From rt-comment at krbdev.mit.edu Thu Jan 1 20:40:48 2009 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Fri, 2 Jan 2009 01:40:48 +0000 (UTC) Subject: [krbdev.mit.edu #5947] SVN Commit In-Reply-To: Message-ID: Rewrite walk_rtree.c to handle hierarchical traversal better and to be less convoluted. Update test cases. http://src.mit.edu/fisheye/changelog/krb5/?cs=21659 Commit By: tlyu Revision: 21659 Changed Files: U trunk/src/lib/krb5/krb/Makefile.in U trunk/src/lib/krb5/krb/walk_rtree.c U trunk/src/lib/krb5/krb/walktree-tests From rt-comment at krbdev.mit.edu Fri Jan 2 21:15:02 2009 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Sat, 3 Jan 2009 02:15:02 +0000 (UTC) Subject: [krbdev.mit.edu #3217] move strlen out of loop to improve performance In-Reply-To: Message-ID: Fixed at some indeterminate point in the past. From rt-comment at krbdev.mit.edu Fri Jan 2 21:37:46 2009 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Sat, 3 Jan 2009 02:37:46 +0000 (UTC) Subject: [krbdev.mit.edu #1632] testsuite should check kadmin -k In-Reply-To: Message-ID: We are deprecating the get_in_tkt APIs so this doesn't badly need doing. From rt-comment at krbdev.mit.edu Fri Jan 2 21:52:29 2009 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Sat, 3 Jan 2009 02:52:29 +0000 (UTC) Subject: [krbdev.mit.edu #6312] kg_ctx_internalize() gets some ordering wrong In-Reply-To: Message-ID: Return-Path: Received: from po9.mit.edu ([unix socket]) by po9.mit.edu (Cyrus v2.1.5) with LMTP; Wed, 24 Dec 2008 01:15:07 -0500 X-Sieve: CMU Sieve 2.2 Received: from central-city-carrier-station.mit.edu by po9.mit.edu (8.13.6/4.7) id mBO6F6Ym021388; Wed, 24 Dec 2008 01:15:06 -0500 (EST) Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by central-city-carrier-station.mit.edu (8.13.6/8.9.2) with ESMTP id mBO6Ev5i003458; Wed, 24 Dec 2008 01:14:58 -0500 (EST) Received: from pch.mit.edu (pch.mit.edu [127.0.0.1]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id mBO6EvDu005698; Wed, 24 Dec 2008 01:14:57 -0500 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.13.6/8.12.8) with ESMTP id mBO6EvWU005692 for ; Wed, 24 Dec 2008 01:14:57 -0500 Received: from mit.edu (M24-004-BARRACUDA-3.MIT.EDU [18.7.7.114]) by pacific-carrier-annex.mit.edu (8.13.6/8.9.2) with ESMTP id mBO6EVL1003975 for ; Wed, 24 Dec 2008 01:14:31 -0500 (EST) Received: from mail-fx0-f20.google.com (mail-fx0-f20.google.com [209.85.220.20]) by mit.edu (Spam Firewall) with ESMTP id B93BC123F6B3 for ; Wed, 24 Dec 2008 01:14:10 -0500 (EST) Received: by fxm13 with SMTP id 13so614100fxm.6 for ; Tue, 23 Dec 2008 22:14:10 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:mime-version:content-type; bh=cAnXg3u8XqTrzj7rHwMwElhj5+qzPXOII6aU7zZxkbQ=; b=f1Bl+NpLY9x7AlBbsd62E+tNnAAZ2/Z3b3jH/IYGoXAg9GB0R61fCALXBfDg4Zfcy9 7eElfqOwOqr8VMuq5H3pwvXXxwwjETkwvrMAQ6k5W77znBPiGSt3uFY75YDkZCE49CAB qrkv0hIBd2Yf1OuFcw5UxTXhPN5SfwdGRwoeI= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:mime-version:content-type; b=EERXjN49K2Cx+nLvFgQKHBsMgx5xU46Lq2zYtcAetn76CtW0LNX4B0zxBR4S520qv9 ExQx5GCNxu8Kgi9fS4/3GMfkUwNgNt+0KOcjhkYYWub/+HIEGWa5FIfXcjzBKw4hOU/z YgOD3wqtjPsmKVWZl3m8cYZ9pvqW2eA2iYY08= Received: by 10.181.33.8 with SMTP id l8mr3008733bkj.155.1230097741214; Tue, 23 Dec 2008 21:49:01 -0800 (PST) Received: by 10.181.22.19 with HTTP; Tue, 23 Dec 2008 21:49:01 -0800 (PST) Message-ID: <9549b1d80812232149k375130cic12bed9585025add at mail.gmail.com> Date: Wed, 24 Dec 2008 11:19:01 +0530 From: "Sachin Punadikar" To: krbdev at mit.edu Subject: Possible bug in "kg_ctx_internalize()" function in MIT 1.6.3 X-Spam-Score: -2.599 X-Spam-Flag: NO X-Scanned-By: MIMEDefang 2.42 X-Content-Filtered-By: Mailman/MimeDel 2.1.6 X-BeenThere: krbdev at mit.edu X-Mailman-Version: 2.1.6 Precedence: list List-Id: Kerberos Developers Mailing List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: krbdev-bounces at MIT.EDU Errors-To: krbdev-bounces at MIT.EDU Lines: 53 MIME-Version: 1.0 Hi, I think, people from krbdev mailing list might have answer to below Awaiting clarification. Thanks. - Sachin ---------- Forwarded message ---------- From: Sachin Punadikar Date: Mon, Dec 1, 2008 at 3:33 PM Subject: kg_ctx_internalize() function in MIT 1.6.3 To: kerberos at mit.edu Hello, I was going through the gssapi MIT krb1.6.3 code and I feel there is a possible bug in kg_ctx_internalize() function defined in src/lib/gssapi/krb5/ser_sctx.c file. As I understand the function should unpack entities in the same order in which they were packed by kg_ctx_externalize() function. But it misses the order while unpacking the last two structure variables as shown below. Since acceptor_subkey_cksumtype was packed before cred_rcache and also occurs before in the _krb5_gss_cred_id_rec structure definition, acceptor_subkey_cksumtype should be unpacked BEFORE cred_rcache, else the values will get swapped. Current Code in kg_ctx_internalize() function: if (!kret) kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); ctx->cred_rcache = ibuf; if (!kret) kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); ctx->acceptor_subkey_cksumtype = ibuf; Proposed Code in kg_ctx_internalize() function with change in sequence while unpacking: if (!kret) kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); ctx->acceptor_subkey_cksumtype = ibuf; if (!kret) kret = krb5_ser_unpack_int32(&ibuf, &bp, &remain); ctx->cred_rcache = ibuf; Kindly let me know if this is valid. - Sachin _______________________________________________ krbdev mailing list krbdev at mit.edu https://mailman.mit.edu/mailman/listinfo/krbdev From rt-comment at krbdev.mit.edu Fri Jan 2 22:02:56 2009 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Sat, 3 Jan 2009 03:02:56 +0000 (UTC) Subject: [krbdev.mit.edu #6312] kg_ctx_internalize() gets some ordering wrong In-Reply-To: Message-ID: r21558 http://src.mit.edu/fisheye/changelog/krb5/branches/mskrb-integ?cs=21558 Contains a fix but it is tied to some other work that Luke is doing. From rt-comment at krbdev.mit.edu Sat Jan 3 18:20:09 2009 From: rt-comment at krbdev.mit.edu (Sam Hartman via RT) Date: Sat, 3 Jan 2009 23:20:09 +0000 (UTC) Subject: [krbdev.mit.edu #6313] SVN Commit In-Reply-To: Message-ID: The mskrb-integ branch includes support for the following projects: Projects/Aliases * Projects/PAC and principal APIs * Projects/AEAD encryption API * Projects/GSSAPI DCE * Projects/RFC 3244 In addition, it includes support for enctype negotiation, and a variety of GSS-API extensions. In the KDC it includes support for protocol transition, constrained delegation and a new authorization data interface. The old authorization data interface is also supported. This commit merges the mskrb-integ branch on to the trunk. Additional review and testing is required. Merge commit 'mskrb-integ' into trunk http://src.mit.edu/fisheye/changelog/krb5/?cs=21690 Commit By: hartmans Revision: 21690 Changed Files: U trunk/README U trunk/doc/copyright.texinfo U trunk/src/Makefile.in U trunk/src/appl/gssftp/ftp/Makefile.in U trunk/src/appl/gssftp/ftpd/Makefile.in U trunk/src/clients/kinit/kinit.c U trunk/src/clients/kvno/kvno.c U trunk/src/config/pre.in A trunk/src/config-files/mech U trunk/src/configure.in U trunk/src/include/Makefile.in U trunk/src/include/k5-int.h U trunk/src/include/k5-plugin.h A trunk/src/include/k5-unicode.h A trunk/src/include/k5-utf8.h U trunk/src/include/kdb.h A trunk/src/include/kdb_ext.h U trunk/src/include/krb5/authdata_plugin.h U trunk/src/include/krb5/krb5.hin U trunk/src/include/osconf.hin U trunk/src/kadmin/cli/kadmin.c U trunk/src/kadmin/passwd/Makefile.in U trunk/src/kadmin/server/Makefile.in U trunk/src/kadmin/server/misc.c U trunk/src/kadmin/server/misc.h A trunk/src/kadmin/server/network.c U trunk/src/kadmin/server/ovsec_kadmd.c U trunk/src/kadmin/server/schpw.c U trunk/src/kadmin/testing/util/Makefile.in U trunk/src/kdc/Makefile.in U trunk/src/kdc/do_as_req.c U trunk/src/kdc/do_tgs_req.c U trunk/src/kdc/extern.c U trunk/src/kdc/extern.h U trunk/src/kdc/kdc_authdata.c U trunk/src/kdc/kdc_preauth.c U trunk/src/kdc/kdc_util.c U trunk/src/kdc/kdc_util.h U trunk/src/kdc/main.c U trunk/src/kdc/network.c U trunk/src/kdc/policy.c U trunk/src/lib/crypto/Makefile.in U trunk/src/lib/crypto/aead.c U trunk/src/lib/crypto/arcfour/Makefile.in U trunk/src/lib/crypto/arcfour/arcfour_aead.c U trunk/src/lib/crypto/arcfour/arcfour_s2k.c U trunk/src/lib/crypto/cksumtypes.c U trunk/src/lib/crypto/des/Makefile.in U trunk/src/lib/crypto/des/d3_aead.c U trunk/src/lib/crypto/des/des_int.h A trunk/src/lib/crypto/des/f_aead.c U trunk/src/lib/crypto/dk/checksum.c U trunk/src/lib/crypto/dk/dk.h U trunk/src/lib/crypto/dk/dk_aead.c U trunk/src/lib/crypto/enc_provider/Makefile.in U trunk/src/lib/crypto/enc_provider/aes.c U trunk/src/lib/crypto/enc_provider/des.c U trunk/src/lib/crypto/enc_provider/enc_provider.h U trunk/src/lib/crypto/etypes.c U trunk/src/lib/crypto/hmac.c U trunk/src/lib/crypto/keyhash_provider/Makefile.in U trunk/src/lib/crypto/keyhash_provider/keyhash_provider.h A trunk/src/lib/crypto/keyhash_provider/md5_hmac.c U trunk/src/lib/crypto/libk5crypto.exports U trunk/src/lib/crypto/make_checksum.c U trunk/src/lib/crypto/make_checksum_iov.c U trunk/src/lib/crypto/raw/Makefile.in U trunk/src/lib/crypto/raw/raw.h A trunk/src/lib/crypto/raw/raw_aead.c U trunk/src/lib/crypto/verify_checksum.c U trunk/src/lib/crypto/verify_checksum_iov.c U trunk/src/lib/gssapi/Makefile.in U trunk/src/lib/gssapi/generic/Makefile.in U trunk/src/lib/gssapi/generic/disp_com_err_status.c U trunk/src/lib/gssapi/generic/gssapi.hin U trunk/src/lib/gssapi/generic/gssapiP_generic.h A trunk/src/lib/gssapi/generic/gssapi_ext.h U trunk/src/lib/gssapi/generic/gssapi_generic.c U trunk/src/lib/gssapi/generic/gssapi_generic.h A trunk/src/lib/gssapi/generic/oid_ops.c A trunk/src/lib/gssapi/generic/util_buffer_set.c U trunk/src/lib/gssapi/generic/util_token.c U trunk/src/lib/gssapi/generic/util_validate.c D trunk/src/lib/gssapi/gss_libinit.c D trunk/src/lib/gssapi/gss_libinit.h U trunk/src/lib/gssapi/krb5/Makefile.in U trunk/src/lib/gssapi/krb5/accept_sec_context.c U trunk/src/lib/gssapi/krb5/acquire_cred.c U trunk/src/lib/gssapi/krb5/canon_name.c U trunk/src/lib/gssapi/krb5/context_time.c U trunk/src/lib/gssapi/krb5/copy_ccache.c U trunk/src/lib/gssapi/krb5/delete_sec_context.c U trunk/src/lib/gssapi/krb5/disp_status.c U trunk/src/lib/gssapi/krb5/export_name.c U trunk/src/lib/gssapi/krb5/export_sec_context.c U trunk/src/lib/gssapi/krb5/get_tkt_flags.c U trunk/src/lib/gssapi/krb5/gssapiP_krb5.h U trunk/src/lib/gssapi/krb5/gssapi_krb5.c U trunk/src/lib/gssapi/krb5/gssapi_krb5.hin U trunk/src/lib/gssapi/krb5/import_sec_context.c U trunk/src/lib/gssapi/krb5/indicate_mechs.c U trunk/src/lib/gssapi/krb5/init_sec_context.c U trunk/src/lib/gssapi/krb5/inq_context.c U trunk/src/lib/gssapi/krb5/inq_cred.c U trunk/src/lib/gssapi/krb5/inq_names.c U trunk/src/lib/gssapi/krb5/k5seal.c A trunk/src/lib/gssapi/krb5/k5sealiov.c U trunk/src/lib/gssapi/krb5/k5sealv3.c A trunk/src/lib/gssapi/krb5/k5sealv3iov.c U trunk/src/lib/gssapi/krb5/k5unseal.c A trunk/src/lib/gssapi/krb5/k5unsealiov.c U trunk/src/lib/gssapi/krb5/krb5_gss_glue.c U