data = calloc(n_preauth_systems + 2, sizeof(krb5_pa_data *)); if (pa_data == 0) return; - memset(pa_data, 0, sizeof(krb5_pa_data *) * (n_preauth_systems+1)); pa = pa_data; for (ap = preauth_systems; ap->type != -1; ap++) { From raeburn at MIT.EDU Sun May 24 15:58:47 2009 
From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Sun, 24 May 2009 15:58:47 -0400 Subject: svn rev #22370: trunk/src/ Message-ID: <200905241958.n4OJwlIe005795@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22370 Commit By: raeburn Log Message: If --enable-pkinit is explicitly given, and OpenSSL is too old, error out instead of ignoring the option and disabling pkinit. Changed Files: U trunk/src/configure.in Modified: trunk/src/configure.in =================================================================== --- trunk/src/configure.in 2009-05-24 15:53:51 UTC (rev 22369) +++ trunk/src/configure.in 2009-05-24 19:58:47 UTC (rev 22370) @@ -884,8 +884,8 @@ dnl for pkinit AC_ARG_ENABLE([pkinit], [ --disable-pkinit disable PKINIT plugin support],, -enable_pkinit=yes) -if test "$enable_pkinit" = yes; then +enable_pkinit=try) +if test "$enable_pkinit" = yes || test "$enable_pkinit" = try; then AC_CACHE_CHECK(for a recent enough OpenSSL, k5_cv_openssl_version_okay, [AC_COMPILE_IFELSE([#include #if OPENSSL_VERSION_NUMBER < 0x00908000L @@ -897,8 +897,10 @@ AC_CHECK_LIB(crypto, PKCS7_get_signer_info) LIBS="$old_LIBS" fi -if test "$k5_cv_openssl_version_okay" = yes && test "$enable_pkinit" = yes; then +if test "$k5_cv_openssl_version_okay" = yes && (test "$enable_pkinit" = yes || test "$enable_pkinit" = try); then K5_GEN_MAKEFILE(plugins/preauth/pkinit) +elif test "$k5_cv_openssl_version_okay" = no && test "$enable_pkinit" = yes; then + AC_MSG_ERROR([Version of OpenSSL is too old; cannot enable PKINIT.]) else AC_DEFINE([DISABLE_PKINIT], 1, [Define to disable PKINIT plugin support]) AC_MSG_NOTICE([Disabling PKINIT support.]) From tlyu at MIT.EDU Sun May 24 18:50:18 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Sun, 24 May 2009 18:50:18 -0400 Subject: svn rev #22371: branches/krb5-1-7/src/util/support/ Message-ID: <200905242250.n4OMoIVt017754@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22371 Commit By: tlyu Log Message: ticket: 6486 version_fixed: 1.7 pull up r22348 from trunk ------------------------------------------------------------------------ r22348 | tlyu | 2009-05-13 22:41:37 +0200 (Wed, 13 May 2009) | 13 lines ticket: 6486 tags: pullup target_version: 1.7 In util/support/utf8_conv.c, the SWAP16 macro is invoked with an argument that has side effects. On platforms where SWAP16 can evaluate its argument twice (including platforms where utf8_conv.c creates a fallback definition for the SWAP16 macro), this can cause a read overrun by a factor of two. Rearrange the data flow to avoid calling SWAP16 with an argument that has side effects. Changed Files: U branches/krb5-1-7/src/util/support/utf8_conv.c Modified: branches/krb5-1-7/src/util/support/utf8_conv.c =================================================================== --- branches/krb5-1-7/src/util/support/utf8_conv.c 2009-05-24 19:58:47 UTC (rev 22370) +++ branches/krb5-1-7/src/util/support/utf8_conv.c 2009-05-24 22:50:17 UTC (rev 22371) @@ -267,12 +267,11 @@ { while (ucs2len == -1 ? *ucs2str : --ucs2len >= 0) { /* Get UTF-8 size of next wide char */ + ch = *ucs2str++; #ifdef K5_BE if (little_endian) - ch = SWAP16(*ucs2str++); - else + ch = SWAP16(ch); #endif - ch = *ucs2str++; n = krb5int_ucs2_to_utf8(ch, NULL); if (n < 1) @@ -289,12 +288,11 @@ n = 1; /* In case of empty ucs2str */ while (ucs2len == -1 ? *ucs2str != 0 : --ucs2len >= 0) { + ch = *ucs2str++; #ifdef K5_BE if (little_endian) - ch = SWAP16(*ucs2str++); - else + ch = SWAP16(ch); #endif - ch = *ucs2str++; n = krb5int_ucs2_to_utf8(ch, p); From tlyu at MIT.EDU Sun May 24 18:50:30 2009 
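Review bot: Nothing at the new `ch = *ucs2str++;` line in utf8_conv.c records why the read was moved out of the `SWAP16` call, so a later cleanup could fold it back in and reintroduce the double evaluation described in the log message. A one-line comment there, `/* Read first: SWAP16 may evaluate its argument more than once. */`, would prevent that; the second hunk of this file on the same line needs the same comment. Both loops are in functions that begin and end outside the hunks.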
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Sun, 24 May 2009 18:50:30 -0400 Subject: svn rev #22372: branches/krb5-1-7/src/ include/ lib/krb5/unicode/ util/support/ Message-ID: <200905242250.n4OMoUn5017794@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22372 Commit By: tlyu Log Message: ticket: 6489 version_fixed: 1.7 pull up r22350 from trunk ------------------------------------------------------------------------ r22350 | ghudson | 2009-05-14 18:16:32 +0200 (Thu, 14 May 2009) | 9 lines ticket: 6489 subject: UCS2 support doesn't handle upper half of BMP tags: pullup target_version: 1.7 Make krb5_ucs2 an unsigned type. Eliminate the need for distinguished values for ucs2 and ucs4 characters by changing the API of the single- character conversion routines. Changed Files: U branches/krb5-1-7/src/include/k5-utf8.h U branches/krb5-1-7/src/lib/krb5/unicode/ucstr.c U branches/krb5-1-7/src/util/support/utf8.c Modified: branches/krb5-1-7/src/include/k5-utf8.h =================================================================== --- branches/krb5-1-7/src/include/k5-utf8.h 2009-05-24 22:50:17 UTC (rev 22371) +++ branches/krb5-1-7/src/include/k5-utf8.h 2009-05-24 22:50:30 UTC (rev 22372) @@ -84,9 +84,9 @@ #endif #if INT_MAX == 0x7fff -typedef int krb5_ucs2; +typedef unsigned int krb5_ucs2; #elif SHRT_MAX == 0x7fff -typedef short krb5_ucs2; +typedef unsigned short krb5_ucs2; #else #error undefined 16 bit type #endif 
@@ -101,15 +101,12 @@ #error: undefined 32 bit type #endif -#define KRB5_UCS2_INVALID ((krb5_ucs2)0x8000) -#define KRB5_UCS4_INVALID ((krb5_ucs4)0x80000000) - #define KRB5_MAX_UTF8_LEN (sizeof(krb5_ucs2) * 3/2) -krb5_ucs2 krb5int_utf8_to_ucs2(const char *p); +int krb5int_utf8_to_ucs2(const char *p, krb5_ucs2 *out); size_t krb5int_ucs2_to_utf8(krb5_ucs2 c, char *buf); -krb5_ucs4 krb5int_utf8_to_ucs4(const char *p); +int krb5int_utf8_to_ucs4(const char *p, krb5_ucs4 *out); size_t krb5int_ucs4_to_utf8(krb5_ucs4 c, char *buf); int Modified: branches/krb5-1-7/src/lib/krb5/unicode/ucstr.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/unicode/ucstr.c 2009-05-24 22:50:17 UTC (rev 22371) +++ branches/krb5-1-7/src/lib/krb5/unicode/ucstr.c 2009-05-24 22:50:30 UTC (rev 22372) @@ -397,8 +397,7 @@ /* convert and normalize 1st string */ for (i = 0, ulen = 0; i < l1; i += len, ulen++) { - ucs[ulen] = krb5int_utf8_to_ucs4(s1 + i); - if (ucs[ulen] == KRB5_UCS4_INVALID) { + if (krb5int_utf8_to_ucs4(s1 + i, &ucs[ulen]) == -1) { free(ucs); return -1; /* what to do??? */ } @@ -420,8 +419,7 @@ /* convert and normalize 2nd string */ for (i = 0, ulen = 0; i < l2; i += len, ulen++) { - ucs[ulen] = krb5int_utf8_to_ucs4(s2 + i); - if (ucs[ulen] == KRB5_UCS4_INVALID) { + if (krb5int_utf8_to_ucs4(s2 + i, &ucs[ulen]) == -1) { free(ucsout1); free(ucs); return 1; /* what to do??? */ Modified: branches/krb5-1-7/src/util/support/utf8.c =================================================================== --- branches/krb5-1-7/src/util/support/utf8.c 2009-05-24 22:50:17 UTC (rev 22371) +++ branches/krb5-1-7/src/util/support/utf8.c 2009-05-24 22:50:30 UTC (rev 22372) 
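Review bot: The two new prototypes in the k5-utf8.h hunk, `int krb5int_utf8_to_ucs2(const char *p, krb5_ucs2 *out);` and its ucs4 counterpart, have no comment giving their return convention, while the `size_t`-returning siblings declared next to them use a different one. The only statement of it is the comment added in utf8.c, and that covers the ucs4 routine alone. A header comment such as `/* Return 0 on success, -1 on invalid input; *out is set to 0 on failure. */` above both declarations would keep callers from testing the result the way they tested the old sentinel-returning versions.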
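Review bot: Both failure branches in the ucstr.c hunks still return an ordinary ordering value, `return -1;` for an undecodable first string and `return 1;` for an undecodable second one, so a caller cannot tell malformed UTF-8 from a real comparison result. The values are at least never 0, which means malformed input cannot compare equal, and that property is worth recording. I would replace the two `/* what to do??? */` comments with something like `/* invalid UTF-8: never reported as equal; indistinguishable from an ordering result */`. The enclosing function starts and ends outside both hunks.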
@@ -159,7 +159,11 @@ return i; } -krb5_ucs4 krb5int_utf8_to_ucs4(const char *p) +/* + * Convert a UTF8 character to a UCS4 character. Return 0 on success, + * -1 on failure. + */ +int krb5int_utf8_to_ucs4(const char *p, krb5_ucs4 *out) { const unsigned char *c = (const unsigned char *) p; krb5_ucs4 ch; @@ -167,33 +171,35 @@ static unsigned char mask[] = { 0, 0x7f, 0x1f, 0x0f, 0x07, 0x03, 0x01 }; + *out = 0; len = KRB5_UTF8_CHARLEN2(p, len); if (len == 0) - return KRB5_UCS4_INVALID; + return -1; ch = c[0] & mask[len]; for (i = 1; i < len; i++) { - if ((c[i] & 0xc0) != 0x80) { - return KRB5_UCS4_INVALID; - } + if ((c[i] & 0xc0) != 0x80) + return -1; ch <<= 6; ch |= c[i] & 0x3f; } - return ch; + *out = ch; + return 0; } -krb5_ucs2 krb5int_utf8_to_ucs2(const char *p) +int krb5int_utf8_to_ucs2(const char *p, krb5_ucs2 *out) { - krb5_ucs4 ch = krb5int_utf8_to_ucs4(p); + krb5_ucs4 ch; - if (ch == KRB5_UCS4_INVALID || ch > SHRT_MAX) - return KRB5_UCS2_INVALID; - - return (krb5_ucs2)ch; + *out = 0; + if (krb5int_utf8_to_ucs4(p, &ch) == -1 || ch > 0xFFFF) + return -1; + *out = (krb5_ucs2) ch; + return 0; } /* conv UCS-2 to UTF-8, not used */ @@ -446,10 +452,13 @@ /* like strchr() */ char *krb5int_utf8_strchr(const char *str, const char *chr) { + krb5_ucs4 chs, ch; + + if (krb5int_utf8_to_ucs4(chr, &ch) == -1) + return NULL; for ( ; *str != '\0'; KRB5_UTF8_INCR(str)) { - if (krb5int_utf8_to_ucs4(str) == krb5int_utf8_to_ucs4(chr)) { + if (krb5int_utf8_to_ucs4(str, &chs) == 0 && chs == ch) return (char *)str; - } } return NULL; 
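Review bot: The range test in the new krb5int_utf8_to_ucs2, `ch > 0xFFFF`, accepts the surrogate range 0xD800–0xDFFF, which is not a valid UCS-2 character and should not be produced by a UTF-8 decoder. The decoder above it checks only the form of the continuation bytes; whether `KRB5_UTF8_CHARLEN2` rejects these sequences or overlong encodings is not visible in the hunk. If it does not, I would tighten the test to `if (krb5int_utf8_to_ucs4(p, &ch) == -1 || ch > 0xFFFF || (ch >= 0xD800 && ch <= 0xDFFF))`. Accepting more than one byte sequence for a value matters here because the string helpers in this file compare decoded values.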
@@ -458,14 +467,14 @@ /* like strcspn() but returns number of bytes, not characters */ size_t krb5int_utf8_strcspn(const char *str, const char *set) { - const char *cstr; - const char *cset; + const char *cstr, *cset; + krb5_ucs4 chstr, chset; for (cstr = str; *cstr != '\0'; KRB5_UTF8_INCR(cstr)) { for (cset = set; *cset != '\0'; KRB5_UTF8_INCR(cset)) { - if (krb5int_utf8_to_ucs4(cstr) == krb5int_utf8_to_ucs4(cset)) { + if (krb5int_utf8_to_ucs4(cstr, &chstr) == 0 + && krb5int_utf8_to_ucs4(cset, &chset) == 0 && chstr == chset) return cstr - str; - } } } @@ -475,18 +484,16 @@ /* like strspn() but returns number of bytes, not characters */ size_t krb5int_utf8_strspn(const char *str, const char *set) { - const char *cstr; - const char *cset; + const char *cstr, *cset; + krb5_ucs4 chstr, chset; for (cstr = str; *cstr != '\0'; KRB5_UTF8_INCR(cstr)) { for (cset = set; ; KRB5_UTF8_INCR(cset)) { - if (*cset == '\0') { + if (*cset == '\0') return cstr - str; - } - - if (krb5int_utf8_to_ucs4(cstr) == krb5int_utf8_to_ucs4(cset)) { + if (krb5int_utf8_to_ucs4(cstr, &chstr) == 0 + && krb5int_utf8_to_ucs4(cset, &chset) == 0 && chstr == chset) break; - } } } @@ -496,13 +503,14 @@ /* like strpbrk(), replaces strchr() as well */ char *krb5int_utf8_strpbrk(const char *str, const char *set) { + const char *cset; + krb5_ucs4 chstr, chset; + for ( ; *str != '\0'; KRB5_UTF8_INCR(str)) { - const char *cset; - for (cset = set; *cset != '\0'; KRB5_UTF8_INCR(cset)) { - if (krb5int_utf8_to_ucs4(str) == krb5int_utf8_to_ucs4(cset)) { + if (krb5int_utf8_to_ucs4(str, &chstr) == 0 + && krb5int_utf8_to_ucs4(cset, &chset) == 0 && chstr == chset) return (char *)str; - } } } From tlyu at MIT.EDU Sun May 24 18:50:44 2009 
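Review bot: In the strcspn, strspn and strpbrk hunks the outer character is decoded again on every pass of the inner loop although it does not change there, and the handling of an undecodable outer character is implicit in a three-part `&&` chain. Decoding once per outer iteration makes that case explicit: in strcspn, `if (krb5int_utf8_to_ucs4(cstr, &chstr) == -1) continue;` directly after the outer `for`, with the inner test reduced to `if (krb5int_utf8_to_ucs4(cset, &chset) == 0 && chstr == chset)`. The same shape fits strpbrk, and strspn would return `cstr - str` at that point, which is what the current loop ends up doing. How `KRB5_UTF8_INCR` advances over malformed bytes is not shown in these hunks.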
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Sun, 24 May 2009 18:50:44 -0400 Subject: svn rev #22373: branches/krb5-1-7/src/lib/gssapi/krb5/ Message-ID: <200905242250.n4OMoiFI017847@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22373 Commit By: tlyu Log Message: ticket: 6488 version_fixed: 1.7 pull up r22351, r22354 from trunk ------------------------------------------------------------------------ r22354 | hartmans | 2009-05-18 21:08:48 +0200 (Mon, 18 May 2009) | 8 lines ticket: 6488 target_version: 1.7 tags: pullup Copy the sequence key rather than the subkey for lucid contexts in RFC 1964 mode, so that we map to raw des enctypes rather than say des-cbc-crc. ------------------------------------------------------------------------ r22351 | ghudson | 2009-05-14 18:50:52 +0200 (Thu, 14 May 2009) | 9 lines ticket: 6488 status: open tags: pullup target_version: 1.7 gss_krb5int_export_lucid_sec_context was erroneously copying the first sizeof(void *) bytes of the context into data_set, instead of the pointer to the context. Changed Files: U branches/krb5-1-7/src/lib/gssapi/krb5/lucid_context.c Modified: branches/krb5-1-7/src/lib/gssapi/krb5/lucid_context.c =================================================================== --- branches/krb5-1-7/src/lib/gssapi/krb5/lucid_context.c 2009-05-24 22:50:30 UTC (rev 22372) +++ branches/krb5-1-7/src/lib/gssapi/krb5/lucid_context.c 2009-05-24 22:50:44 UTC (rev 22373) @@ -107,7 +107,7 @@ goto error_out; } - rep.value = lctx; + rep.value = &lctx; rep.length = sizeof(lctx); retval = generic_gss_add_buffer_set_member(minor_status, &rep, data_set); @@ -213,7 +213,7 @@ lctx->rfc1964_kd.sign_alg = gctx->signalg; lctx->rfc1964_kd.seal_alg = gctx->sealalg; /* Copy key */ - if ((retval = copy_keyblock_to_lucid_key(gctx->subkey, + if ((retval = copy_keyblock_to_lucid_key(gctx->seq, &lctx->rfc1964_kd.ctx_key))) goto error_out; } From tlyu at MIT.EDU Sun May 24 18:50:59 2009 
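Review bot: `rep.value = &lctx;` together with `rep.length = sizeof(lctx);` in the first lucid_context.c hunk reads like an accidental address-of-local, and nothing at the call site says the buffer is meant to carry the pointer value itself. The previous code got exactly this wrong, so I would add `/* The buffer holds the pointer to the lucid context, not the context's bytes. */` above the assignment. Who releases `lctx` once `generic_gss_add_buffer_set_member` has succeeded is decided outside the hunk and deserves a line in the same comment. For the second hunk, whether `gctx->seq` is always set in RFC 1964 mode cannot be confirmed from the lines shown.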
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Sun, 24 May 2009 18:50:59 -0400 Subject: svn rev #22374: branches/krb5-1-7/src/lib/ crypto/ crypto/arcfour/ krb5/krb/ Message-ID: <200905242250.n4OMoxfd017886@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22374 Commit By: tlyu Log Message: ticket: 6490 version_fixed: 1.7 pull up 22355, 22356, 22357 from trunk ------------------------------------------------------------------------ r22357 | ghudson | 2009-05-20 04:05:53 +0200 (Wed, 20 May 2009) | 6 lines ticket: 6490 Restore compatibility with KDCs using key usage 8 to encrypt TGS replies in a subkey, by implementing a fallback in krb5_arcfour_decrypt. ------------------------------------------------------------------------ r22356 | ghudson | 2009-05-20 01:17:49 +0200 (Wed, 20 May 2009) | 13 lines ticket: 6490 status: open tags: pullup When using keyed checksum types with TGS subkeys, Microsoft AD 2003 verifies the checksum using the subkey, whereas MIT and Heimdal verify it using the TGS session key. (RFC 4120 is actually silent on which is correct; RFC 4757 specifies the TGS session key.) To sidestep this interop issue, don't use keyed checksum types with RC4 keys without explicit configuration in krb5.conf. Using keyed checksum types with AES is fine since, experimentally, AD 2008 accepts checksums keyed with the TGS session key. ------------------------------------------------------------------------ r22355 | hartmans | 2009-05-19 01:28:53 +0200 (Tue, 19 May 2009) | 5 lines ticket: 6490 status: open In practice, key usage 9 requires no translation. 
Changed Files: U branches/krb5-1-7/src/lib/crypto/arcfour/arcfour.c U branches/krb5-1-7/src/lib/crypto/t_encrypt.c U branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c Modified: branches/krb5-1-7/src/lib/crypto/arcfour/arcfour.c =================================================================== --- branches/krb5-1-7/src/lib/crypto/arcfour/arcfour.c 2009-05-24 22:50:44 UTC (rev 22373) +++ branches/krb5-1-7/src/lib/crypto/arcfour/arcfour.c 2009-05-24 22:50:58 UTC (rev 22374) @@ -47,7 +47,7 @@ case 8: return 8; case 9: /* tgs-rep encrypted with subkey */ - return 8; + return 9; case 10: /* ap-rep authentication cksum */ return 10; /* xxx Microsoft never uses this*/ case 11: /* app-req authenticator */ 
@@ -252,41 +252,58 @@ checksum.length=hashsize; checksum.data=input->data; - /* compute the salt */ ms_usage=krb5int_arcfour_translate_usage(usage); - if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) { - strncpy(salt.data, krb5int_arcfour_l40, salt.length); - store_32_le(ms_usage, salt.data+10); - } else { - salt.length=4; - store_32_le(ms_usage, salt.data); - } - ret=krb5_hmac(hash, key, 1, &salt, &d1); - if (ret) - goto cleanup; - memcpy(k2.contents, k1.contents, k2.length); + /* We may have to try two ms_usage values; see below. */ + do { + /* compute the salt */ + if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) { + strncpy(salt.data, krb5int_arcfour_l40, salt.length); + store_32_le(ms_usage, salt.data + 10); + } else { + salt.length = 4; + store_32_le(ms_usage, salt.data); + } + ret = krb5_hmac(hash, key, 1, &salt, &d1); + if (ret) + goto cleanup; - if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) - memset(k1.contents+7, 0xab, 9); + memcpy(k2.contents, k1.contents, k2.length); + + if (key->enctype == ENCTYPE_ARCFOUR_HMAC_EXP) + memset(k1.contents + 7, 0xab, 9); - ret = krb5_hmac(hash, &k1, 1, &checksum, &d3); - if (ret) - goto cleanup; + ret = krb5_hmac(hash, &k1, 1, &checksum, &d3); + if (ret) + goto cleanup; - ret=(*(enc->decrypt))(&k3, ivec, &ciphertext, &plaintext); - if (ret) - goto cleanup; + ret = (*(enc->decrypt))(&k3, ivec, &ciphertext, &plaintext); + if (ret) + goto cleanup; - ret=krb5_hmac(hash, &k2, 1, &plaintext, &d1); - if (ret) - goto cleanup; + ret = krb5_hmac(hash, &k2, 1, &plaintext, &d1); + if (ret) + goto cleanup; - if (memcmp(checksum.data, d1.data, hashsize) != 0) { - ret=KRB5KRB_AP_ERR_BAD_INTEGRITY; - goto cleanup; - } + if (memcmp(checksum.data, d1.data, hashsize) != 0) { + if (ms_usage == 9) { + /* + * RFC 4757 specifies usage 8 for TGS-REP encrypted + * parts encrypted in a subkey, but the value used by MS + * is actually 9. 
We now use 9 to start with, but fall + * back to 8 on failure in case we are communicating + * with a KDC using the value from the RFC. + */ + ms_usage = 8; + continue; + } + ret = KRB5KRB_AP_ERR_BAD_INTEGRITY; + goto cleanup; + } + break; + } while (1); + memcpy(output->data, plaintext.data+CONFOUNDERLENGTH, (plaintext.length-CONFOUNDERLENGTH)); output->length=plaintext.length-CONFOUNDERLENGTH; Modified: branches/krb5-1-7/src/lib/crypto/t_encrypt.c =================================================================== --- branches/krb5-1-7/src/lib/crypto/t_encrypt.c 2009-05-24 22:50:44 UTC (rev 22373) +++ branches/krb5-1-7/src/lib/crypto/t_encrypt.c 2009-05-24 22:50:58 UTC (rev 22374) @@ -47,14 +47,17 @@ 0 }; -#define test(msg, exp) \ -printf ("%s: . . . ", msg); \ -retval = (exp);\ -if( retval) { \ - printf( "Failed: %s\n", error_message(retval)); \ - abort(); \ -} else printf ("OK\n"); - +static void +test(const char *msg, krb5_error_code retval) +{ + printf("%s: . . . ", msg); + if (retval) { + printf("Failed: %s\n", error_message(retval)); + abort(); + } else + printf("OK\n"); +} + static int compare_results(krb5_data *d1, krb5_data *d2) { if (d1->length != d2->length) { 
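Review bot: The retry in the new `do { ... } while (1)` loop of arcfour.c calls `(*(enc->decrypt))(&k3, ivec, &ciphertext, &plaintext)` a second time with the same `ivec`, after the first pass has already run with a key derived from the wrong usage. If the provider's decrypt updates state behind a non-null `ivec` (not visible here), the fallback pass starts from whatever the failed pass left behind, and a valid usage-8 message would still fail the integrity check. Limiting the fallback to the stateless case, `if (ms_usage == 9 && ivec == NULL) {`, or restoring the state before `continue`, would avoid that. The function starts and ends outside the hunk.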
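Review bot: With `test` now a function in t_encrypt.c, the expression under test is evaluated before `printf("%s: . . . ", msg)` runs, whereas the macro printed the label first. A crash or hang inside the tested call therefore no longer shows which step was running, and the caller's own `retval` is no longer assigned as a side effect. I would state that in a comment on the helper, for example `/* Report the result of a step that has already run; does not set the caller's retval. */`. Whether any code after a `test(...)` call still reads `retval` is outside the hunk.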
@@ -186,6 +189,21 @@ krb5_free_keyblock (context, key); } + /* Test the RC4 decrypt fallback from key usage 9 to 8. */ + test ("Initializing an RC4 keyblock", + krb5_init_keyblock (context, ENCTYPE_ARCFOUR_HMAC, 0, &key)); + test ("Generating random RC4 key", + krb5_c_make_random_key (context, ENCTYPE_ARCFOUR_HMAC, key)); + enc_out.ciphertext = out; + krb5_c_encrypt_length (context, key->enctype, in.length, &len); + enc_out.ciphertext.length = len; + check.length = 2048; + test ("Encrypting with RC4 key usage 8", + krb5_c_encrypt (context, key, 8, 0, &in, &enc_out)); + test ("Decrypting with RC4 key usage 9", + krb5_c_decrypt (context, key, 9, 0, &enc_out, &check)); + test ("Comparing", compare_results (&in, &check)); + free(out.data); free(out2.data); free(check.data); Modified: branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c 2009-05-24 22:50:44 UTC (rev 22373) +++ branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c 2009-05-24 22:50:58 UTC (rev 22374) @@ -68,6 +68,8 @@ case ENCTYPE_DES_CBC_CRC: case ENCTYPE_DES_CBC_MD4: case ENCTYPE_DES_CBC_MD5: + case ENCTYPE_ARCFOUR_HMAC: + case ENCTYPE_ARCFOUR_HMAC_EXP: cksumtype = context->kdc_req_sumtype; break; default: From tlyu at MIT.EDU Sun May 24 18:51:08 2009 
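Review bot: The new RC4 block in t_encrypt.c checks only that the usage 9 to 8 fallback succeeds; nothing asserts that a ciphertext which verifies under neither usage is still rejected, which is the property the retry loop must not weaken. The key created by `krb5_init_keyblock` is also never released in the lines shown, and the result of `krb5_c_encrypt_length` is ignored. A negative case plus the missing free could follow the comparison, as sketched below.

```c
    test ("Comparing", compare_results (&in, &check));
    /* A corrupted ciphertext must still fail after the usage 9 -> 8 retry. */
    enc_out.ciphertext.data[0] ^= 0x01;
    check.length = 2048;
    if (krb5_c_decrypt (context, key, 9, 0, &enc_out, &check) == 0) {
	printf ("Corrupted RC4 ciphertext was accepted\n");
	abort ();
    }
    krb5_free_keyblock (context, key);
    /* … unchanged: free(out.data) and the remaining cleanup … */
```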
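Review bot: The two added labels in send_tgs.c, `case ENCTYPE_ARCFOUR_HMAC:` and `case ENCTYPE_ARCFOUR_HMAC_EXP:`, put RC4 in the same branch as the single-DES types with nothing in the code saying why. The reason exists only in the log message, and a reader could take the grouping for a mistake and move RC4 back to the default branch. I would add `/* RC4: use the configured checksum type; see ticket 6490 (AD 2003 keyed-checksum interop). */` above them. The switch starts and ends outside the hunk.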
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Sun, 24 May 2009 18:51:08 -0400 Subject: svn rev #22375: branches/krb5-1-7/src/kdc/ Message-ID: <200905242251.n4OMp8ZW017941@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22375 Commit By: tlyu Log Message: ticket: 6492 version_fixed: 1.7 pull up r22360 from trunk ------------------------------------------------------------------------ r22360 | ghudson | 2009-05-22 16:08:25 +0200 (Fri, 22 May 2009) | 10 lines ticket: 6492 subject: Remove spurious assertion in handle_authdata tags: pullup target_version: 1.7 In handle_authdata in the KDC, remove a spurious assertion (added in r21566 on the mskrb-integ branch) that authdata starts out empty. authdata can be legitimately added by check_padata, which precedes handle_authdata, and this happens with pkinit. Changed Files: U branches/krb5-1-7/src/kdc/kdc_authdata.c Modified: branches/krb5-1-7/src/kdc/kdc_authdata.c =================================================================== --- branches/krb5-1-7/src/kdc/kdc_authdata.c 2009-05-24 22:50:58 UTC (rev 22374) +++ branches/krb5-1-7/src/kdc/kdc_authdata.c 2009-05-24 22:51:08 UTC (rev 22375) @@ -574,7 +574,6 @@ krb5_error_code code = 0; int i; - assert(enc_tkt_reply->authorization_data == NULL); for (i = 0; i < n_authdata_systems; i++) { const krb5_authdata_systems *asys = &authdata_systems[i]; From tlyu at MIT.EDU Sun May 24 18:51:33 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Sun, 24 May 2009 18:51:33 -0400 Subject: svn rev #22376: branches/krb5-1-7/src/lib/krb5/krb/ Message-ID: <200905242251.n4OMpXam017982@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22376 Commit By: tlyu Log Message: ticket: 6495 version_fixed: 1.7 pull up r22368 from trunk ------------------------------------------------------------------------ r22368 | ghudson | 2009-05-24 02:48:31 +0200 (Sun, 24 May 2009) | 10 lines ticket: 6495 subject: Fix test rules for non-gmake make versions target_version: 1.7 tags: pullup The build rules for the new t_ad_fx_armor and t_authdata test programs used $<, which is only portable for implicit rules (but is valid in gmake for all rules). Stop using $< in those rules so that "make check" works with System V make. Changed Files: U branches/krb5-1-7/src/lib/krb5/krb/Makefile.in Modified: branches/krb5-1-7/src/lib/krb5/krb/Makefile.in =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/Makefile.in 2009-05-24 22:51:08 UTC (rev 22375) +++ branches/krb5-1-7/src/lib/krb5/krb/Makefile.in 2009-05-24 22:51:32 UTC (rev 22376) @@ -319,10 +319,10 @@ t_walk_rtree: $(T_WALK_RTREE_OBJS) $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o t_walk_rtree $(T_WALK_RTREE_OBJS) $(KRB5_BASE_LIBS) t_ad_fx_armor: t_ad_fx_armor.o - $(CC_LINK) -o $@ $< $(KRB5_BASE_LIBS) + $(CC_LINK) -o $@ t_ad_fx_armor.o $(KRB5_BASE_LIBS) t_authdata: t_authdata.o copy_auth.o - $(CC_LINK) -o $@ $< copy_auth.o $(KRB5_BASE_LIBS) + $(CC_LINK) -o $@ t_authdata.o copy_auth.o $(KRB5_BASE_LIBS) t_kerb: $(T_KERB_OBJS) $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o t_kerb $(T_KERB_OBJS) $(KRB5_BASE_LIBS) From tlyu at MIT.EDU Sun May 24 18:51:43 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Sun, 24 May 2009 18:51:43 -0400 Subject: svn rev #22377: branches/krb5-1-7/src/kdc/ Message-ID: <200905242251.n4OMphZT018053@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22377 Commit By: tlyu Log Message: ticket: 6496 version_fixed: 1.7 pull up r22369 from trunk ------------------------------------------------------------------------ r22369 | ghudson | 2009-05-24 17:53:51 +0200 (Sun, 24 May 2009) | 11 lines ticket: 6496 subject: Fix vector initialization error in KDC preauth code target_version: 1.7 tags: pullup In the KDC, get_preauth_hint_list had two bugs initializing the preauth array. It was allocating 21 extra entries instead of two due to a typo (harmless), and it was only zeroing up through one extra entry (harmful). Adjust the code to use calloc to avoid further disagreements of this nature. Changed Files: U branches/krb5-1-7/src/kdc/kdc_preauth.c Modified: branches/krb5-1-7/src/kdc/kdc_preauth.c =================================================================== --- branches/krb5-1-7/src/kdc/kdc_preauth.c 2009-05-24 22:51:32 UTC (rev 22376) +++ branches/krb5-1-7/src/kdc/kdc_preauth.c 2009-05-24 22:51:42 UTC (rev 22377) @@ -972,11 +972,10 @@ e_data->data = 0; hw_only = isflagset(client->attributes, KRB5_KDB_REQUIRES_HW_AUTH); - /* Allocate 1 entry for the terminator and one for the cookie*/ - pa_data = malloc(sizeof(krb5_pa_data *) * (n_preauth_systems+21)); + /* Allocate two extra entries for the cookie and the terminator. */ + pa_data = calloc(n_preauth_systems + 2, sizeof(krb5_pa_data *)); if (pa_data == 0) return; - memset(pa_data, 0, sizeof(krb5_pa_data *) * (n_preauth_systems+1)); pa = pa_data; for (ap = preauth_systems; ap->type != -1; ap++) { From tlyu at MIT.EDU Mon May 25 01:43:43 2009 
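Review bot: The array in the kdc_preauth.c hunk is now sized from `n_preauth_systems`, but the fill loop that follows, `for (ap = preauth_systems; ap->type != -1; ap++)`, stops on a sentinel rather than on that count. Its body is outside the hunk, so it cannot be confirmed here that writes through `pa` stay within `n_preauth_systems + 2` slots. The new comment would be more useful if it stated the invariant, for instance `/* One slot per preauth system, plus the cookie and the NULL terminator; the loop below must not add more. */`. An assertion on `pa - pa_data` after the loop would check it at run time.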
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 25 May 2009 01:43:43 -0400 Subject: svn rev #22378: branches/krb5-1-7/src/lib/gssapi/spnego/ Message-ID: <200905250543.n4P5hhf4002731@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22378 Commit By: tlyu Log Message: ticket: 6498 target_version: 1.7 tags: pullup version_fixed: 1.7 subject: spnego_mech.c syntax error under _GSS_STATIC_LINK status: resolved pull up r22361 from trunk ------------------------------------------------------------------------ r22361 | raeburn | 2009-05-22 16:12:17 +0200 (Fri, 22 May 2009) | 2 lines fix minor syntax error Changed Files: U branches/krb5-1-7/src/lib/gssapi/spnego/spnego_mech.c Modified: branches/krb5-1-7/src/lib/gssapi/spnego/spnego_mech.c =================================================================== --- branches/krb5-1-7/src/lib/gssapi/spnego/spnego_mech.c 2009-05-24 22:51:42 UTC (rev 22377) +++ branches/krb5-1-7/src/lib/gssapi/spnego/spnego_mech.c 2009-05-25 05:43:42 UTC (rev 22378) @@ -283,7 +283,7 @@ MAKE_INIT_FUNCTION(gss_krb5int_lib_init); MAKE_FINI_FUNCTION(gss_krb5int_lib_fini); -int gss_krb5int_lib_init(void) +int gss_krb5int_lib_init(void); #endif /* _GSS_STATIC_LINK */ int gss_spnegoint_lib_init(void) From tlyu at MIT.EDU Mon May 25 01:43:56 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 25 May 2009 01:43:56 -0400 Subject: svn rev #22379: branches/krb5-1-7/src/lib/krb5/krb/ Message-ID: <200905250543.n4P5huwX002797@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22379 Commit By: tlyu Log Message: ticket: 6499 target_version: 1.7 tags: pullup version_fixed: 1.7 subject: use printf format attribute only with gcc status: resolved pull up r22363 from trunk ------------------------------------------------------------------------ r22363 | raeburn | 2009-05-22 19:19:37 +0200 (Fri, 22 May 2009) | 2 lines Use printf format attribute only with gcc. Changed Files: U branches/krb5-1-7/src/lib/krb5/krb/t_pac.c U branches/krb5-1-7/src/lib/krb5/krb/t_princ.c Modified: branches/krb5-1-7/src/lib/krb5/krb/t_pac.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/t_pac.c 2009-05-25 05:43:42 UTC (rev 22378) +++ branches/krb5-1-7/src/lib/krb5/krb/t_pac.c 2009-05-25 05:43:55 UTC (rev 22379) @@ -96,8 +96,10 @@ static time_t authtime = 1120440609; static const char *user = "w2003final$@WIN2K3.THINKER.LOCAL"; +#if !defined(__cplusplus) && (__GNUC__ > 2) static void err(krb5_context ctx, krb5_error_code code, const char *fmt, ...) __attribute__((__format__(__printf__, 3, 0))); +#endif static void err(krb5_context ctx, krb5_error_code code, const char *fmt, ...) Modified: branches/krb5-1-7/src/lib/krb5/krb/t_princ.c =================================================================== --- branches/krb5-1-7/src/lib/krb5/krb/t_princ.c 2009-05-25 05:43:42 UTC (rev 22378) +++ branches/krb5-1-7/src/lib/krb5/krb/t_princ.c 2009-05-25 05:43:55 UTC (rev 22379) 
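Review bot: The guarded declaration in the t_pac.c hunk uses `__attribute__((__format__(__printf__, 3, 0)))`, and a first-to-check index of 0 tells GCC to check only the format string, not the arguments; that form is meant for functions that take a `va_list`. `err` is declared with `...`, so `__attribute__((__format__(__printf__, 3, 4)))` would let the compiler check the arguments of every call as well. The t_princ.c hunk that follows carries the same line. The definition of `err` lies outside both hunks.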
@@ -38,8 +38,10 @@ * there when it's destroyed. */ +#if !defined(__cplusplus) && (__GNUC__ > 2) static void err(krb5_context ctx, krb5_error_code code, const char *fmt, ...) __attribute__((__format__(__printf__, 3, 0))); +#endif static void err(krb5_context ctx, krb5_error_code code, const char *fmt, ...) From tlyu at MIT.EDU Mon May 25 01:44:09 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Mon, 25 May 2009 01:44:09 -0400 Subject: svn rev #22380: branches/krb5-1-7/src/lib/crypto/ Message-ID: <200905250544.n4P5i9GJ002876@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22380 Commit By: tlyu Log Message: ticket: 6500 target_version: 1.7 tags: pullup version_fixed: 1.7 subject: use correct type for krb5_c_prf_length length arg pull up r22364 from trunk ------------------------------------------------------------------------ r22364 | raeburn | 2009-05-22 19:20:15 +0200 (Fri, 22 May 2009) | 2 lines Use correct type for krb5_c_prf_length length arg. Changed Files: U branches/krb5-1-7/src/lib/crypto/t_prf.c Modified: branches/krb5-1-7/src/lib/crypto/t_prf.c =================================================================== --- branches/krb5-1-7/src/lib/crypto/t_prf.c 2009-05-25 05:43:55 UTC (rev 22379) +++ branches/krb5-1-7/src/lib/crypto/t_prf.c 2009-05-25 05:44:09 UTC (rev 22380) 
@@ -23,13 +23,14 @@ * this software for any purpose. It is provided "as is" without express * or implied warranty. * - * This file contains tests for the PRF code in Kerberos. IT reads - *an input file, and writes an output file. It is assumed that the - *output file will be diffed against expected output to see whether - *regression tests pass. The input file is a very primitive format. - *It includes an enctype and to be string2keyed followed by a number of bytes of input - *length, followed by that many bytes of input. The program outputs - *krb5_c_prf of that input and key as a hex string. + * This file contains tests for the PRF code in Kerberos. IT reads an + * input file, and writes an output file. It is assumed that the + * output file will be diffed against expected output to see whether + * regression tests pass. The input file is a very primitive format. + * It includes an enctype and password to be string2keyed followed by + * a number of bytes of input length, followed by that many bytes of + * input. The program outputs krb5_c_prf of that input and key as a + * hex string. */ #include "k5-int.h" @@ -39,7 +40,7 @@ krb5_data input, output; krb5_keyblock *key = NULL; unsigned int in_length; - unsigned int i; + size_t i; while (1) { krb5_enctype enctype; char s[1025]; From ghudson at MIT.EDU Mon May 25 12:40:01 2009 
From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Mon, 25 May 2009 12:40:01 -0400 Subject: svn rev #22381: trunk/src/plugins/preauth/pkinit/ Message-ID: <200905251640.n4PGe1sV023489@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22381 Commit By: ghudson Log Message: ticket: 6501 subject: Temporarily disable FAST PKINIT for 1.7 release tags: pullup target_version: 1.7 There are protocol issues and implementation defects surrounding the combination of FAST an PKINIT currently. To avoid impacting the 1.7 scheduled and to avoid creating interoperability problems later, disable the combination until the problems are resolved. Changed Files: U trunk/src/plugins/preauth/pkinit/pkinit_clnt.c U trunk/src/plugins/preauth/pkinit/pkinit_srv.c Modified: trunk/src/plugins/preauth/pkinit/pkinit_clnt.c =================================================================== --- trunk/src/plugins/preauth/pkinit/pkinit_clnt.c 2009-05-25 05:44:09 UTC (rev 22380) +++ trunk/src/plugins/preauth/pkinit/pkinit_clnt.c 2009-05-25 16:40:00 UTC (rev 22381) @@ -40,6 +40,9 @@ #include "pkinit.h" +/* Remove when FAST PKINIT is settled. */ +#include "../fast_factor.h" + #ifdef LONGHORN_BETA_COMPAT /* * It is anticipated that all the special checks currently 
@@ -1027,10 +1030,19 @@ int processing_request = 0; pkinit_context plgctx = (pkinit_context)plugin_context; pkinit_req_context reqctx = (pkinit_req_context)request_context; + krb5_keyblock *armor_key = NULL; pkiDebug("pkinit_client_process %p %p %p %p\n", context, plgctx, reqctx, request); + /* Remove (along with armor_key) when FAST PKINIT is settled. */ + retval = fast_get_armor_key(context, get_data_proc, rock, &armor_key); + if (retval == 0 && armor_key != NULL) { + /* Don't use PKINIT if also using FAST. */ + krb5_free_keyblock(context, armor_key); + return EINVAL; + } + if (plgctx == NULL || reqctx == NULL) return EINVAL; Modified: trunk/src/plugins/preauth/pkinit/pkinit_srv.c =================================================================== --- trunk/src/plugins/preauth/pkinit/pkinit_srv.c 2009-05-25 05:44:09 UTC (rev 22380) +++ trunk/src/plugins/preauth/pkinit/pkinit_srv.c 2009-05-25 16:40:00 UTC (rev 22381) @@ -35,6 +35,9 @@ #include "pkinit.h" +/* Remove when FAST PKINIT is settled. */ +#include "../fast_factor.h" + static krb5_error_code pkinit_server_get_edata(krb5_context context, krb5_kdc_req * request, @@ -146,9 +149,19 @@ { krb5_error_code retval = 0; pkinit_kdc_context plgctx = NULL; + krb5_keyblock *armor_key = NULL; pkiDebug("pkinit_server_get_edata: entered!\n"); + /* Remove (along with armor_key) when FAST PKINIT is settled. */ + retval = fast_kdc_get_armor_key(context, server_get_entry_data, request, + client, &armor_key); + if (retval == 0 && armor_key != NULL) { + /* Don't advertise PKINIT if the client used FAST. */ + krb5_free_keyblock(context, armor_key); + return EINVAL; + } + /* * If we don't have a realm context for the given realm, * don't tell the client that we support pkinit! 
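Review bot: In pkinit_client_process the added check acts only on `retval == 0 && armor_key != NULL`, so any failure of `fast_get_armor_key` lets the request continue with PKINIT and leaves its error code in `retval`. Whether a failure can mean anything other than "no armor key" is not visible here; if it can, the block meant to keep FAST and PKINIT apart fails open. pkinit_server_get_edata in pkinit_srv.c follows the same pattern, and `retval` there was initialised to 0 before, so a later `return retval` that does not reassign it would now return the lookup's error. A separate local, e.g. `krb5_error_code fast_ret = fast_get_armor_key(context, get_data_proc, rock, &armor_key);`, keeps the two results apart. Both function bodies continue outside the hunks, and the pull-up to the 1.7 branch (rev 22385) repeats the code.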
@@ -344,11 +357,21 @@ krb5_authdata **my_authz_data = NULL, *pkinit_authz_data = NULL; krb5_kdc_req *tmp_as_req = NULL; krb5_data k5data; + krb5_keyblock *armor_key; pkiDebug("pkinit_verify_padata: entered!\n"); if (data == NULL || data->length <= 0 || data->contents == NULL) return 0; + /* Remove (along with armor_key) when FAST PKINIT is settled. */ + retval = fast_kdc_get_armor_key(context, server_get_entry_data, request, + client, &armor_key); + if (retval == 0 && armor_key != NULL) { + /* Don't allow PKINIT if the client used FAST. */ + krb5_free_keyblock(context, armor_key); + return EINVAL; + } + if (pa_plugin_context == NULL || e_data == NULL) return EINVAL; From ghudson at MIT.EDU Mon May 25 12:47:40 2009 From: ghudson at MIT.EDU (ghudson@MIT.EDU) Date: Mon, 25 May 2009 12:47:40 -0400 Subject: svn rev #22382: trunk/src/clients/kinit/ Message-ID: <200905251647.n4PGlejM024042@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22382 Commit By: ghudson Log Message: ticket: 6497 tags: pullup target_version: 1.7 Fix up kinit -T documentation. Changed Files: U trunk/src/clients/kinit/kinit.M U trunk/src/clients/kinit/kinit.c Modified: trunk/src/clients/kinit/kinit.M =================================================================== --- trunk/src/clients/kinit/kinit.M 2009-05-25 16:40:00 UTC (rev 22381) +++ trunk/src/clients/kinit/kinit.M 2009-05-25 16:47:40 UTC (rev 22382) 
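Review bot: `krb5_keyblock *armor_key;` in the pkinit_verify_padata hunk is declared without an initialiser, unlike the `= NULL` used in the other two functions this commit touches. If `fast_kdc_get_armor_key` can return 0 without storing through its last argument (its body is not shown), the test `armor_key != NULL` reads an indeterminate pointer and `krb5_free_keyblock` may be called on it. Declaring it as `krb5_keyblock *armor_key = NULL;` removes that dependency. The same line is repeated in the 1.7 branch pull-up (rev 22385), and the function continues outside the hunk.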
@@ -131,8 +131,10 @@ option; otherwise the default name and location will be used. .TP \fB\-T\fP \fIarmor_ccache\fP -Specifies the name of a credential cache that already contains a ticket. This ccache -will be used to armor the request Ideally, an attacker should have to attack both the armor ticket and the key of the principal. +Specifies the name of a credential cache that already contains a +ticket. This ccache will be used to armor the request. Ideally, an +attacker should have to attack both the armor ticket and the key of +the principal. .TP \fB\-c\fP \fIcache_name\fP use Modified: trunk/src/clients/kinit/kinit.c =================================================================== --- trunk/src/clients/kinit/kinit.c 2009-05-25 16:40:00 UTC (rev 22381) +++ trunk/src/clients/kinit/kinit.c 2009-05-25 16:47:40 UTC (rev 22382) @@ -198,7 +198,7 @@ "[-k [-t keytab_file]] " "[-c cachename] " USAGE_BREAK - "[-S service_name]""-T ticket_armor_cache" + "[-S service_name] [-T ticket_armor_cache]" USAGE_BREAK "[-X [=]] [principal]" "\n\n", @@ -223,6 +223,7 @@ fprintf(stderr, "\t-t filename of keytab to use\n"); fprintf(stderr, "\t-c Kerberos 5 cache name\n"); fprintf(stderr, "\t-S service\n"); + fprintf(stderr, "\t-T armor credential cache\n"); fprintf(stderr, "\t-X [=]\n"); exit(2); } From raeburn at MIT.EDU Mon May 25 17:37:02 2009 
From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Mon, 25 May 2009 17:37:02 -0400 Subject: svn rev #22383: trunk/src/tests/dejagnu/krb-standalone/ Message-ID: <200905252137.n4PLb2cT012676@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22383 Commit By: raeburn Log Message: Check for 'encoding ### bytes' message consistently, accepting full base64 encoding. Changed Files: U trunk/src/tests/dejagnu/krb-standalone/gssftp.exp Modified: trunk/src/tests/dejagnu/krb-standalone/gssftp.exp =================================================================== --- trunk/src/tests/dejagnu/krb-standalone/gssftp.exp 2009-05-25 16:47:40 UTC (rev 22382) +++ trunk/src/tests/dejagnu/krb-standalone/gssftp.exp 2009-05-25 21:37:02 UTC (rev 22383) @@ -229,7 +229,7 @@ return } -re "--->\[^\r\n\]*\r\n" { exp_continue } - -re "encoding \[0-9\]* bytes MIC \[a-zA-Z/+\]*" { exp_continue } + -re "encoding \[0-9\]* bytes MIC \[a-zA-Z0-9/+=\]*\r\n" { exp_continue } -re "sealed \[A-Z()\]*" { exp_continue } -re "secure_command\[A-Z()\]*" { exp_continue } timeout { From raeburn at MIT.EDU Mon May 25 17:48:49 2009 From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Mon, 25 May 2009 17:48:49 -0400 Subject: svn rev #22384: trunk/src/appl/bsd/ Message-ID: <200905252148.n4PLmnrF013972@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22384 Commit By: raeburn Log Message: On error getting forwarded creds, actually print out the error. Changed Files: U trunk/src/appl/bsd/kcmd.c Modified: trunk/src/appl/bsd/kcmd.c =================================================================== --- trunk/src/appl/bsd/kcmd.c 2009-05-25 21:37:02 UTC (rev 22383) +++ trunk/src/appl/bsd/kcmd.c 2009-05-25 21:48:49 UTC (rev 22384) 
@@ -551,7 +551,8 @@ 0, options & OPTS_FORWARDABLE_CREDS, &outbuf); if (status) { - fprintf(stderr, "kcmd: Error getting forwarded creds\n"); + fprintf(stderr, "kcmd: Error getting forwarded creds: %s\n", + error_message(status)); goto bad2; } From tlyu at MIT.EDU Tue May 26 03:58:28 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 26 May 2009 03:58:28 -0400 Subject: svn rev #22385: branches/krb5-1-7/src/plugins/preauth/pkinit/ Message-ID: <200905260758.n4Q7wSHs025061@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22385 Commit By: tlyu Log Message: ticket: 6501 version_fixed: 1.7 pull up r22381 from trunk ------------------------------------------------------------------------ r22381 | ghudson | 2009-05-25 18:40:00 +0200 (Mon, 25 May 2009) | 10 lines ticket: 6501 subject: Temporarily disable FAST PKINIT for 1.7 release tags: pullup target_version: 1.7 There are protocol issues and implementation defects surrounding the combination of FAST an PKINIT currently. To avoid impacting the 1.7 scheduled and to avoid creating interoperability problems later, disable the combination until the problems are resolved. Changed Files: U branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_clnt.c U branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_srv.c Modified: branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_clnt.c =================================================================== --- branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_clnt.c 2009-05-25 21:48:49 UTC (rev 22384) +++ branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_clnt.c 2009-05-26 07:58:28 UTC (rev 22385) @@ -40,6 +40,9 @@ #include "pkinit.h" +/* Remove when FAST PKINIT is settled. */ +#include "../fast_factor.h" + #ifdef LONGHORN_BETA_COMPAT /* * It is anticipated that all the special checks currently 
@@ -1027,10 +1030,19 @@ int processing_request = 0; pkinit_context plgctx = (pkinit_context)plugin_context; pkinit_req_context reqctx = (pkinit_req_context)request_context; + krb5_keyblock *armor_key = NULL; pkiDebug("pkinit_client_process %p %p %p %p\n", context, plgctx, reqctx, request); + /* Remove (along with armor_key) when FAST PKINIT is settled. */ + retval = fast_get_armor_key(context, get_data_proc, rock, &armor_key); + if (retval == 0 && armor_key != NULL) { + /* Don't use PKINIT if also using FAST. */ + krb5_free_keyblock(context, armor_key); + return EINVAL; + } + if (plgctx == NULL || reqctx == NULL) return EINVAL; Modified: branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_srv.c =================================================================== --- branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_srv.c 2009-05-25 21:48:49 UTC (rev 22384) +++ branches/krb5-1-7/src/plugins/preauth/pkinit/pkinit_srv.c 2009-05-26 07:58:28 UTC (rev 22385) @@ -35,6 +35,9 @@ #include "pkinit.h" +/* Remove when FAST PKINIT is settled. */ +#include "../fast_factor.h" + static krb5_error_code pkinit_server_get_edata(krb5_context context, krb5_kdc_req * request, @@ -146,9 +149,19 @@ { krb5_error_code retval = 0; pkinit_kdc_context plgctx = NULL; + krb5_keyblock *armor_key = NULL; pkiDebug("pkinit_server_get_edata: entered!\n"); + /* Remove (along with armor_key) when FAST PKINIT is settled. */ + retval = fast_kdc_get_armor_key(context, server_get_entry_data, request, + client, &armor_key); + if (retval == 0 && armor_key != NULL) { + /* Don't advertise PKINIT if the client used FAST. */ + krb5_free_keyblock(context, armor_key); + return EINVAL; + } + /* * If we don't have a realm context for the given realm, * don't tell the client that we support pkinit! 
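Review bot: The FAST check added to pkinit_client_process only acts when the lookup succeeds, so any non-zero return from `fast_get_armor_key()` falls through and PKINIT proceeds as if no armor were present. For a guard meant to keep PKINIT from running together with FAST, confirm that the helper returns 0 with a NULL key when no armor is in use (its definition is not in this diff); if it does, handle a lookup failure explicitly with `if (retval != 0) return retval;` before the `armor_key != NULL` test. As written, `retval` also keeps that error code while the function continues past the end of the hunk. The same pattern is added in pkinit_server_get_edata (the `@@ -146,9 +149,19 @@` hunk) and in pkinit_verify_padata (the `@@ -344,11 +357,21 @@` hunk).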
@@ -344,11 +357,21 @@ krb5_authdata **my_authz_data = NULL, *pkinit_authz_data = NULL; krb5_kdc_req *tmp_as_req = NULL; krb5_data k5data; + krb5_keyblock *armor_key; pkiDebug("pkinit_verify_padata: entered!\n"); if (data == NULL || data->length <= 0 || data->contents == NULL) return 0; + /* Remove (along with armor_key) when FAST PKINIT is settled. */ + retval = fast_kdc_get_armor_key(context, server_get_entry_data, request, + client, &armor_key); + if (retval == 0 && armor_key != NULL) { + /* Don't allow PKINIT if the client used FAST. */ + krb5_free_keyblock(context, armor_key); + return EINVAL; + } + if (pa_plugin_context == NULL || e_data == NULL) return EINVAL; From tlyu at MIT.EDU Tue May 26 03:58:52 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 26 May 2009 03:58:52 -0400 Subject: svn rev #22386: branches/krb5-1-7/src/clients/kinit/ Message-ID: <200905260758.n4Q7wqwB025141@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22386 Commit By: tlyu Log Message: ticket: 6497 version_fixed: 1.7 pull up r22382 from trunk ------------------------------------------------------------------------ r22382 | ghudson | 2009-05-25 18:47:40 +0200 (Mon, 25 May 2009) | 6 lines ticket: 6497 tags: pullup target_version: 1.7 Fix up kinit -T documentation. Changed Files: U branches/krb5-1-7/src/clients/kinit/kinit.M U branches/krb5-1-7/src/clients/kinit/kinit.c Modified: branches/krb5-1-7/src/clients/kinit/kinit.M =================================================================== --- branches/krb5-1-7/src/clients/kinit/kinit.M 2009-05-26 07:58:28 UTC (rev 22385) +++ branches/krb5-1-7/src/clients/kinit/kinit.M 2009-05-26 07:58:52 UTC (rev 22386) 
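Review bot: `krb5_keyblock *armor_key;` in pkinit_verify_padata is declared without an initializer, yet the added check reads it in `armor_key != NULL` as soon as `fast_kdc_get_armor_key()` returns 0. That is only safe if the helper always stores through the pointer on success, which this diff does not show; the two other call sites added by this commit declare it with `= NULL`. Declare it the same way here: `krb5_keyblock *armor_key = NULL;`. The function body starts before the hunk and continues after it.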
@@ -131,8 +131,10 @@ option; otherwise the default name and location will be used. .TP \fB\-T\fP \fIarmor_ccache\fP -Specifies the name of a credential cache that already contains a ticket. This ccache -will be used to armor the request Ideally, an attacker should have to attack both the armor ticket and the key of the principal. +Specifies the name of a credential cache that already contains a +ticket. This ccache will be used to armor the request. Ideally, an +attacker should have to attack both the armor ticket and the key of +the principal. .TP \fB\-c\fP \fIcache_name\fP use Modified: branches/krb5-1-7/src/clients/kinit/kinit.c =================================================================== --- branches/krb5-1-7/src/clients/kinit/kinit.c 2009-05-26 07:58:28 UTC (rev 22385) +++ branches/krb5-1-7/src/clients/kinit/kinit.c 2009-05-26 07:58:52 UTC (rev 22386) @@ -198,7 +198,7 @@ "[-k [-t keytab_file]] " "[-c cachename] " USAGE_BREAK - "[-S service_name]""-T ticket_armor_cache" + "[-S service_name] [-T ticket_armor_cache]" USAGE_BREAK "[-X [=]] [principal]" "\n\n", @@ -223,6 +223,7 @@ fprintf(stderr, "\t-t filename of keytab to use\n"); fprintf(stderr, "\t-c Kerberos 5 cache name\n"); fprintf(stderr, "\t-S service\n"); + fprintf(stderr, "\t-T armor credential cache\n"); fprintf(stderr, "\t-X [=]\n"); exit(2); } From tlyu at MIT.EDU Tue May 26 05:41:47 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 26 May 2009 05:41:47 -0400 Subject: svn rev #22387: branches/krb5-1-7/doc/api/ Message-ID: <200905260941.n4Q9flDM032730@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22387 Commit By: tlyu Log Message: ticket: 6502 target_version: 1.7 tags: pullup version_fixed: 1.7 subject: typo in doc/api/krb5.tex ------------------------------------------------------------------------ r22287 | ghudson | 2009-04-28 19:54:13 +0200 (Tue, 28 Apr 2009) | 2 lines Fix typo. Changed Files: U branches/krb5-1-7/doc/api/krb5.tex Modified: branches/krb5-1-7/doc/api/krb5.tex =================================================================== --- branches/krb5-1-7/doc/api/krb5.tex 2009-05-26 07:58:52 UTC (rev 22386) +++ branches/krb5-1-7/doc/api/krb5.tex 2009-05-26 09:41:46 UTC (rev 22387) @@ -1500,7 +1500,7 @@ the \funcparam{auth_context} replay cache is not used. If sequence numbers are to be used (i.e., if either -KRB5_AUTH_CONTEXT_DO_SEQUENCE or KRB5_AUTH_CONTEXT_RET_SEQUENEC is +KRB5_AUTH_CONTEXT_DO_SEQUENCE or KRB5_AUTH_CONTEXT_RET_SEQUENCE is set), then \funcparam{auth_context} local sequence number will be placed in the protected message as its sequence number. From tlyu at MIT.EDU Tue May 26 05:41:55 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 26 May 2009 05:41:55 -0400 Subject: svn rev #22388: branches/krb5-1-7/doc/ Message-ID: <200905260941.n4Q9ftn9000330@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22388 Commit By: tlyu Log Message: ticket: 6503 version_fixed: 1.7 target_version: 1.7 tags: pullup subject: typo in admin.texinfo pull up r22266 from trunk ------------------------------------------------------------------------ r22266 | ghudson | 2009-04-22 10:26:17 +0200 (Wed, 22 Apr 2009) | 4 lines In the cross-realm setup example in the admin documentation, use "addprinc" instead of "add_princ" since the latter is not a recognized alias for add_principal. Changed Files: U branches/krb5-1-7/doc/admin.texinfo Modified: branches/krb5-1-7/doc/admin.texinfo =================================================================== --- branches/krb5-1-7/doc/admin.texinfo 2009-05-26 09:41:46 UTC (rev 22387) +++ branches/krb5-1-7/doc/admin.texinfo 2009-05-26 09:41:54 UTC (rev 22388) @@ -3841,10 +3841,10 @@ @smallexample @group @b{shell%:} kadmin.local -e "des3-hmac-sha1:normal des-cbc-crc:v4" - at b{kadmin:} add_princ -requires_preauth krbtgt/@value{PRIMARYREALM}@@@value{SECONDREALM} + at b{kadmin:} addprinc -requires_preauth krbtgt/@value{PRIMARYREALM}@@@value{SECONDREALM} @b{Enter password for principal krbtgt/@value{PRIMARYREALM}@@@value{SECONDREALM}:} @b{Re-enter password for principal krbtgt/@value{PRIMARYREALM}@@@value{SECONDREALM}:} - at b{kadmin:} add_princ -requires_preauth krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALM} + at b{kadmin:} addprinc -requires_preauth krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALM} @b{Enter password for principal krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALM}:} @b{Enter password for principal krbtgt/@value{SECONDREALM}@@@value{PRIMARYREALM}:} @b{kadmin:} From tlyu at MIT.EDU Tue May 26 05:51:12 2009 
From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 26 May 2009 05:51:12 -0400 Subject: svn rev #22389: branches/krb5-1-7/ src/ Message-ID: <200905260951.n4Q9pCAW000944@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22389 Commit By: tlyu Log Message: readme and patchlevel for krb5-1.7-beta3 Changed Files: U branches/krb5-1-7/README U branches/krb5-1-7/src/patchlevel.h Modified: branches/krb5-1-7/README =================================================================== --- branches/krb5-1-7/README 2009-05-26 09:41:54 UTC (rev 22388) +++ branches/krb5-1-7/README 2009-05-26 09:51:12 UTC (rev 22389) @@ -124,7 +124,6 @@ ----------------------- 6481 kdb ldap integration removed rev/recurse kdb5_util dumps -6486 t_pac fails on SPARC Solaris 6487 gss_unwrap_iov fails in stream mode Changes by ticket ID @@ -506,6 +505,21 @@ 6483 man1 in title header for man1 manpages 6484 work around Heimdal not using subkey in TGS-REP 6485 document ok_as_delegate in admin.texinfo +6486 t_pac fails on SPARC Solaris +6488 NFS fails to work with KRB5 1.7 +6489 UCS2 support doesn't handle upper half of BMP +6490 Windows interop with RC4 TGS-REQ subkeys +6492 Remove spurious assertion in handle_authdata +6493 some fixes for 1.7 +6495 Fix test rules for non-gmake make versions +6496 Fix vector initialization error in KDC preauth code +6497 kinit/fast usage message +6498 spnego_mech.c syntax error under _GSS_STATIC_LINK +6499 use printf format attribute only with gcc +6500 use correct type for krb5_c_prf_length length arg +6501 Temporarily disable FAST PKINIT for 1.7 release +6502 typo in doc/api/krb5.tex +6503 typo in admin.texinfo Copyright and Other Legal Notices --------------------------------- Modified: branches/krb5-1-7/src/patchlevel.h =================================================================== --- branches/krb5-1-7/src/patchlevel.h 2009-05-26 09:41:54 UTC (rev 22388) +++ branches/krb5-1-7/src/patchlevel.h 2009-05-26 09:51:12 UTC (rev 22389) 
@@ -53,6 +53,6 @@ #define KRB5_MAJOR_RELEASE 1 #define KRB5_MINOR_RELEASE 7 #define KRB5_PATCHLEVEL 0 -#define KRB5_RELTAIL "beta2-postrelease" +#define KRB5_RELTAIL "beta3" /* #undef KRB5_RELDATE */ -#define KRB5_RELTAG "branches/krb5-1-7" +#define KRB5_RELTAG "tags/krb5-1-7-beta3" From tlyu at MIT.EDU Tue May 26 05:52:18 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 26 May 2009 05:52:18 -0400 Subject: svn rev #22390: tags/ Message-ID: <200905260952.n4Q9qIXJ001085@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22390 Commit By: tlyu Log Message: krb5-1.7-beta3 Changed Files: A tags/krb5-1-7-beta3/ Copied: tags/krb5-1-7-beta3 (from rev 22389, branches/krb5-1-7) From tlyu at MIT.EDU Tue May 26 05:53:44 2009 From: tlyu at MIT.EDU (tlyu@MIT.EDU) Date: Tue, 26 May 2009 05:53:44 -0400 Subject: svn rev #22391: branches/krb5-1-7/src/ Message-ID: <200905260953.n4Q9ri0G001208@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22391 Commit By: tlyu Log Message: krb5-1.7-beta3-postrelease Changed Files: U branches/krb5-1-7/src/patchlevel.h Modified: branches/krb5-1-7/src/patchlevel.h =================================================================== --- branches/krb5-1-7/src/patchlevel.h 2009-05-26 09:52:18 UTC (rev 22390) +++ branches/krb5-1-7/src/patchlevel.h 2009-05-26 09:53:43 UTC (rev 22391) @@ -53,6 +53,6 @@ #define KRB5_MAJOR_RELEASE 1 #define KRB5_MINOR_RELEASE 7 #define KRB5_PATCHLEVEL 0 -#define KRB5_RELTAIL "beta3" +#define KRB5_RELTAIL "beta3-postrelease" /* #undef KRB5_RELDATE */ -#define KRB5_RELTAG "tags/krb5-1-7-beta3" +#define KRB5_RELTAG "branches/krb5-1-7" From raeburn at MIT.EDU Wed May 27 16:03:47 2009 
From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Wed, 27 May 2009 16:03:47 -0400 Subject: svn rev #22392: trunk/src/lib/crypto/ Message-ID: <200905272003.n4RK3l5c015435@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22392 Commit By: raeburn Log Message: ticket: 6505 target_version: 1.7 tags: pullup subject: fix t_prf test code properly Correction to patch in r22364: "i" was used in two places, one of which required an int-sized value and the other of which required a size_t. Instead of changing the type, split the two uses into separate variables. Changed Files: U trunk/src/lib/crypto/t_prf.c Modified: trunk/src/lib/crypto/t_prf.c =================================================================== --- trunk/src/lib/crypto/t_prf.c 2009-05-26 09:53:43 UTC (rev 22391) +++ trunk/src/lib/crypto/t_prf.c 2009-05-27 20:03:46 UTC (rev 22392) @@ -40,7 +40,9 @@ krb5_data input, output; krb5_keyblock *key = NULL; unsigned int in_length; - size_t i; + unsigned int i; + size_t prfsz; + while (1) { krb5_enctype enctype; char s[1025]; @@ -65,17 +67,17 @@ input.data[in_length-lc] = (unsigned) (i&0xff); } input.length = in_length; - assert (krb5_c_prf_length(0, enctype, &i) == 0); - assert (output.data = malloc(i)); - output.length = i; + assert (krb5_c_prf_length(0, enctype, &prfsz) == 0); + assert (output.data = malloc(prfsz)); + output.length = prfsz; assert (krb5_c_prf(0, key, &input, &output) == 0); free (input.data); input.data = NULL; } - for (; i > 0; i--) { + for (; prfsz > 0; prfsz--) { printf ("%02x", - (unsigned int) ((unsigned char ) output.data[output.length-i])); + (unsigned int) ((unsigned char ) output.data[output.length-prfsz])); } printf ("\n"); From raeburn at MIT.EDU Wed May 27 16:08:28 2009 
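Review bot: `size_t prfsz;` is declared without an initial value, and the print loop in the following hunk (`for (; prfsz > 0; prfsz--)`) reads it after the block that assigns it has closed. If that block is conditional (its opening is outside both hunks), an input that skips it on the first pass makes the loop read an indeterminate value and index `output.data` with it. Initialising at the declaration, `size_t prfsz = 0;`, turns the loop into a no-op in that case.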
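Review bot: The rewritten lines in the `@@ -65,17 +67,17 @@` hunk keep their work inside `assert()`: `assert (krb5_c_prf_length(0, enctype, &prfsz) == 0);` and `assert (output.data = malloc(prfsz));` disappear entirely when the file is built with NDEBUG, leaving `prfsz` and `output.data` unset before `krb5_c_prf` and the print loop use them. Perform the call first and assert on the stored result, for example `output.data = malloc(prfsz); assert (output.data != NULL);`, and do the same for the two krb5_c_prf* calls. The enclosing function starts before the hunk and continues after it.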
From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Wed, 27 May 2009 16:08:28 -0400 Subject: svn rev #22393: trunk/src/lib/crypto/aes/ Message-ID: <200905272008.n4RK8SkP015763@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22393 Commit By: raeburn Log Message: Don't re-run test programs to recreate output every time 'check' is built. Changed Files: U trunk/src/lib/crypto/aes/Makefile.in Modified: trunk/src/lib/crypto/aes/Makefile.in =================================================================== --- trunk/src/lib/crypto/aes/Makefile.in 2009-05-27 20:03:46 UTC (rev 22392) +++ trunk/src/lib/crypto/aes/Makefile.in 2009-05-27 20:08:28 UTC (rev 22393) @@ -48,20 +48,22 @@ aes-gen: aes-gen.o $(GEN_OBJS) $(CC_LINK) -o aes-gen aes-gen.o $(GEN_OBJS) -run-aes-gen: aes-gen +kresults.out: aes-gen ./aes-gen > kresults.out -check:: run-aes-gen +check:: kresults.out aes-test: aes-test.$(OBJEXT) $(CRYPTO_DEPLIB) $(CC_LINK) -o aes-test aes-test.$(OBJEXT) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) check:: run-aes-test -run-aes-test: aes-test +run-aes-test: vk.txt vt.txt + cmp vk.txt $(srcdir)/expect-vk.txt + cmp vt.txt $(srcdir)/expect-vt.txt +vk.txt: aes-test $(RUN_SETUP) $(VALGRIND) ./aes-test -k > vk.txt - cmp vk.txt $(srcdir)/expect-vk.txt +vt.txt: $(RUN_SETUP) $(VALGRIND) ./aes-test > vt.txt - cmp vt.txt $(srcdir)/expect-vt.txt clean-unix:: clean-libobjs From raeburn at MIT.EDU Wed May 27 17:21:29 2009 
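Review bot: The new `vt.txt:` rule has no prerequisites, unlike `vk.txt: aes-test`, so it is never regenerated once the file exists, and under a parallel make its recipe can run `./aes-test` before the binary has been linked. Give it the same dependency: `vt.txt: aes-test`. Because both outputs are written by shell redirection, a failed or interrupted run also leaves a fresh but incomplete file that later `make check` runs treat as up to date; writing to a temporary name and renaming on success avoids that.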
From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Wed, 27 May 2009 17:21:29 -0400 Subject: svn rev #22394: trunk/src/lib/crypto/aes/ Message-ID: <200905272121.n4RLLTZm020423@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22394 Commit By: raeburn Log Message: Revert last change. Changed Files: U trunk/src/lib/crypto/aes/Makefile.in Modified: trunk/src/lib/crypto/aes/Makefile.in =================================================================== --- trunk/src/lib/crypto/aes/Makefile.in 2009-05-27 20:08:28 UTC (rev 22393) +++ trunk/src/lib/crypto/aes/Makefile.in 2009-05-27 21:21:29 UTC (rev 22394) @@ -48,22 +48,20 @@ aes-gen: aes-gen.o $(GEN_OBJS) $(CC_LINK) -o aes-gen aes-gen.o $(GEN_OBJS) -kresults.out: aes-gen +run-aes-gen: aes-gen ./aes-gen > kresults.out -check:: kresults.out +check:: run-aes-gen aes-test: aes-test.$(OBJEXT) $(CRYPTO_DEPLIB) $(CC_LINK) -o aes-test aes-test.$(OBJEXT) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) check:: run-aes-test -run-aes-test: vk.txt vt.txt - cmp vk.txt $(srcdir)/expect-vk.txt - cmp vt.txt $(srcdir)/expect-vt.txt -vk.txt: aes-test +run-aes-test: aes-test $(RUN_SETUP) $(VALGRIND) ./aes-test -k > vk.txt -vt.txt: + cmp vk.txt $(srcdir)/expect-vk.txt $(RUN_SETUP) $(VALGRIND) ./aes-test > vt.txt + cmp vt.txt $(srcdir)/expect-vt.txt clean-unix:: clean-libobjs From raeburn at MIT.EDU Sat May 30 01:36:53 2009 
From: raeburn at MIT.EDU (raeburn@MIT.EDU) Date: Sat, 30 May 2009 01:36:53 -0400 Subject: svn rev #22395: trunk/src/plugins/kdb/ldap/ldap_util/ Message-ID: <200905300536.n4U5arFj000878@drugstore.mit.edu> http://src.mit.edu/fisheye/changelog/krb5/?cs=22395 Commit By: raeburn Log Message: Fix minor bug in r21269 - wrong field name. Changed Files: U trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c Modified: trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c =================================================================== --- trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c 2009-05-27 21:21:29 UTC (rev 22394) +++ trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c 2009-05-30 05:36:52 UTC (rev 22395) @@ -1725,7 +1725,7 @@ free(hex.data); goto cleanup; } - encrypted_passwd.data = (unsigned char *)str; + encrypted_passwd.value = (unsigned char *)str; encrypted_passwd.len = strlen(str); memset(hex.data, 0, hex.length); free(hex.data);
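Review bot: The error path at the top of this hunk calls `free(hex.data)` and jumps to `cleanup` without clearing the buffer, while the success path just below wipes it with `memset(hex.data, 0, hex.length)` before freeing. If `hex` holds the hex-encoded service password, as the `encrypted_passwd` assignment next to it suggests, the early exit should wipe it as well, with `memset(hex.data, 0, hex.length);` ahead of that `free`. A plain memset directly before free is also a candidate for dead-store elimination, so a wipe routine the compiler cannot drop is preferable at both sites. The condition guarding the early exit and the rest of the function are outside the hunk.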