trunk/src/lib/gssapi/krb5/lucid_context.c U trunk/src/lib/gssapi/krb5/seal.c U trunk/src/lib/gssapi/krb5/ser_sctx.c U trunk/src/lib/gssapi/krb5/set_allowable_enctypes.c U trunk/src/lib/gssapi/krb5/set_ccache.c U trunk/src/lib/gssapi/krb5/sign.c U trunk/src/lib/gssapi/krb5/unseal.c U trunk/src/lib/gssapi/krb5/util_cksum.c U trunk/src/lib/gssapi/krb5/util_crypt.c U trunk/src/lib/gssapi/krb5/util_seqnum.c U trunk/src/lib/gssapi/krb5/verify.c U trunk/src/lib/gssapi/krb5/wrap_size_limit.c U trunk/src/lib/gssapi/libgssapi_krb5.exports U trunk/src/lib/gssapi/mechglue/Makefile.in U trunk/src/lib/gssapi/mechglue/g_accept_sec_context.c U trunk/src/lib/gssapi/mechglue/g_acquire_cred.c A trunk/src/lib/gssapi/mechglue/g_buffer_set.c U trunk/src/lib/gssapi/mechglue/g_compare_name.c A trunk/src/lib/gssapi/mechglue/g_complete_auth_token.c U trunk/src/lib/gssapi/mechglue/g_context_time.c U trunk/src/lib/gssapi/mechglue/g_delete_sec_context.c U trunk/src/lib/gssapi/mechglue/g_dsp_status.c U trunk/src/lib/gssapi/mechglue/g_exp_sec_context.c U trunk/src/lib/gssapi/mechglue/g_export_name.c A trunk/src/lib/gssapi/mechglue/g_export_name_object.c U trunk/src/lib/gssapi/mechglue/g_glue.c U trunk/src/lib/gssapi/mechglue/g_imp_name.c A trunk/src/lib/gssapi/mechglue/g_imp_name_object.c U trunk/src/lib/gssapi/mechglue/g_imp_sec_context.c U trunk/src/lib/gssapi/mechglue/g_init_sec_context.c U trunk/src/lib/gssapi/mechglue/g_initialize.c U trunk/src/lib/gssapi/mechglue/g_inq_context.c A trunk/src/lib/gssapi/mechglue/g_inq_context_oid.c U trunk/src/lib/gssapi/mechglue/g_inq_cred.c A trunk/src/lib/gssapi/mechglue/g_inq_cred_oid.c U trunk/src/lib/gssapi/mechglue/g_inq_names.c A trunk/src/lib/gssapi/mechglue/g_mech_invoke.c U trunk/src/lib/gssapi/mechglue/g_oid_ops.c U trunk/src/lib/gssapi/mechglue/g_process_context.c U trunk/src/lib/gssapi/mechglue/g_rel_cred.c U trunk/src/lib/gssapi/mechglue/g_rel_name.c U trunk/src/lib/gssapi/mechglue/g_rel_oid_set.c U trunk/src/lib/gssapi/mechglue/g_seal.c A trunk/src/lib/gssapi/mechglue/g_set_context_option.c A trunk/src/lib/gssapi/mechglue/g_set_cred_option.c U trunk/src/lib/gssapi/mechglue/g_sign.c U trunk/src/lib/gssapi/mechglue/g_store_cred.c U trunk/src/lib/gssapi/mechglue/g_unseal.c A trunk/src/lib/gssapi/mechglue/g_unwrap_aead.c A trunk/src/lib/gssapi/mechglue/g_unwrap_iov.c A trunk/src/lib/gssapi/mechglue/g_userok.c U trunk/src/lib/gssapi/mechglue/g_verify.c A trunk/src/lib/gssapi/mechglue/g_wrap_aead.c A trunk/src/lib/gssapi/mechglue/g_wrap_iov.c A trunk/src/lib/gssapi/mechglue/gssd_pname_to_uid.c D trunk/src/lib/gssapi/mechglue/mech.conf U trunk/src/lib/gssapi/mechglue/mechglue.h U trunk/src/lib/gssapi/mechglue/mglueP.h D trunk/src/lib/gssapi/mechglue/oid_ops.c U trunk/src/lib/gssapi/spnego/Makefile.in U trunk/src/lib/gssapi/spnego/gssapiP_spnego.h A trunk/src/lib/gssapi/spnego/mech_spnego.exports U trunk/src/lib/gssapi/spnego/spnego_mech.c U trunk/src/lib/kadm5/Makefile.in U trunk/src/lib/kadm5/clnt/Makefile.in U trunk/src/lib/kadm5/srv/Makefile.in U trunk/src/lib/kadm5/srv/libkadm5srv.exports U trunk/src/lib/kadm5/srv/server_acl.c U trunk/src/lib/kadm5/srv/server_acl.h U trunk/src/lib/kadm5/srv/server_dict.c U trunk/src/lib/kadm5/srv/svr_principal.c U trunk/src/lib/kadm5/unit-test/Makefile.in U trunk/src/lib/kdb/Makefile.in U trunk/src/lib/kdb/decrypt_key.c U trunk/src/lib/kdb/encrypt_key.c U trunk/src/lib/kdb/kdb5.c U trunk/src/lib/kdb/kdb5.h U trunk/src/lib/kdb/libkdb5.exports U trunk/src/lib/krb5/Makefile.in U trunk/src/lib/krb5/asn.1/asn1_decode.c U trunk/src/lib/krb5/asn.1/asn1_decode.h U trunk/src/lib/krb5/asn.1/asn1_encode.c U trunk/src/lib/krb5/asn.1/asn1_encode.h U trunk/src/lib/krb5/asn.1/asn1_k_decode.c U trunk/src/lib/krb5/asn.1/asn1_k_decode.h U trunk/src/lib/krb5/asn.1/asn1_k_encode.c U trunk/src/lib/krb5/asn.1/krb5_decode.c U trunk/src/lib/krb5/asn.1/krbasn1.h U trunk/src/lib/krb5/error_tables/krb5_err.et U trunk/src/lib/krb5/krb/Makefile.in U trunk/src/lib/krb5/krb/addr_srch.c U trunk/src/lib/krb5/krb/auth_con.c U trunk/src/lib/krb5/krb/auth_con.h U trunk/src/lib/krb5/krb/bld_princ.c U trunk/src/lib/krb5/krb/copy_auth.c U trunk/src/lib/krb5/krb/gc_frm_kdc.c U trunk/src/lib/krb5/krb/gc_via_tkt.c U trunk/src/lib/krb5/krb/gen_subkey.c U trunk/src/lib/krb5/krb/get_creds.c U trunk/src/lib/krb5/krb/get_in_tkt.c U trunk/src/lib/krb5/krb/gic_opt.c U trunk/src/lib/krb5/krb/int-proto.h U trunk/src/lib/krb5/krb/kfree.c U trunk/src/lib/krb5/krb/mk_cred.c U trunk/src/lib/krb5/krb/mk_rep.c U trunk/src/lib/krb5/krb/mk_req_ext.c A trunk/src/lib/krb5/krb/pac.c U trunk/src/lib/krb5/krb/parse.c U trunk/src/lib/krb5/krb/princ_comp.c U trunk/src/lib/krb5/krb/rd_priv.c U trunk/src/lib/krb5/krb/rd_rep.c U trunk/src/lib/krb5/krb/rd_req.c U trunk/src/lib/krb5/krb/rd_req_dec.c U trunk/src/lib/krb5/krb/serialize.c U trunk/src/lib/krb5/krb/unparse.c U trunk/src/lib/krb5/krb/valid_times.c U trunk/src/lib/krb5/libkrb5.exports U trunk/src/lib/krb5/os/accessor.c U trunk/src/lib/krb5/os/init_os_ctx.c U trunk/src/lib/krb5/os/sn2princ.c U trunk/src/lib/krb5/os/timeofday.c A trunk/src/lib/krb5/unicode/ A trunk/src/lib/krb5/unicode/CompositionExclusions.txt A trunk/src/lib/krb5/unicode/Makefile.in A trunk/src/lib/krb5/unicode/UCD-Terms A trunk/src/lib/krb5/unicode/UnicodeData.txt A trunk/src/lib/krb5/unicode/ucdata/ A trunk/src/lib/krb5/unicode/ucdata/MUTTUCData.txt A trunk/src/lib/krb5/unicode/ucdata/README A trunk/src/lib/krb5/unicode/ucdata/api.txt A trunk/src/lib/krb5/unicode/ucdata/bidiapi.txt A trunk/src/lib/krb5/unicode/ucdata/format.txt A trunk/src/lib/krb5/unicode/ucdata/ucdata.c A trunk/src/lib/krb5/unicode/ucdata/ucdata.h A trunk/src/lib/krb5/unicode/ucdata/ucdata.man A trunk/src/lib/krb5/unicode/ucdata/ucgendat.c A trunk/src/lib/krb5/unicode/ucdata/ucpgba.c A trunk/src/lib/krb5/unicode/ucdata/ucpgba.h A trunk/src/lib/krb5/unicode/ucdata/ucpgba.man A trunk/src/lib/krb5/unicode/ucdata/uctable.h A trunk/src/lib/krb5/unicode/ucstr.c A trunk/src/lib/krb5/unicode/ure/ A trunk/src/lib/krb5/unicode/ure/README A trunk/src/lib/krb5/unicode/ure/ure.c A trunk/src/lib/krb5/unicode/ure/ure.h A trunk/src/lib/krb5/unicode/ure/urestubs.c A trunk/src/lib/krb5/unicode/utbm/ A trunk/src/lib/krb5/unicode/utbm/README A trunk/src/lib/krb5/unicode/utbm/utbm.c A trunk/src/lib/krb5/unicode/utbm/utbm.h A trunk/src/lib/krb5/unicode/utbm/utbmstub.c U trunk/src/lib/rpc/Makefile.in U trunk/src/patchlevel.h U trunk/src/plugins/authdata/greet/greet_auth.c U trunk/src/plugins/kdb/db2/Makefile.in U trunk/src/plugins/kdb/db2/db2_exp.c U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c U trunk/src/util/ss/Makefile.in U trunk/src/util/support/Makefile.in U trunk/src/util/support/libkrb5support-fixed.exports A trunk/src/util/support/utf8.c A trunk/src/util/support/utf8_conv.c From rt-comment at krbdev.mit.edu Mon Jan 5 11:21:30 2009 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Mon, 5 Jan 2009 16:21:30 +0000 (UTC) Subject: [krbdev.mit.edu #514] KDC doesn't notice issuing of krb4 in_tkt w/o krb4 salt In-Reply-To: Message-ID: Irrelevant due to krb4 removal. From rt-comment at krbdev.mit.edu Mon Jan 5 13:29:22 2009 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Mon, 5 Jan 2009 18:29:22 +0000 (UTC) Subject: [krbdev.mit.edu #6314] python configuration In-Reply-To: Message-ID: The Python-based sample service-location plugin was hard-coded to use Python 2.3, and now handles 2.5 as well. It should instead look for the python-config program, and use whatever is installed, with the appropriate compilation and linker options for that version. From rt-comment at krbdev.mit.edu Mon Jan 5 15:28:08 2009 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Mon, 5 Jan 2009 20:28:08 +0000 (UTC) Subject: [krbdev.mit.edu #6315] SVN Commit In-Reply-To: Message-ID: Move automatically-generated dependencies into separate files in the source tree, and take the data out of Makefile.in. Keep the "make depend" rules for stripping out the dependencies from Makefile.in, in case some optional directories were missed, but everything that builds on my UNIX build has been converted. (Converting a directory just requires creating an empty "deps" file so that config.status can build the makefile, and then later running "make depend" in that directory to get the correct content for it.) Change configure scripts to incorporate the "deps" file when building each Makefile. This change requires the existence of a file "deps" in each source directory where we build a makefile, even if there are no sources for which to compute dependencies; a switch to GNU make would let us conditionalize that, but we can assess that later. Update dependencies for the generate Makefile itself to list the deps file. This will also require some minor tweaking of the Windows build, to make it incorporate the new deps file. http://src.mit.edu/fisheye/changelog/krb5/?cs=21701 Commit By: raeburn Revision: 21701 Changed Files: U trunk/src/aclocal.m4 U trunk/src/appl/bsd/Makefile.in A trunk/src/appl/bsd/deps A trunk/src/appl/deps U trunk/src/appl/gss-sample/Makefile.in A trunk/src/appl/gss-sample/deps A trunk/src/appl/gssftp/deps U trunk/src/appl/gssftp/ftp/Makefile.in A trunk/src/appl/gssftp/ftp/deps U trunk/src/appl/gssftp/ftpd/Makefile.in A trunk/src/appl/gssftp/ftpd/deps U trunk/src/appl/libpty/Makefile.in A trunk/src/appl/libpty/deps A trunk/src/appl/sample/deps A trunk/src/appl/sample/sclient/deps A trunk/src/appl/sample/sserver/deps A trunk/src/appl/simple/client/deps A trunk/src/appl/simple/deps A trunk/src/appl/simple/server/deps A trunk/src/appl/telnet/deps U trunk/src/appl/telnet/libtelnet/Makefile.in A trunk/src/appl/telnet/libtelnet/deps U trunk/src/appl/telnet/telnet/Makefile.in A trunk/src/appl/telnet/telnet/deps U trunk/src/appl/telnet/telnetd/Makefile.in A trunk/src/appl/telnet/telnetd/deps A trunk/src/appl/user_user/deps A trunk/src/clients/deps U trunk/src/clients/kdestroy/Makefile.in A trunk/src/clients/kdestroy/deps U trunk/src/clients/kinit/Makefile.in A trunk/src/clients/kinit/deps U trunk/src/clients/klist/Makefile.in A trunk/src/clients/klist/deps U trunk/src/clients/kpasswd/Makefile.in A trunk/src/clients/kpasswd/deps U trunk/src/clients/ksu/Makefile.in A trunk/src/clients/ksu/deps U trunk/src/clients/kvno/Makefile.in A trunk/src/clients/kvno/deps U trunk/src/config/post.in A trunk/src/config-files/deps A trunk/src/deps A trunk/src/gen-manpages/deps A trunk/src/include/deps U trunk/src/kadmin/cli/Makefile.in A trunk/src/kadmin/cli/deps U trunk/src/kadmin/dbutil/Makefile.in A trunk/src/kadmin/dbutil/deps A trunk/src/kadmin/deps U trunk/src/kadmin/ktutil/Makefile.in A trunk/src/kadmin/ktutil/deps U trunk/src/kadmin/passwd/Makefile.in A trunk/src/kadmin/passwd/deps A trunk/src/kadmin/passwd/unit-test/deps U trunk/src/kadmin/server/Makefile.in A trunk/src/kadmin/server/deps A trunk/src/kadmin/testing/deps A trunk/src/kadmin/testing/scripts/deps U trunk/src/kadmin/testing/util/Makefile.in A trunk/src/kadmin/testing/util/deps U trunk/src/kdc/Makefile.in A trunk/src/kdc/deps U trunk/src/lib/apputils/Makefile.in A trunk/src/lib/apputils/deps U trunk/src/lib/crypto/Makefile.in U trunk/src/lib/crypto/aes/Makefile.in A trunk/src/lib/crypto/aes/deps U trunk/src/lib/crypto/arcfour/Makefile.in A trunk/src/lib/crypto/arcfour/deps U trunk/src/lib/crypto/crc32/Makefile.in A trunk/src/lib/crypto/crc32/deps A trunk/src/lib/crypto/deps U trunk/src/lib/crypto/des/Makefile.in A trunk/src/lib/crypto/des/deps U trunk/src/lib/crypto/dk/Makefile.in A trunk/src/lib/crypto/dk/deps U trunk/src/lib/crypto/enc_provider/Makefile.in A trunk/src/lib/crypto/enc_provider/deps U trunk/src/lib/crypto/hash_provider/Makefile.in A trunk/src/lib/crypto/hash_provider/deps U trunk/src/lib/crypto/keyhash_provider/Makefile.in A trunk/src/lib/crypto/keyhash_provider/deps U trunk/src/lib/crypto/md4/Makefile.in A trunk/src/lib/crypto/md4/deps U trunk/src/lib/crypto/md5/Makefile.in A trunk/src/lib/crypto/md5/deps U trunk/src/lib/crypto/old/Makefile.in A trunk/src/lib/crypto/old/deps U trunk/src/lib/crypto/raw/Makefile.in A trunk/src/lib/crypto/raw/deps U trunk/src/lib/crypto/sha1/Makefile.in A trunk/src/lib/crypto/sha1/deps U trunk/src/lib/crypto/yarrow/Makefile.in A trunk/src/lib/crypto/yarrow/deps A trunk/src/lib/deps U trunk/src/lib/gssapi/Makefile.in A trunk/src/lib/gssapi/deps U trunk/src/lib/gssapi/generic/Makefile.in A trunk/src/lib/gssapi/generic/deps U trunk/src/lib/gssapi/krb5/Makefile.in A trunk/src/lib/gssapi/krb5/deps U trunk/src/lib/gssapi/mechglue/Makefile.in A trunk/src/lib/gssapi/mechglue/deps U trunk/src/lib/gssapi/spnego/Makefile.in A trunk/src/lib/gssapi/spnego/deps U trunk/src/lib/kadm5/Makefile.in U trunk/src/lib/kadm5/clnt/Makefile.in A trunk/src/lib/kadm5/clnt/deps A trunk/src/lib/kadm5/deps U trunk/src/lib/kadm5/srv/Makefile.in A trunk/src/lib/kadm5/srv/deps U trunk/src/lib/kadm5/unit-test/Makefile.in A trunk/src/lib/kadm5/unit-test/deps U trunk/src/lib/kdb/Makefile.in A trunk/src/lib/kdb/deps U trunk/src/lib/krb5/Makefile.in U trunk/src/lib/krb5/asn.1/Makefile.in A trunk/src/lib/krb5/asn.1/deps U trunk/src/lib/krb5/ccache/Makefile.in A trunk/src/lib/krb5/ccache/deps A trunk/src/lib/krb5/deps U trunk/src/lib/krb5/error_tables/Makefile.in A trunk/src/lib/krb5/error_tables/deps U trunk/src/lib/krb5/keytab/Makefile.in A trunk/src/lib/krb5/keytab/deps U trunk/src/lib/krb5/krb/Makefile.in A trunk/src/lib/krb5/krb/deps U trunk/src/lib/krb5/os/Makefile.in A trunk/src/lib/krb5/os/deps U trunk/src/lib/krb5/rcache/Makefile.in A trunk/src/lib/krb5/rcache/deps U trunk/src/lib/krb5/unicode/Makefile.in A trunk/src/lib/krb5/unicode/deps U trunk/src/lib/rpc/Makefile.in A trunk/src/lib/rpc/deps U trunk/src/lib/rpc/unit-test/Makefile.in A trunk/src/lib/rpc/unit-test/deps U trunk/src/plugins/authdata/greet/Makefile.in A trunk/src/plugins/authdata/greet/deps U trunk/src/plugins/kdb/db2/Makefile.in A trunk/src/plugins/kdb/db2/deps U trunk/src/plugins/kdb/db2/libdb2/btree/Makefile.in A trunk/src/plugins/kdb/db2/libdb2/btree/deps U trunk/src/plugins/kdb/db2/libdb2/db/Makefile.in A trunk/src/plugins/kdb/db2/libdb2/db/deps A trunk/src/plugins/kdb/db2/libdb2/deps U trunk/src/plugins/kdb/db2/libdb2/hash/Makefile.in A trunk/src/plugins/kdb/db2/libdb2/hash/deps U trunk/src/plugins/kdb/db2/libdb2/mpool/Makefile.in A trunk/src/plugins/kdb/db2/libdb2/mpool/deps U trunk/src/plugins/kdb/db2/libdb2/recno/Makefile.in A trunk/src/plugins/kdb/db2/libdb2/recno/deps A trunk/src/plugins/kdb/db2/libdb2/test/deps U trunk/src/plugins/kdb/ldap/Makefile.in A trunk/src/plugins/kdb/ldap/deps A trunk/src/plugins/kdb/ldap/ldap_util/deps U trunk/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in A trunk/src/plugins/kdb/ldap/libkdb_ldap/deps U trunk/src/plugins/locate/python/Makefile.in A trunk/src/plugins/locate/python/deps U trunk/src/plugins/preauth/cksum_body/Makefile.in A trunk/src/plugins/preauth/cksum_body/deps U trunk/src/plugins/preauth/pkinit/Makefile.in A trunk/src/plugins/preauth/pkinit/deps U trunk/src/plugins/preauth/wpse/Makefile.in A trunk/src/plugins/preauth/wpse/deps U trunk/src/slave/Makefile.in A trunk/src/slave/deps U trunk/src/tests/asn.1/Makefile.in A trunk/src/tests/asn.1/deps U trunk/src/tests/create/Makefile.in A trunk/src/tests/create/deps U trunk/src/tests/dejagnu/Makefile.in A trunk/src/tests/dejagnu/deps A trunk/src/tests/deps U trunk/src/tests/gss-threads/Makefile.in A trunk/src/tests/gss-threads/deps U trunk/src/tests/gssapi/Makefile.in A trunk/src/tests/gssapi/deps U trunk/src/tests/hammer/Makefile.in A trunk/src/tests/hammer/deps U trunk/src/tests/misc/Makefile.in A trunk/src/tests/misc/deps U trunk/src/tests/mkeystash_compat/Makefile.in A trunk/src/tests/mkeystash_compat/deps U trunk/src/tests/resolve/Makefile.in A trunk/src/tests/resolve/deps U trunk/src/tests/shlib/Makefile.in A trunk/src/tests/shlib/deps U trunk/src/tests/threads/Makefile.in A trunk/src/tests/threads/deps U trunk/src/tests/verify/Makefile.in A trunk/src/tests/verify/deps U trunk/src/util/collected-client-lib/Makefile.in A trunk/src/util/collected-client-lib/deps U trunk/src/util/depfix.pl A trunk/src/util/deps U trunk/src/util/et/Makefile.in A trunk/src/util/et/deps U trunk/src/util/profile/Makefile.in A trunk/src/util/profile/deps A trunk/src/util/send-pr/deps U trunk/src/util/ss/Makefile.in A trunk/src/util/ss/deps U trunk/src/util/support/Makefile.in A trunk/src/util/support/deps From rt-comment at krbdev.mit.edu Mon Jan 5 18:29:42 2009 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Mon, 5 Jan 2009 23:29:42 +0000 (UTC) Subject: [krbdev.mit.edu #6315] SVN Commit In-Reply-To: Message-ID: Oops. Don't include openssl install paths from my local machine. Thanks to Ezra for noticing so quickly. http://src.mit.edu/fisheye/changelog/krb5/?cs=21706 Commit By: raeburn Revision: 21706 Changed Files: U trunk/src/plugins/preauth/pkinit/deps From rt-comment at krbdev.mit.edu Tue Jan 6 11:29:07 2009 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Tue, 6 Jan 2009 16:29:07 +0000 (UTC) Subject: [krbdev.mit.edu #6316] KIM GC problem on 64-bit In-Reply-To: Message-ID: New garbage collector should be implemented for KIM. Track# 6399259 From rt-comment at krbdev.mit.edu Tue Jan 6 14:24:08 2009 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Tue, 6 Jan 2009 19:24:08 +0000 (UTC) Subject: [krbdev.mit.edu #6300] krb5_get_init_creds_password hangs as DNS time-out is too long In-Reply-To: Message-ID: Track# 6364719 From rt-comment at krbdev.mit.edu Tue Jan 6 15:47:27 2009 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Tue, 6 Jan 2009 20:47:27 +0000 (UTC) Subject: [krbdev.mit.edu #6302] kadmind mem leaks In-Reply-To: Message-ID: r21708 removes the bogus null checks of the server handle. r21709 cleans up the leaks of the server handle. (I forgot to put RT ticket headers in both commits; apologies.) From rt-comment at krbdev.mit.edu Tue Jan 6 18:45:14 2009 From: rt-comment at krbdev.mit.edu (Sam Hartman via RT) Date: Tue, 6 Jan 2009 23:45:14 +0000 (UTC) Subject: [krbdev.mit.edu #5954] SVN Commit In-Reply-To: Message-ID: Ksu should call krb5_verify_init_creds instead of using its own function. This was prompted by a desire for ksu to work without a domain_realm mapping for the local server, but the duplication of code is bad anyway. http://src.mit.edu/fisheye/changelog/krb5/?cs=21714 Commit By: hartmans Revision: 21714 Changed Files: U trunk/src/clients/ksu/krb_auth_su.c From rt-comment at krbdev.mit.edu Tue Jan 6 18:45:21 2009 From: rt-comment at krbdev.mit.edu (Sam Hartman via RT) Date: Tue, 6 Jan 2009 23:45:21 +0000 (UTC) Subject: [krbdev.mit.edu #5954] SVN Commit In-Reply-To: Message-ID: Remove ksu's own implementation of krb5_verify_init_creds now that it is not used. http://src.mit.edu/fisheye/changelog/krb5/?cs=21715 Commit By: hartmans Revision: 21715 Changed Files: U trunk/src/clients/ksu/krb_auth_su.c From rt-comment at krbdev.mit.edu Tue Jan 6 18:45:27 2009 From: rt-comment at krbdev.mit.edu (Sam Hartman via RT) Date: Tue, 6 Jan 2009 23:45:27 +0000 (UTC) Subject: [krbdev.mit.edu #5954] SVN Commit In-Reply-To: Message-ID: Add support for referral null realms and use the default realm as krb5_rd_req_extended does http://src.mit.edu/fisheye/changelog/krb5/?cs=21716 Commit By: hartmans Revision: 21716 Changed Files: U trunk/src/lib/krb5/krb/vfy_increds.c From rt-comment at krbdev.mit.edu Wed Jan 7 15:26:25 2009 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Wed, 7 Jan 2009 20:26:25 +0000 (UTC) Subject: [krbdev.mit.edu #6301] kinit -k interacts poorly with preauth_required [rdar 6358140] In-Reply-To: Message-ID: actually a problem concerning the handling of mandatory preauth in kinit -k From rt-comment at krbdev.mit.edu Wed Jan 7 16:05:54 2009 From: rt-comment at krbdev.mit.edu (Roland C. Dowdeswell via RT) Date: Wed, 7 Jan 2009 21:05:54 +0000 (UTC) Subject: [krbdev.mit.edu #6317] select(2) if no fds < FD_SETSIZE are available. In-Reply-To: Message-ID: sendto_kdc.c uses select(2) and does not check to see if the fds that it obtains are less than FD_SETSIZE. This can cause undefined behaviour as FD_SET() does not do bounds checking. Although, this limitation should probably be addressed by using Niels Provos' libevent, I provide a small patch which will: 1. return reasonable errors if the size is returned, and 2. increase the limit to DESIRED_FD_SETSIZE which I define to be 8192. I think that (1) or something like it should be applied. (2) on the other hand is quite inelegant. A better approach should be used, I just in case it is viewed to be a reasonable short term fix. I call the inability to obtain a socket < FD_SETSIZE a permanent error which we can also change. It seemed at the time best to simply fail quickly w/o core dumping. I also return EMFILE in this case so that the error message returned is slightly more descriptive than KRB5_KDC_UNREACH. You may very well be able to reach KDCs, if you just had a few more fds.. Index: sendto_kdc.c =================================================================== RCS file: /ms/dev/kerberos/mitkrb5/cvs-dirs/mitkrb5-1.4/mitkrb5/src/lib/krb5/os/sendto_kdc.c,v retrieving revision 1.1.1.2 diff -u -r1.1.1.2 sendto_kdc.c --- sendto_kdc.c 16 Aug 2005 19:52:03 -0000 1.1.1.2 +++ sendto_kdc.c 7 Jan 2009 17:21:02 -0000 @@ -28,6 +28,25 @@ * as necessary. */ +/* + * We start out by upping the size of FD_SETSIZE. On rational operating + * systems, this is simple. One simply #defines FD_SETSIZE before including + * anything else. Linux of course does not support this because they are + * better than that. So, we special case things... + */ + +#define DESIRED_FD_SETSIZE 8192 +#ifndef linux +#define FD_SETSIZE DESIRED_FD_SETSIZE +#else +#include +#if (__GLIBC__ > 2) || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 2) +#include +#undef __FD_SETSIZE +#define __FD_SETSIZE DESIRED_FD_SETSIZE +#endif +#endif + #define NEED_SOCKETS #define NEED_LOWLEVEL_IO #include "fake-addrinfo.h" @@ -572,8 +591,16 @@ dprint("start_connection(@%p)\ngetting %s socket in family %d...", state, ai->ai_socktype == SOCK_STREAM ? "stream" : "dgram", ai->ai_family); fd = socket(ai->ai_family, ai->ai_socktype, 0); + if (fd >= FD_SETSIZE) { + close(fd); + state->err = EMFILE; + state->state = FAILED; /* XXXrcd: hmmm, is this permanent...? */ + dprint("socket: %m creating with af %d\n", state->err, ai->ai_family); + return -1; /* try other hosts */ + } if (fd == INVALID_SOCKET) { state->err = SOCKET_ERRNO; + state->state = FAILED; /* XXXrcd: hmmm, is this permanent...? */ dprint("socket: %m creating with af %d\n", state->err, ai->ai_family); return -1; /* try other hosts */ } @@ -1130,6 +1157,9 @@ if (sel_state->nfds == 0) { /* No addresses? */ retval = KRB5_KDC_UNREACH; + for (host = 0; host < n_conns; host++) + if (conns[host].err == EMFILE) + retval = EMFILE; goto egress; } if (e == 0 || winning_conn < 0) { -- Roland Dowdeswell http://www.Imrryr.ORG/~elric/ From rt-comment at krbdev.mit.edu Wed Jan 7 16:16:21 2009 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Wed, 7 Jan 2009 21:16:21 +0000 (UTC) Subject: [krbdev.mit.edu #6318] off-path TGT referral patch [rdar 3679887] In-Reply-To: Message-ID: Path from Tom Yu, mudged by Love to fit to modern MIT Kerberos. Also, fixed a un-deref on error. diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/krb5/krb/gc_frm_kdc.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/krb5/krb/gc_frm_kdc.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/krb5/krb/gc_frm_kdc.c 2008-11-07 11:25:56.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/krb5/krb/gc_frm_kdc.c 2008-11-24 20:45:48.000000000 -0800 @@ -92,6 +92,7 @@ krb5_creds *cur_cc_tgt; krb5_creds *nxt_cc_tgt; unsigned int ntgts; + krb5_creds *offpath_tgt; }; /* @@ -168,7 +169,11 @@ static krb5_error_code do_traversal(krb5_context ctx, krb5_ccache, krb5_principal client, krb5_principal server, krb5_creds *out_cc_tgt, krb5_creds **out_tgt, - krb5_creds ***out_kdc_tgts); + krb5_creds ***out_kdc_tgts, int *tgtptr_isoffpath); +static krb5_error_code chase_offpath(struct tr_state *, krb5_principal, + krb5_principal); +static krb5_error_code offpath_loopchk(struct tr_state *ts, + krb5_creds *tgt, krb5_creds *reftgts[], int rcount); static krb5_error_code krb5_get_cred_from_kdc_opt(krb5_context, krb5_ccache, krb5_creds *, krb5_creds **, krb5_creds ***, int); @@ -434,6 +439,7 @@ krb5_principal *kdcptr; TR_DBG(ts, "find_nxt_kdc"); + assert(ts->ntgts > 0); assert(ts->nxt_tgt == ts->kdc_tgts[ts->ntgts-1]); if (krb5_princ_size(ts->ctx, ts->nxt_tgt->server) != 2) return KRB5_KDCREP_MODIFIED; @@ -448,21 +454,39 @@ break; } } - if (*kdcptr == NULL) { + if (*kdcptr != NULL) { + ts->nxt_kdc = kdcptr; + TR_DBG_RET(ts, "find_nxt_kdc", 0); + return 0; + } + + r2 = krb5_princ_component(ts->ctx, ts->kdc_list[0], 1); + if (r1 != NULL && r2 != NULL && + r1->length == r2->length && + !memcmp(r1->data, r2->data, r1->length)) { + TR_DBG_RET(ts, "find_nxt_kdc: looped back to local", + KRB5_KDCREP_MODIFIED); + return KRB5_KDCREP_MODIFIED; + } + + /* + * Realm is not in our list; we probably got an unexpected realm + * referral. + */ + ts->offpath_tgt = ts->nxt_tgt; + if (ts->cur_kdc == ts->kdc_list) { /* - * Not found; we probably got an unexpected realm referral. - * Don't touch NXT_KDC, thus allowing next_closest_tgt() to - * continue looping backwards. + * Local KDC referred us off path; trust it for caching + * purposes. */ - if (ts->ntgts > 0) { - /* Punt NXT_TGT from KDC_TGTS if bogus. */ - krb5_free_creds(ts->ctx, ts->kdc_tgts[--ts->ntgts]); - ts->kdc_tgts[ts->ntgts] = NULL; - } - TR_DBG_RET(ts, "find_nxt_kdc", KRB5_KDCREP_MODIFIED); - return KRB5_KDCREP_MODIFIED; + return 0; } - ts->nxt_kdc = kdcptr; + /* + * Unlink the off-path TGT from KDC_TGTS but don't free it, + * because we should return it. + */ + ts->kdc_tgts[--ts->ntgts] = NULL; + ts->nxt_tgt = ts->cur_tgt; TR_DBG_RET(ts, "find_nxt_kdc", 0); return 0; } @@ -577,10 +601,8 @@ break; } /* - * Because try_kdc() validates referral TGTs, it can return an - * error indicating a bogus referral. The loop continues when - * it gets a bogus referral, which is arguably the right - * thing. (Previous implementation unconditionally failed.) + * In case of errors in try_kdc() or find_nxt_kdc(), continue + * looping through the KDC list. */ } /* @@ -689,7 +711,8 @@ krb5_principal server, krb5_creds *out_cc_tgt, krb5_creds **out_tgt, - krb5_creds ***out_kdc_tgts) + krb5_creds ***out_kdc_tgts, + int *tgtptr_isoffpath) { krb5_error_code retval; struct tr_state state, *ts; @@ -717,13 +740,23 @@ retval = next_closest_tgt(ts, client); if (retval) goto cleanup; + + if (ts->offpath_tgt != NULL) { + retval = chase_offpath(ts, client, server); + if (retval) + goto cleanup; + break; + } assert(ts->cur_kdc != ts->nxt_kdc); } if (NXT_TGT_IS_CACHED(ts)) { + assert(ts->offpath_tgt = NULL); *out_cc_tgt = *ts->cur_cc_tgt; *out_tgt = out_cc_tgt; MARK_CUR_CC_TGT_CLEAN(ts); + } else if (ts->offpath_tgt != NULL){ + *out_tgt = ts->offpath_tgt; } else { /* CUR_TGT is somewhere in KDC_TGTS; no need to copy. */ *out_tgt = ts->nxt_tgt; @@ -739,10 +772,126 @@ free(ts->kdc_tgts); } else *out_kdc_tgts = ts->kdc_tgts; + *tgtptr_isoffpath = (ts->offpath_tgt != NULL); + return retval; +} + +/* + * chase_offpath() + * + * Chase off-path TGT referrals. + * + * If we are traversing a trusted path (either hierarchically derived + * or explicit capath) and get a TGT pointing to a realm off this + * path, query the realm referenced by that off-path TGT. Repeat + * until we get to the destination realm or encounter an error. + * + * CUR_TGT is always either pointing into REFTGTS or is an alias for + * TS->OFFPATH_TGT. + */ +static krb5_error_code +chase_offpath(struct tr_state *ts, + krb5_principal client, krb5_principal server) +{ + krb5_error_code retval; + krb5_creds mcred; + krb5_creds *cur_tgt, *nxt_tgt, *reftgts[KRB5_REFERRAL_MAXHOPS]; + krb5_data *rsrc, *rdst, *r1; + int rcount, i; + + rdst = krb5_princ_realm(ts->ctx, server); + cur_tgt = ts->offpath_tgt; + + for (rcount = 0; rcount < KRB5_REFERRAL_MAXHOPS; rcount++) { + nxt_tgt = NULL; + memset(&mcred, 0, sizeof(mcred)); + rsrc = krb5_princ_component(ts->ctx, cur_tgt->server, 1); + retval = krb5_tgtname(ts->ctx, rdst, rsrc, &mcred.server); + if (retval) + goto cleanup; + mcred.client = client; + retval = krb5_get_cred_via_tkt(ts->ctx, cur_tgt, + FLAGS2OPTS(cur_tgt->ticket_flags), + cur_tgt->addresses, &mcred, &nxt_tgt); + mcred.client = NULL; + krb5_free_principal(ts->ctx, mcred.server); + mcred.server = NULL; + if (retval) + goto cleanup; + if (!IS_TGS_PRINC(ts->ctx, nxt_tgt->server)) { + retval = KRB5_KDCREP_MODIFIED; + goto cleanup; + } + r1 = krb5_princ_component(ts->ctx, nxt_tgt->server, 1); + if (rdst->length == r1->length && + !memcmp(rdst->data, r1->data, rdst->length)) { + retval = 0; + goto cleanup; + } + retval = offpath_loopchk(ts, nxt_tgt, reftgts, rcount); + if (retval) + goto cleanup; + reftgts[rcount] = nxt_tgt; + cur_tgt = nxt_tgt; + nxt_tgt = NULL; + } + /* Max hop count exceeded. */ + retval = KRB5_KDCREP_MODIFIED; + +cleanup: + if (mcred.server != NULL) { + krb5_free_principal(ts->ctx, mcred.server); + } + /* + * Don't free TS->OFFPATH_TGT if it's in the list of cacheable + * TGTs to be returned by do_traversal(). + */ + if (ts->offpath_tgt != ts->nxt_tgt) { + krb5_free_creds(ts->ctx, ts->offpath_tgt); + } + ts->offpath_tgt = NULL; + if (nxt_tgt != NULL) { + if (retval) + krb5_free_creds(ts->ctx, nxt_tgt); + else + ts->offpath_tgt = nxt_tgt; + } + for (i = 0; i < rcount; i++) { + krb5_free_creds(ts->ctx, reftgts[i]); + } return retval; } /* + * offpath_loopchk() + * + * Check for loop back to previously-visited realms, both off-path and + * on-path. + */ +static krb5_error_code +offpath_loopchk(struct tr_state *ts, + krb5_creds *tgt, krb5_creds *reftgts[], int rcount) +{ + krb5_data *r1, *r2; + int i; + + r1 = krb5_princ_component(ts->ctx, tgt->server, 1); + for (i = 0; i < rcount; i++) { + r2 = krb5_princ_component(ts->ctx, reftgts[i]->server, 1); + if (r1->length == r2->length && + !memcmp(r1->data, r2->data, r1->length)) + return KRB5_KDCREP_MODIFIED; + } + for (i = 0; i < ts->ntgts; i++) { + r2 = krb5_princ_component(ts->ctx, ts->kdc_tgts[i]->server, 1); + if (r1->length == r2->length && + !memcmp(r1->data, r2->data, r1->length)) + return KRB5_KDCREP_MODIFIED; + } + return 0; +} + +/* * krb5_get_cred_from_kdc_opt() * krb5_get_cred_from_kdc() * krb5_get_cred_from_kdc_validate() @@ -786,6 +935,8 @@ krb5_error_code retval, subretval; krb5_principal client, server, supplied_server, out_supplied_server; krb5_creds tgtq, cc_tgt, *tgtptr, *referral_tgts[KRB5_REFERRAL_MAXHOPS]; + krb5_creds *otgtptr = NULL; + int tgtptr_isoffpath = 0; krb5_boolean old_use_conf_ktypes; char **hrealms; unsigned int referral_count, i; @@ -847,8 +998,10 @@ } else if (!HARD_CC_ERR(retval)) { DPRINTF(("gc_from_kdc: starting do_traversal to find " "initial TGT for referral\n")); + tgtptr_isoffpath = 0; + otgtptr = NULL; retval = do_traversal(context, ccache, client, server, - &cc_tgt, &tgtptr, tgts); + &cc_tgt, &tgtptr, tgts, &tgtptr_isoffpath); } if (retval) { DPRINTF(("gc_from_kdc: failed to find initial TGT for referral\n")); @@ -863,6 +1016,11 @@ * path, otherwise fall back to old-style assumptions. */ + /* + * Save TGTPTR because we rewrite it in the referral loop, and + * we might need to explicitly free it later. + */ + otgtptr = tgtptr; for (referral_count = 0; referral_count < KRB5_REFERRAL_MAXHOPS; referral_count++) { @@ -987,6 +1145,7 @@ tgtptr=*out_cred; /* Save pointer to tgt in referral_tgts. */ referral_tgts[referral_count]=*out_cred; + *out_cred = NULL; /* Copy krbtgt realm to server principal. */ krb5_free_data_contents(context, &server->realm); retval = krb5int_copy_data_contents(context, @@ -1061,6 +1220,11 @@ /* Free tgtptr data if reused from above. */ if (tgtptr == &cc_tgt) krb5_free_cred_contents(context, tgtptr); + tgtptr = NULL; + /* Free saved TGT in OTGTPTR if it was off-path. */ + if (tgtptr_isoffpath) + krb5_free_creds(context, otgtptr); + otgtptr = NULL; /* Free TGTS if previously filled by do_traversal() */ if (*tgts != NULL) { for (i = 0; (*tgts)[i] != NULL; i++) { @@ -1075,11 +1239,13 @@ if (!retval) { tgtptr = &cc_tgt; } else if (!HARD_CC_ERR(retval)) { + tgtptr_isoffpath = 0; retval = do_traversal(context, ccache, client, server, - &cc_tgt, &tgtptr, tgts); + &cc_tgt, &tgtptr, tgts, &tgtptr_isoffpath); } if (retval) goto cleanup; + otgtptr = tgtptr; /* * Finally have TGT for target realm! Try using it to get creds. @@ -1102,6 +1268,8 @@ krb5_free_cred_contents(context, &tgtq); if (tgtptr == &cc_tgt) krb5_free_cred_contents(context, tgtptr); + if (tgtptr_isoffpath) + krb5_free_creds(context, otgtptr); context->use_conf_ktypes = old_use_conf_ktypes; /* Drop the original principal back into in_cred so that it's cached in the expected format. */ From rt-comment at krbdev.mit.edu Thu Jan 8 20:42:41 2009 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Fri, 9 Jan 2009 01:42:41 +0000 (UTC) Subject: [krbdev.mit.edu #5627] SVN Commit In-Reply-To: Message-ID: Follow "off-path" TGT referrals. http://src.mit.edu/fisheye/changelog/krb5/?cs=21720 Commit By: tlyu Revision: 21720 Changed Files: U trunk/src/lib/krb5/krb/gc_frm_kdc.c From rt-comment at krbdev.mit.edu Thu Jan 8 20:45:28 2009 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Fri, 9 Jan 2009 01:45:28 +0000 (UTC) Subject: [krbdev.mit.edu #6318] off-path TGT referral patch [rdar 3679887] In-Reply-To: Message-ID: Applied patch; see ticket #5627. From rt-comment at krbdev.mit.edu Mon Jan 12 09:34:52 2009 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Mon, 12 Jan 2009 14:34:52 +0000 (UTC) Subject: [krbdev.mit.edu #6316] update from Apple: In-Reply-To: Message-ID: KIM not the problem, its our (Apple's) locate_kdc plugin. From rt-comment at krbdev.mit.edu Mon Jan 12 09:38:36 2009 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Mon, 12 Jan 2009 14:38:36 +0000 (UTC) Subject: [krbdev.mit.edu #6319] klist -k throws end of key table warning In-Reply-To: Message-ID: diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosClients/klist/Sources/klist.c Kerberos.AEP-6.5fc1/KerberosClients/klist/Sources/klist.c --- Kerberos.AEP-6.5fc1.orig/KerberosClients/klist/Sources/klist.c 2008-12-11 15:15:04.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosClients/klist/Sources/klist.c 2008-12-11 16:40:57.000000000 -0800 @@ -183,6 +183,10 @@ char *principal_name = NULL; err = krb5_kt_next_entry (kcontext, kt, &entry, &cursor); + if (err == KRB5_KT_END) { + err = 0; + break; + } if (!err) { err = krb5_unparse_name (kcontext, entry.principal, &principal_name); @@ -210,11 +214,10 @@ } printmsg ("\n"); } - printiferr (err, "while scanning keytab %s", keytab_name); + printiferr (err, "while scanning keytab %s", keytab_name); if (principal_name) { krb5_free_unparsed_name (kcontext, principal_name); } } - if (err == KRB5_KT_END) { err = 0; } if (!err) { err = krb5_kt_end_seq_get (kcontext, kt, &cursor); From rt-comment at krbdev.mit.edu Mon Jan 12 09:49:26 2009 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Mon, 12 Jan 2009 14:49:26 +0000 (UTC) Subject: [krbdev.mit.edu #6322] Leak in CCacheServer In-Reply-To: Message-ID: diff -ru Kerberos.orig/KerberosFramework/Kerberos5/Sources/util/mac/k5_mig_server.c Kerberos/KerberosFramework/Kerberos5/Sources/util/mac/k5_mig_server.c --- Kerberos.orig/KerberosFramework/Kerberos5/Sources/util/mac/k5_mig_server.c 2008-12-18 21:34:46.000000000 -0800 +++ Kerberos/KerberosFramework/Kerberos5/Sources/util/mac/k5_mig_server.c 2008-12-19 00:31:02.000000000 -0800 @@ -37,6 +37,11 @@ #include #include +/* Map of receive rights to libdispatch sources. */ +static CFMutableDictionaryRef mig_clients = NULL; +__unused static int _assert_mach_port_can_be_used_as_cfdictionary_key_ + [sizeof(mach_port_t) <= sizeof(void *) ? 0 : -1]; + /* ------------------------------------------------------------------------ */ static boolean_t k5_ipc_request_demux (mach_msg_header_t *request, @@ -55,12 +60,11 @@ err = k5_ipc_server_remove_client (request->msgh_local_port); if (!err) { - err = mach_port_mod_refs (mach_task_self (), - request->msgh_local_port, - MACH_PORT_RIGHT_RECEIVE, -1); - } - - if (!err) { + void *key = (void *)((uintptr_t)request->msgh_local_port); + dispatch_source_t source = (dispatch_source_t)CFDictionaryGetValue + (mig_clients, key); + CFDictionaryRemoveValue (mig_clients, key); + dispatch_release (source); handled = 1; /* was a port we are tracking */ } } @@ -76,6 +80,8 @@ kern_return_t err = KERN_SUCCESS; mach_port_t connection_port = MACH_PORT_NULL; mach_port_t old_notification_target = MACH_PORT_NULL; + dispatch_source_attr_t attr = NULL; + dispatch_source_t source = NULL; if (!err) { err = mach_port_allocate (mach_task_self (), @@ -97,18 +103,44 @@ } if (!err) { + attr = dispatch_source_attr_create (); + if (attr == NULL) { + err = KERN_FAILURE; + } + } + + if (!err) { + dispatch_source_finalizer_t finalizer; + finalizer = ^(dispatch_source_t s){ + mach_port_mod_refs (mach_task_self (), connection_port, + MACH_PORT_RIGHT_RECEIVE, -1); + }; + if (dispatch_source_attr_set_finalizer (attr, finalizer)) { + err = KERN_FAILURE; + } + } + + if (!err) { dispatch_queue_t queue; - queue = dispatch_get_main_queue(); - dispatch_source_mig_create(connection_port, K5_IPC_MAX_MSG_SIZE, - NULL, queue, k5_ipc_request_demux); + queue = dispatch_get_main_queue (); + source = dispatch_source_mig_create (connection_port, + K5_IPC_MAX_MSG_SIZE, attr, queue, + k5_ipc_request_demux); + if (source == NULL) { + err = KERN_FAILURE; + } } if (!err) { + CFDictionaryAddValue (mig_clients, + (void *)((uintptr_t)connection_port), source); *out_connection_port = connection_port; connection_port = MACH_PORT_NULL; } if (MACH_PORT_VALID (connection_port)) { mach_port_deallocate (mach_task_self (), connection_port); } + + if (attr != NULL) { dispatch_release (attr); } return err; } @@ -223,11 +255,14 @@ if (launch_data_get_type(obj) == LAUNCH_DATA_MACHPORT) { mach_port_t port = launch_data_get_machport(obj); - dispatch_source_mig_create(port, - K5_IPC_MAX_MSG_SIZE, - NULL, - dispatch_get_main_queue(), - k5_ipc_request_demux); + source = dispatch_source_mig_create(port, + K5_IPC_MAX_MSG_SIZE, + NULL, + dispatch_get_main_queue(), + k5_ipc_request_demux); + if (source == NULL) { + syslog(LOG_NOTICE, "Failed to register Mach source."); + } } else { syslog(LOG_NOTICE, "%s: not a mach port", key); } @@ -254,6 +289,13 @@ syslog(LOG_NOTICE, "launch_msg() response: %s", strerror(errno)); return 1; } + + mig_clients = CFDictionaryCreateMutable(kCFAllocatorDefault, 0, NULL, NULL); + + if (mig_clients == NULL) { + syslog(LOG_NOTICE, "Failed to create client dictionary."); + return 1; + } tmp = launch_data_dict_lookup(resp, LAUNCH_JOBKEY_MACHSERVICES); From rt-comment at krbdev.mit.edu Mon Jan 12 09:52:04 2009 From: rt-comment at krbdev.mit.edu (Zhanna Tsitkova via RT) Date: Mon, 12 Jan 2009 14:52:04 +0000 (UTC) Subject: [krbdev.mit.edu #6323] kadmin: rename support In-Reply-To: Message-ID: diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kadmin/cli/kadmin.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kadmin/cli/kadmin.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kadmin/cli/kadmin.c 2009-01-08 19:22:46.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kadmin/cli/kadmin.c 2009-01-08 13:14:43.000000000 -0800 @@ -650,6 +650,76 @@ return; } +void kadmin_renameprinc(argc, argv) + int argc; + char *argv[]; +{ + kadm5_ret_t retval; + krb5_principal oprinc, nprinc; + char *ocanon, *ncanon; + char reply[5]; + + if (! (argc == 3 || + (argc == 4 && !strcmp("-force", argv[1])))) { + fprintf(stderr, "usage: rename_principal [-force] old_principal new_principal\n"); + return; + } + retval = kadmin_parse_name(argv[argc - 2], &oprinc); + if (retval) { + com_err("rename_principal", retval, "while parsing old principal name"); + return; + } + retval = kadmin_parse_name(argv[argc - 1], &nprinc); + if (retval) { + com_err("rename_principal", retval, "while parsing new principal name"); + krb5_free_principal(context, oprinc); + return; + } + retval = krb5_unparse_name(context, oprinc, &ocanon); + if (retval) { + com_err("rename_principal", retval, + "while canonicalizing old principal"); + krb5_free_principal(context, nprinc); + krb5_free_principal(context, oprinc); + return; + } + retval = krb5_unparse_name(context, nprinc, &ncanon); + if (retval) { + com_err("rename_principal", retval, + "while canonicalizing new principal"); + free(ocanon); + krb5_free_principal(context, nprinc); + krb5_free_principal(context, oprinc); + return; + } + if (argc == 3) { + printf("Are you sure you want to rename the principal \"%s\" to \"%s\"? (yes/no): ", + ocanon, ncanon); + fgets(reply, sizeof (reply), stdin); + if (strcmp("yes\n", reply)) { + fprintf(stderr, "Principal \"%s\" not renamed\n", ocanon); + free(ncanon); + free(ocanon); + krb5_free_principal(context, nprinc); + krb5_free_principal(context, oprinc); + return; + } + } + retval = kadm5_rename_principal(handle, oprinc, nprinc); + krb5_free_principal(context, nprinc); + krb5_free_principal(context, oprinc); + if (retval) { + com_err("rename_principal", retval, + "while renaming principal \"%s\" to \"%s\"", ocanon, ncanon); free(ncanon); + free(ocanon); + return; + } + printf("Principal \"%s\" renamed to \"%s\".\nMake sure that you have removed this principal from all ACLs before reusing.\n", ocanon, ncanon); + free(ncanon); + free(ocanon); + return; +} + void kadmin_cpw(argc, argv) int argc; char *argv[]; diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kadmin/cli/kadmin_ct.ct Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kadmin/cli/kadmin_ct.ct --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kadmin/cli/kadmin_ct.ct 2009-01-08 19:22:46.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kadmin/cli/kadmin_ct.ct 2009-01-08 13:14:43.000000000 -0800 @@ -35,6 +35,9 @@ request kadmin_modprinc, "Modify principal", modify_principal, modprinc; +request kadmin_renameprinc, "Rename principal", + rename_principal, renprinc; + request kadmin_cpw, "Change password", change_password, cpw; diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kadmin/dbutil/dump.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kadmin/dbutil/dump.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/kadmin/dbutil/dump.c 2008-11-07 11:25:29.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/kadmin/dbutil/dump.c 2009-01-08 18:44:12.000000000 -0800 @@ -47,6 +47,7 @@ */ static int mkey_convert; static krb5_keyblock new_master_keyblock; +static krb5_principal new_master_princ = NULL; static int backwards; static int recursive; @@ -1097,6 +1098,10 @@ else if (!strcmp(argv[aindex], "-new_mkey_file")) { new_mkey_file = argv[++aindex]; mkey_convert = 1; + } else if (!strcmp(argv[aindex], "-new_mkey_principal")) { + kret = krb5_parse_name(util_context, argv[++aindex], &new_master_princ); + if (kret) + fprintf(stderr, "failed to parse new mkey principal: %s", argv[aindex]); } else if (!strcmp(argv[aindex], "-rev")) backwards = 1; else if (!strcmp(argv[aindex], "-recurse")) @@ -1127,6 +1132,13 @@ } /* + * Set new_master_princ if not set, use default master principal. + */ + + if (new_master_princ == NULL) + new_master_princ = master_princ; + + /* * If we're doing a master key conversion, set up for it. */ if (mkey_convert) { @@ -1166,7 +1178,7 @@ else kt_kvno = IGNORE_VNO; - if ((retval = krb5_db_fetch_mkey(util_context, master_princ, + if ((retval = krb5_db_fetch_mkey(util_context, new_master_princ, new_master_keyblock.enctype, FALSE, FALSE, @@ -1179,7 +1191,7 @@ } } else { printf("Please enter new master key....\n"); - if ((retval = krb5_db_fetch_mkey(util_context, master_princ, + if ((retval = krb5_db_fetch_mkey(util_context, new_master_princ, new_master_keyblock.enctype, TRUE, TRUE, diff -Nur -x '*~' -x '*.orig' -x '*.rej' -x '*.pbxbtree' -x '*.pbxindex' -x lha.mode1v3 -x lha.mode2v3 -x lha.pbxuser -x windows -x .DS_Store Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/kadm5/srv/svr_principal.c Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/kadm5/srv/svr_principal.c --- Kerberos.AEP-6.5fc1.orig/KerberosFramework/Kerberos5/Sources/lib/kadm5/srv/svr_principal.c 2009-01-08 19:22:46.000000000 -0800 +++ Kerberos.AEP-6.5fc1/KerberosFramework/Kerberos5/Sources/lib/kadm5/srv/svr_principal.c 2009-01-08 13:14:43.000000000 -0800 @@ -677,16 +677,71 @@ if ((ret = kdb_get_entry(handle, source, &kdb, &adb))) return ret; - /* this is kinda gross, but unavoidable */ - + /* Transform salt types */ for (i=0; i 1) + stype = kdb.key_data[i].key_data_type[1]; + else + stype = KRB5_KDB_SALTTYPE_NORMAL; + + switch(stype) { + case KRB5_KDB_SALTTYPE_SPECIAL: + /* do nothing */ + break; + case KRB5_KDB_SALTTYPE_NORMAL: + kdb.key_data[i].key_data_type[1] = KRB5_KDB_SALTTYPE_SPECIAL; + krb5_principal2salt(handle->context, kdb.princ, &sdata); + if (kdb.key_data[i].key_data_contents[1]) + free(kdb.key_data[i].key_data_contents[1]); + kdb.key_data[i].key_data_contents[1] = sdata.data; + kdb.key_data[i].key_data_length[1] = sdata.length; + added_salt = 1; + break; + case KRB5_KDB_SALTTYPE_NOREALM: + kdb.key_data[i].key_data_type[1] = KRB5_KDB_SALTTYPE_SPECIAL; + krb5_principal2salt_norealm(handle->context, kdb.princ, &sdata); + if (kdb.key_data[i].key_data_contents[1]) + free(kdb.key_data[i].key_data_contents[1]); + kdb.key_data[i].key_data_contents[1] = sdata.data; + kdb.key_data[i].key_data_length[1] = sdata.length; + added_salt = 1; + break; + case KRB5_KDB_SALTTYPE_ONLYREALM: { + unsigned char *p; + size_t len; + + len = krb5_princ_realm(context, kdb.princ)->length; + p = malloc(len); + if (p == NULL) { + ret = ENOMEM; + goto done; + } + if (kdb.key_data[i].key_data_contents[1]) + free(kdb.key_data[i].key_data_contents[1]); + memcpy(p, krb5_princ_realm(context, kdb.princ)->data, len); + kdb.key_data[i].key_data_contents[1] = p; + kdb.key_data[i].key_data_length[1] = len; + added_salt = 1; + break; + } + case KRB5_KDB_SALTTYPE_V4: + /* no do nothing, we assume v4 realm is not renamed */ + break; + case KRB5_KDB_SALTTYPE_AFS3: + break; + /* FALLTHOUGH */ + default: ret = KADM5_NO_RENAME_SALT; goto done; } + if (added_salt && kdb.key_data[i].key_data_ver == 1) + kdb.key_data[i].key_data_ver = 2; } - + kadm5_free_principal(handle->context, kdb.princ); ret = kadm5_copy_principal(handle->context, target, &kdb.princ); if (ret) { From rt-comment at krbdev.mit.edu Mon Jan 12 13:29:50 2009 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Mon, 12 Jan 2009 18:29:50 +0000 (UTC) Subject: [krbdev.mit.edu #1201] SVN Commit In-Reply-To: Message-ID: Add message hash support to the replay interface, using extension records (with an empty client string) to retain compatibility with old code. For rd_req, the ciphertext of the authenticator (with no ASN.1 wrapping) is hashed; for other uses of the replay cache, no message hash is used at this time. This commit adds a command-line tool for testing the replay cache but does not add any automated tests. http://src.mit.edu/fisheye/changelog/krb5/?cs=21723 Commit By: ghudson Revision: 21723 Changed Files: U trunk/src/include/k5-int.h U trunk/src/kdc/kdc_preauth.c U trunk/src/lib/krb5/krb/mk_cred.c U trunk/src/lib/krb5/krb/mk_priv.c U trunk/src/lib/krb5/krb/mk_safe.c U trunk/src/lib/krb5/krb/rd_cred.c U trunk/src/lib/krb5/krb/rd_priv.c U trunk/src/lib/krb5/krb/rd_req_dec.c U trunk/src/lib/krb5/krb/rd_safe.c U trunk/src/lib/krb5/libkrb5.exports U trunk/src/lib/krb5/rcache/Makefile.in U trunk/src/lib/krb5/rcache/rc_conv.c U trunk/src/lib/krb5/rcache/rc_dfl.c A trunk/src/lib/krb5/rcache/t_replay.c U trunk/src/tests/threads/t_rcache.c From rt-comment at krbdev.mit.edu Mon Jan 12 16:22:40 2009 From: rt-comment at krbdev.mit.edu (Love Hornquist Astrand via RT) Date: Mon, 12 Jan 2009 21:22:40 +0000 (UTC) Subject: [krbdev.mit.edu #6323] kadmin: rename support In-Reply-To: Message-ID: this is dup of 6118 From rt-comment at krbdev.mit.edu Mon Jan 12 16:23:46 2009 From: rt-comment at krbdev.mit.edu (Love Hornquist Astrand via RT) Date: Mon, 12 Jan 2009 21:23:46 +0000 (UTC) Subject: [krbdev.mit.edu #6118] rename principals In-Reply-To: Message-ID: marcus, a more complete patch is in 6323 http://krbdev.mit.edu/rt/Ticket/Display.html?id=6323 From rt-comment at krbdev.mit.edu Mon Jan 12 16:24:38 2009 From: rt-comment at krbdev.mit.edu (Love Hornquist Astrand via RT) Date: Mon, 12 Jan 2009 21:24:38 +0000 (UTC) Subject: [krbdev.mit.edu #6323] kadmin: rename support In-Reply-To: Message-ID: [lha - Mon Jan 12 16:22:40 2009]: > this is dup of 6118 and this patch is based on marcus patch in there, just more complete From rt-comment at krbdev.mit.edu Mon Jan 12 16:24:56 2009 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Mon, 12 Jan 2009 21:24:56 +0000 (UTC) Subject: [krbdev.mit.edu #6324] SVN Commit In-Reply-To: Message-ID: testing ticket pre-allocation http://src.mit.edu/fisheye/changelog/krb5/?cs=21731 Commit By: tlyu Revision: 21731 Changed Files: D branches/commit-handler-test/aaaa/ From rt-comment at krbdev.mit.edu Mon Jan 12 17:34:49 2009 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Mon, 12 Jan 2009 22:34:49 +0000 (UTC) Subject: [krbdev.mit.edu #6326] SVN Commit In-Reply-To: Message-ID: Another test of commit handler with full ticket pre-alloc. http://src.mit.edu/fisheye/changelog/krb5/?cs=21735 Commit By: tlyu Revision: 21735 Changed Files: D branches/commit-handler-test/aaaa/ From rt-comment at krbdev.mit.edu Mon Jan 12 17:36:11 2009 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Mon, 12 Jan 2009 22:36:11 +0000 (UTC) Subject: [krbdev.mit.edu #6327] SVN Commit In-Reply-To: Message-ID: another test http://src.mit.edu/fisheye/changelog/krb5/?cs=21736 Commit By: tlyu Revision: 21736 Changed Files: A branches/commit-handler-test/aaaa/ From rt-comment at krbdev.mit.edu Mon Jan 12 17:37:22 2009 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Mon, 12 Jan 2009 22:37:22 +0000 (UTC) Subject: [krbdev.mit.edu #6328] SVN Commit In-Reply-To: Message-ID: test test http://src.mit.edu/fisheye/changelog/krb5/?cs=21737 Commit By: tlyu Revision: 21737 Changed Files: D branches/commit-handler-test/aaaa/ From rt-comment at krbdev.mit.edu Mon Jan 12 17:48:43 2009 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Mon, 12 Jan 2009 22:48:43 +0000 (UTC) Subject: [krbdev.mit.edu #6329] SVN Commit In-Reply-To: Message-ID: now with match-preserving http://src.mit.edu/fisheye/changelog/krb5/?cs=21738 Commit By: tlyu Revision: 21738 Changed Files: A branches/commit-handler-test/aaaa/ From rt-comment at krbdev.mit.edu Mon Jan 12 18:58:30 2009 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Mon, 12 Jan 2009 23:58:30 +0000 (UTC) Subject: [krbdev.mit.edu #6335] test failures in password changing In-Reply-To: Message-ID: The current trunk code fails a couple of the dejagnu tests. Both have to do with changing passwords; one directly, one via kinit when the database entry is flagged to require a password change. The logged error is that a network address was incorrect. From a bit of experimentation and observation, it appears that the problem comes up on machines with multiple non-loopback addresses (e.g., IPv4 + IPv6), and not on machines with only one address. Ken From rt-comment at krbdev.mit.edu Mon Jan 12 18:58:49 2009 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Mon, 12 Jan 2009 23:58:49 +0000 (UTC) Subject: [krbdev.mit.edu #6336] enctype negotiation - etype list In-Reply-To: Message-ID: The current enctype negotiation code on the trunk has a funny way of coming up with the enctype list to send. The RFC says that if the session key is in the list, it should be at the end. The current code looks up the enctype list, which is ordered by preference, and scans it for the session key type. If it finds it, it *swaps* it with the entry at the end of the list. So if the session key type was first on the list, it's now last, and you're telling the application server that the enctype you'd really like to use is the one that was originally last in your preference order. It probably should truncate the list after the session key type, if it's found. And, just for kicks, check and see if the session key type is first on the list and skip enctype negotiation altogether if it is, since we can't get a more-preferred enctype in that case. Ken From rt-comment at krbdev.mit.edu Tue Jan 13 15:38:00 2009 From: rt-comment at krbdev.mit.edu (Russ Allbery via RT) Date: Tue, 13 Jan 2009 20:38:00 +0000 (UTC) Subject: [krbdev.mit.edu #6337] kadmin should force non-forwardable tickets In-Reply-To: Message-ID: We make forwardable tickets the default in the [libdefaults] section of our krb5.conf file, but we disable forwardable tickets for privileged principals (*/root, */admin). Authenticating to kadmin with a password as a privileged account therefore fails on systems with our default krb5.conf file. In kadm5_gic_iter() when authenticating with a password, the client library sets up krb5_get_init_creds_opt structure but doesn't set any parameters in it. Since the acquired credentials are going into a memory cache specific to that client invocation, forwardable tickets are pointless. I think the kadmin client library should therefore force the forwardable option (and probably the proxiable option and renewable time) to false. From rt-comment at krbdev.mit.edu Tue Jan 13 15:46:55 2009 From: rt-comment at krbdev.mit.edu (Russ Allbery via RT) Date: Tue, 13 Jan 2009 20:46:55 +0000 (UTC) Subject: [krbdev.mit.edu #6337] kadmin should force non-forwardable tickets In-Reply-To: Message-ID: "Russ Allbery via RT" writes: > In kadm5_gic_iter() when authenticating with a password, the client > library sets up krb5_get_init_creds_opt structure but doesn't set any > parameters in it. Since the acquired credentials are going into a > memory cache specific to that client invocation, forwardable tickets are > pointless. I think the kadmin client library should therefore force the > forwardable option (and probably the proxiable option and renewable > time) to false. Here's a patch. Let me know if this looks good and I'll check it in. Index: client_init.c =================================================================== --- src/lib/kadm5/clnt/client_init.c (revision 21740) +++ src/lib/kadm5/clnt/client_init.c (working copy) @@ -541,8 +541,12 @@ goto error; } - if (init_type != INIT_CREDS) + /* Credentials for kadmin don't need to be forwardable or proxiable. */ + if (init_type != INIT_CREDS) { krb5_get_init_creds_opt_init(&opt); + krb5_get_init_creds_opt_set_forwardable(&opt, 0); + krb5_get_init_creds_opt_set_proxiable(&opt, 0); + } if (init_type == INIT_PASS) { code = krb5_get_init_creds_password(ctx, &outcreds, client, pass, -- Russ Allbery (rra at stanford.edu) From rt-comment at krbdev.mit.edu Tue Jan 13 16:20:48 2009 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Tue, 13 Jan 2009 21:20:48 +0000 (UTC) Subject: [krbdev.mit.edu #6337] kadmin should force non-forwardable tickets In-Reply-To: Message-ID: The patch looks good to me. Ken From rt-comment at krbdev.mit.edu Tue Jan 13 19:29:07 2009 From: rt-comment at krbdev.mit.edu (Russ Allbery via RT) Date: Wed, 14 Jan 2009 00:29:07 +0000 (UTC) Subject: [krbdev.mit.edu #6337] SVN Commit In-Reply-To: Message-ID: Force tickets acquired by the kadm5 client library via password authentication to be non-forwardable and non-proxiable, overridding any [libdefaults] configuration. This may be necessary at sites that set forwardable to true by default in their krb5.conf files but disable forwardable tickets for privileged principals. Since the ticket cache acquired by the kadm5 client library is used only for kadmin operations, where forwardable is not useful or necessary, there is no reason to ever attempt to obtain forwardable or proxiable tickets here. http://src.mit.edu/fisheye/changelog/krb5/?cs=21744 Commit By: rra Revision: 21744 Changed Files: U trunk/src/lib/kadm5/clnt/client_init.c From rt-comment at krbdev.mit.edu Wed Jan 14 10:29:13 2009 From: rt-comment at krbdev.mit.edu (Sam Hartman via RT) Date: Wed, 14 Jan 2009 15:29:13 +0000 (UTC) Subject: [krbdev.mit.edu #6338] Debian Bug #511348: cpu spins when ldap not available In-Reply-To: Message-ID: Please take a look at http://bugs.debian.org/511348 It seems like krb5_db_inited is kind of confused. Some of the code (libkadm5) treats it as a boolean function; some code (kdb keytab) treats it as returning an error code. For unexplained reasons, krb524d spins sometimes against an ldap backend. I'm not sure entirely what's going on here, but I suspect that the policy db and the principal db are getting out of sync or something. I understand we're dropping krb524d from the release, but it seems like some issues may still result from this. --Sam From rt-comment at krbdev.mit.edu Wed Jan 14 16:34:07 2009 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Wed, 14 Jan 2009 21:34:07 +0000 (UTC) Subject: [krbdev.mit.edu #6335] test failures in password changing In-Reply-To: Message-ID: Looking at the changes to network.c in adapting it for kadmind, I see the dispatch routine is being passed the destination (local) address from the network.c code, but note that recv_from_to does *not* always fill it in; it'll set *tolen to 0 if it can't get the address, and there's no check for that failure. So I expect it'll fail on systems where there's no IP_PKTINFO or IPV6_PKTINFO socket option (like Mac OS X when using IPv4), and it'll pass on Linux (which has both). If I tweak recv_from_to to pre-fill the buffer with the local IPv4 address, the test passes; if I pre-fill it with a different IPv4 address, some debugging code I added to rd_priv.c spits out that address as the non-matching s_address field in the message coming back from kadmind. See also #6205, a patch to use IP_RECVDSTADDR in kadmind... From rt-comment at krbdev.mit.edu Wed Jan 14 16:57:52 2009 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Wed, 14 Jan 2009 21:57:52 +0000 (UTC) Subject: [krbdev.mit.edu #6339] Fwd: krb5_sendauth vs NAGLE vs DelayedAck In-Reply-To: Message-ID: Create a krb5int_net_writev helper function, calling writev in a loop like krb5_net_write. Use it in krb5_write_message. Begin forwarded message: > From: John Hascall > Date: January 14, 2009 15:22:34 EST > To: kerberos at MIT.EDU > Subject: krb5_sendauth vs NAGLE vs DelayedAck > X-Spam-Score: 0 > > > I don't recall having seen this discussed on this > list and google doesn't seem to either, so... > > I just discovered that hard way that the way that > krb5_sendauth/krb5_recvauth work tickles the nasty > interaction between the TCP NAGLE and DelayedAck > features which inserts two ~200ms delays into the > process: > > 16994 accessd 1231948663.402557 CALL read(6,0xbfbffa54,4) > 16994 accessd 1231948663.402561 GIO fd 6 read 4 bytes > "\0\0\0\^S" > 16994 accessd 1231948663.402567 CALL read(6,0xa1e0520,0x13) > 16994 accessd 1231948663.592835 GIO fd 6 read 19 bytes > "KRB5_SENDAUTH_V1.0\0" > 16994 accessd 1231948663.592850 CALL read(6,0xbfbff914,4) > 16994 accessd 1231948663.592854 GIO fd 6 read 4 bytes > "\0\0\0\b" > 16994 accessd 1231948663.592860 CALL read(6,0xa1e2530,8) > 16994 accessd 1231948663.592863 GIO fd 6 read 8 bytes > "PV 1.00\0" > 16994 accessd 1231948663.592868 CALL write(6,0xbfbff99b,1) > 16994 accessd 1231948663.592874 GIO fd 6 wrote 1 bytes > "\0" > 16994 accessd 1231948663.592879 CALL read(6,0xbfbff914,4) > 16994 accessd 1231948663.593675 GIO fd 6 read 4 bytes > "\0\0\^A\M^U" > 16994 accessd 1231948663.593681 CALL read(6,0xa165800,0x195) > 16994 accessd 1231948663.792905 GIO fd 6 read 405 bytes > "...a bunch of binary goop..." > > This was pretty annoying when that 4/10s of a second was > pretty much all of the connection lifetime. > > My guess is that this occurs anywhere that the kerberos > libs use krb5_write_message(). > > My solution was just to do: > int on = 1; > setsockopt(fd, IPPROTO_TCP, TCP_NODELAY, &on, sizeof(on)); > before calling krb5_sendauth() but a "better" approach might > be for krb5_write_message to end up calling writev so it > does one write instead of two, I think. > > > John > ________________________________________________ > Kerberos mailing list Kerberos at mit.edu > https://mailman.mit.edu/mailman/listinfo/kerberos From rt-comment at krbdev.mit.edu Wed Jan 14 18:36:19 2009 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Wed, 14 Jan 2009 23:36:19 +0000 (UTC) Subject: [krbdev.mit.edu #6335] SVN Commit In-Reply-To: Message-ID: If we have a local UDP socket without the PKTINFO option set, it's bound to a local address, so use getsockname to extract the local (destination) address. http://src.mit.edu/fisheye/changelog/krb5/?cs=21748 Commit By: raeburn Revision: 21748 Changed Files: U trunk/src/kadmin/server/network.c From rt-comment at krbdev.mit.edu Wed Jan 14 19:59:33 2009 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Thu, 15 Jan 2009 00:59:33 +0000 (UTC) Subject: [krbdev.mit.edu #6339] SVN Commit In-Reply-To: Message-ID: Add new routine krb5int_net_writev using scatter-gather source. Use it from krb5_net_write to ensure testing and reduce duplication. Use it from krb5_write_message to avoid Nagle+DelayedAck problem. http://src.mit.edu/fisheye/changelog/krb5/?cs=21749 Commit By: raeburn Revision: 21749 Changed Files: U trunk/src/lib/krb5/os/deps U trunk/src/lib/krb5/os/net_write.c U trunk/src/lib/krb5/os/os-proto.h U trunk/src/lib/krb5/os/write_msg.c From rt-comment at krbdev.mit.edu Thu Jan 15 14:11:53 2009 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Thu, 15 Jan 2009 19:11:53 +0000 (UTC) Subject: [krbdev.mit.edu #1201] SVN Commit In-Reply-To: Message-ID: Rework the replay cache extensions to make the hash extension records stand alone. Otherwise, reordering of records during an expunge could cause the hash to be applied to the wrong record. Also add an "expunge" option to the t_replay program, and clean up some memory-handling inconsistencies. http://src.mit.edu/fisheye/changelog/krb5/?cs=21751 Commit By: ghudson Revision: 21751 Changed Files: U trunk/src/lib/krb5/rcache/rc_dfl.c U trunk/src/lib/krb5/rcache/t_replay.c From rt-comment at krbdev.mit.edu Thu Jan 15 14:15:25 2009 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Thu, 15 Jan 2009 19:15:25 +0000 (UTC) Subject: [krbdev.mit.edu #6339] SVN Commit In-Reply-To: Message-ID: Fix an additional multiple-write case noted by John, where sendauth calls write_message twice in a row. Add new function krb5int_write_messages, calls krb5_net_writev with multiple messages (currently only two at a time). Use it from krb5_write_message and krb5_sendauth. http://src.mit.edu/fisheye/changelog/krb5/?cs=21752 Commit By: raeburn Revision: 21752 Changed Files: U trunk/src/include/k5-int.h U trunk/src/lib/krb5/krb/sendauth.c U trunk/src/lib/krb5/os/write_msg.c From rt-comment at krbdev.mit.edu Fri Jan 16 19:04:53 2009 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Sat, 17 Jan 2009 00:04:53 +0000 (UTC) Subject: [krbdev.mit.edu #6336] SVN Commit In-Reply-To: Message-ID: patch from Luke - fix enctype-nego enctype list setup http://src.mit.edu/fisheye/changelog/krb5/?cs=21760 Commit By: raeburn Revision: 21760 Changed Files: U trunk/src/lib/krb5/krb/mk_req_ext.c From rt-comment at krbdev.mit.edu Wed Jan 21 12:26:15 2009 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Wed, 21 Jan 2009 17:26:15 +0000 (UTC) Subject: [krbdev.mit.edu #6340] mmap for kdb update log In-Reply-To: Message-ID: Just noting for the future: We should be more paranoid about the handling of the KDB update log file. The use of mmap makes me a bit nervous -- what if the page isn't there and can't be allocated? I did change the update log creation not to create sparse files on some operating systems. However, I think it may be possible in the current code for the file setup to fail if the file system is full at setup time, but leave the file in a state where a later invocation might assume it to be ready to use. Granted, if your KDC's disk fills, you've got other things to worry about, but we don't need the KDC crashing and leaving incomplete files around to add to it. A clean exit, and more importantly leaving the update log file in a state where the next invocation will still recognize the need to allocate storage, would be an improvement. Using fread instead of mmap would help us trap the errors at run time instead of crashing, too, if some case gets missed. (Alternatively: If we don't use mmap, we could forego the initial file setup and just allocate the space as we need it.) Ken From rt-comment at krbdev.mit.edu Wed Jan 21 14:46:09 2009 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Wed, 21 Jan 2009 19:46:09 +0000 (UTC) Subject: [krbdev.mit.edu #6289] replay cache is insecurely handled In-Reply-To: Message-ID: Patch reviewed and applied in r21770 (forgot the ticket header). From rt-comment at krbdev.mit.edu Wed Jan 21 14:51:13 2009 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Wed, 21 Jan 2009 19:51:13 +0000 (UTC) Subject: [krbdev.mit.edu #3499] race in replay cache file ownership In-Reply-To: Message-ID: Fixed in r21770 as submitted in ticket #6289. From rt-comment at krbdev.mit.edu Thu Jan 22 14:10:23 2009 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Thu, 22 Jan 2009 19:10:23 +0000 (UTC) Subject: [krbdev.mit.edu #6284] memory leaks in error conditions In-Reply-To: Message-ID: First patch looks fine; I adapted it to the current code (which was changed fairly heavily by Luke) and will commit shortly. I don't understand the second patch. The first hunk appears to be for Apple-specific code, so I'm ignoring that. The other hunks move a free(reply.enc_part.ciphertext.data) into the errorout label. But (a) that move seems unnecessary, since in the old location the data was freed immediately after it was allocated (i.e. on successful return from krb5_encode_kdc_rep), and (b) that move seems incorrect, since "goto errout" can happen in cases where reply.enc_part.ciphertext.data hasn't been initialized. From rt-comment at krbdev.mit.edu Thu Jan 22 14:19:38 2009 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Thu, 22 Jan 2009 19:19:38 +0000 (UTC) Subject: [krbdev.mit.edu #6284] SVN Commit In-Reply-To: Message-ID: Adapted patch from Apple: in kadmind's process_chpw_request, make sure to free error message strings. http://src.mit.edu/fisheye/changelog/krb5/?cs=21776 Commit By: ghudson Revision: 21776 Changed Files: U trunk/src/kadmin/server/schpw.c From rt-comment at krbdev.mit.edu Thu Jan 22 19:21:49 2009 From: rt-comment at krbdev.mit.edu (Love Hornquist Astrand via RT) Date: Fri, 23 Jan 2009 00:21:49 +0000 (UTC) Subject: [krbdev.mit.edu #6284] memory leaks in error conditions In-Reply-To: Message-ID: 22 jan 2009 kl. 11.10 skrev Greg Hudson via RT: > First patch looks fine; I adapted it to the current code (which was > changed fairly heavily by Luke) and will commit shortly. > > I don't understand the second patch. The first hunk appears to be for > Apple-specific code, so I'm ignoring that. The other hunks move a > free(reply.enc_part.ciphertext.data) into the errorout label. But (a) > that move seems unnecessary, since in the old location the data was > freed immediately after it was allocated (i.e. on successful return > from > krb5_encode_kdc_rep), and (b) that move seems incorrect, since "goto > errout" can happen in cases where reply.enc_part.ciphertext.data > hasn't > been initialized. There needs to be an if(reply.enc_part.ciphertext.data) protecting. The reason we need this is that the pws case add an extra goto errout; Love From rt-comment at krbdev.mit.edu Fri Jan 23 13:04:14 2009 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Fri, 23 Jan 2009 18:04:14 +0000 (UTC) Subject: [krbdev.mit.edu #6342] SVN Commit In-Reply-To: Message-ID: The hash db code assumes in places that the block size is no larger than 64K. There's a range check in the case where you don't have a file but provide initialization info. The btree code will cap the block size used at 64K. Apparently Sun's ZFS can report back a block size of 128K, causing the db2 tests to fail. Add such a cap to the hash db creation code. Note that our default configuration is to use the btree code when creating a new database, so it's unlikely that this will cause real-world problems unless someone went out of their way to specify use of the hash format. http://src.mit.edu/fisheye/changelog/krb5/?cs=21786 Commit By: raeburn Revision: 21786 Changed Files: U trunk/src/plugins/kdb/db2/libdb2/hash/hash.c From rt-comment at krbdev.mit.edu Fri Jan 23 19:49:01 2009 From: rt-comment at krbdev.mit.edu (Russ Allbery via RT) Date: Sat, 24 Jan 2009 00:49:01 +0000 (UTC) Subject: [krbdev.mit.edu #6343] klist should mark expired tickets In-Reply-To: Message-ID: This is Debian bug http://bugs.debian.org/482522 Heimdal klist shows expired tickets by replacing the ticket expiration time with a string indicating the ticket is expired. With MIT klist, you have to read the expiration time and notice that it was in the past. It would be nice to show something similar. One option would be to show >>EXPIRED<< by default and provide a switch to show the actual expiration time. Another would be to follow the formatting of renewable tickets and do something like: Valid starting Expires Service principal 01/23/09 16:14:04 >>EXPIRED<< krbtgt/stanford.edu at stanford.edu expired at 01/23/09 16:20:04 From rt-comment at krbdev.mit.edu Fri Jan 23 19:59:23 2009 From: rt-comment at krbdev.mit.edu (Russ Allbery via RT) Date: Sat, 24 Jan 2009 00:59:23 +0000 (UTC) Subject: [krbdev.mit.edu #6344] kadmind support for binding to specific local IPs In-Reply-To: Message-ID: This is Debian bug http://bugs.debian.org/479405 kadmind currently supports an option to run on a different port, which can be used to serve different realms on the same host with different ports. However, this requires client knowledge of the kadmin port for that realm, which requires pushing configuration to the clients. This isn't as bad as it used to be given SRV records, but it would still be nice to support binding only to particular IP addresses so that multiple instances of kadmin can be run on the same server for different realms using the standard ports. This functionality would also allow kadmin to listen only on selected interfaces, which can be useful in other cases apart from running multiple copies of kadmind. The implementation for TCP is fairly straightforward. It's somewhat trickier for UDP, but I suspect that much of the UDP code is already present in the KDC. From rt-comment at krbdev.mit.edu Fri Jan 23 20:34:44 2009 From: rt-comment at krbdev.mit.edu (Russ Allbery via RT) Date: Sat, 24 Jan 2009 01:34:44 +0000 (UTC) Subject: [krbdev.mit.edu #6345] no kdb5_util stash equivalent with LDAP database In-Reply-To: Message-ID: This is Debian bug http://bugs.debian.org/484808 There appears to be no equivalent to the kdb5_util stash command for an LDAP-only database. kdb5_util stash doesn't work without access to a traditional KDC database, and kdb5_ldap_util stashsrvpw does something different. This means that if one doesn't create a stash file during the LDAP database creation with the -sf option, there isn't a good way to create one later. From rt-comment at krbdev.mit.edu Fri Jan 23 20:42:32 2009 From: rt-comment at krbdev.mit.edu (Russ Allbery via RT) Date: Sat, 24 Jan 2009 01:42:32 +0000 (UTC) Subject: [krbdev.mit.edu #6346] domain_realm docs need update for referrals In-Reply-To: Message-ID: This is Debian bug http://bugs.debian.org/482681 The documentation for domain_realm mappings needs an update for referral support. The following stanza in admin.texinfo: | If no translation entry applies, the host's realm is considered to be | the hostname's domain portion converted to upper case. is no longer entirely correct. According to Sam's comments in the Debian bug: First, the realm of a host if no domain_realm entry is found is no longer the uppercase DNS name of the host. Instead it is a special realm that means no realm is available. Most of the code actually treats this vale to mean that the uppercase DNS name should be used. Keytabs however don't. In the keytab case we use the default realm. I think the documentation may also need to mention what happens when the local KDC does support referrals. From rt-comment at krbdev.mit.edu Fri Jan 23 20:54:29 2009 From: rt-comment at krbdev.mit.edu (Russ Allbery via RT) Date: Sat, 24 Jan 2009 01:54:29 +0000 (UTC) Subject: [krbdev.mit.edu #6347] kadmin -keepold documented as not supported for LDAP but appears to work In-Reply-To: Message-ID: This is Debian bug http://bugs.debian.org/480517 The kadmin man page says that -keepold is not supported for the LDAP database, but it appears to work. Is the documentation out of date compared to the implementation, or is this really dangerous and shouldn't be done? (If the latter, it probably should be disallowed somewhere in the code.) From rt-comment at krbdev.mit.edu Fri Jan 23 21:03:25 2009 From: rt-comment at krbdev.mit.edu (Russ Allbery via RT) Date: Sat, 24 Jan 2009 02:03:25 +0000 (UTC) Subject: [krbdev.mit.edu #6348] kadmin and ktutil installed in sbin, should be bin In-Reply-To: Message-ID: This is Debian bug http://bugs.debian.org/477296 kadmin and ktutil are installed into ADMIN_BINDIR, which generally means sbin. However, sbin is normally intended for binaries that only make sense to be run by the local system administrator as root. The separate directory is used mainly to avoid putting those binaries on the user's path when they can't do anything useful with them. See, for instance: http://www.pathname.com/fhs/pub/fhs-2.3.html#SBINSYSTEMBINARIES Neither kadmin nor ktutil require root privileges on the local system. kadmin may require administrative access to a Kerberos realm, but that's not the same case as the /sbin vs. /bin distinction; the user on the local system running kadmin is generally a normal user. Plus, both binaries are used for manipulating non-system files; kadmin ktremove requires no special access to any network service and is a reasonable thing for an application administrator to do from a non-privileged account. I'd like to move them to /usr/bin in the Debian package, but I don't really want to diverge from the MIT distribution. I think both should be moved to the regular /bin directory by the MIT install process as well. From rt-comment at krbdev.mit.edu Sun Jan 25 11:44:09 2009 From: rt-comment at krbdev.mit.edu (Ezra Peisach via RT) Date: Sun, 25 Jan 2009 16:44:09 +0000 (UTC) Subject: [krbdev.mit.edu #6308] SVN Commit In-Reply-To: Message-ID: Use a struct in_addr to insure alignment of address - instead of random alignment on the stack. Solaris 2.10 has issues if the address is not aligned. The rest of the code in the tree uses a struct in_addr or mallocs the address - which will be sufficiently aligned. http://src.mit.edu/fisheye/changelog/krb5/?cs=21794 Commit By: epeisach Revision: 21794 Changed Files: U trunk/src/tests/resolve/resolve.c From rt-comment at krbdev.mit.edu Mon Jan 26 06:07:58 2009 From: rt-comment at krbdev.mit.edu (Ezra Peisach via RT) Date: Mon, 26 Jan 2009 11:07:58 +0000 (UTC) Subject: [krbdev.mit.edu #6349] lib/rpc tests should not fail if portmap/rpcbind not running In-Reply-To: Message-ID: From rt-comment at krbdev.mit.edu Mon Jan 26 06:09:10 2009 From: rt-comment at krbdev.mit.edu (Ezra Peisach via RT) Date: Mon, 26 Jan 2009 11:09:10 +0000 (UTC) Subject: [krbdev.mit.edu #6349] lib/rpc tests should not fail if portmap/rpcbind not running In-Reply-To: Message-ID: If portmap is not running - or if one cannot register a port w/ rpcbind because we are not using a reserved local port (need to use a socket) - the lib/rpc tests should not blow up and fail. > From rt-comment at krbdev.mit.edu Mon Jan 26 12:59:59 2009 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Mon, 26 Jan 2009 17:59:59 +0000 (UTC) Subject: [krbdev.mit.edu #6350] automated test for replay cache collision avoidance In-Reply-To: Message-ID: Implement an automated test for the replay cache collision avoidance functionality. From rt-comment at krbdev.mit.edu Mon Jan 26 15:02:59 2009 From: rt-comment at krbdev.mit.edu (Sam Hartman via RT) Date: Mon, 26 Jan 2009 20:02:59 +0000 (UTC) Subject: [krbdev.mit.edu #6351] SVN Commit In-Reply-To: Message-ID: The krb5_c_crypto_length API returns unsigned int per its design. so, use unsigned int not size_t for its output. http://src.mit.edu/fisheye/changelog/krb5/?cs=21799 Commit By: hartmans Revision: 21799 Changed Files: U trunk/src/lib/gssapi/krb5/k5sealv3iov.c From rt-comment at krbdev.mit.edu Tue Jan 27 20:28:31 2009 From: rt-comment at krbdev.mit.edu (Sam Hartman via RT) Date: Wed, 28 Jan 2009 01:28:31 +0000 (UTC) Subject: [krbdev.mit.edu #6352] SVN Commit In-Reply-To: Message-ID: krb5_c_encrypt sets the kvno of ciphertext to 0. So fill it in after the call to encrypt_tkt_part. http://src.mit.edu/fisheye/changelog/krb5/?cs=21815 Commit By: hartmans Revision: 21815 Changed Files: U trunk/src/kdc/do_tgs_req.c From rt-comment at krbdev.mit.edu Wed Jan 28 18:22:35 2009 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Wed, 28 Jan 2009 23:22:35 +0000 (UTC) Subject: [krbdev.mit.edu #6353] SVN Commit In-Reply-To: Message-ID: Mark all single-DES enctypes as "weak", and create a new libdefaults variable "allow_weak_crypto", which defaults to "false". http://src.mit.edu/fisheye/changelog/krb5/?cs=21823 Commit By: tlyu Revision: 21823 Changed Files: U trunk/src/include/k5-int.h U trunk/src/kadmin/testing/proto/krb5.conf.proto U trunk/src/lib/crypto/etypes.c U trunk/src/lib/crypto/etypes.h U trunk/src/lib/crypto/libk5crypto.exports U trunk/src/lib/crypto/valid_enctype.c U trunk/src/lib/krb5/krb/init_ctx.c U trunk/src/tests/dejagnu/config/default.exp From rt-comment at krbdev.mit.edu Wed Jan 28 21:51:32 2009 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Thu, 29 Jan 2009 02:51:32 +0000 (UTC) Subject: [krbdev.mit.edu #6308] Alignment problem in resolver test In-Reply-To: Message-ID: see also r21820 From rt-comment at krbdev.mit.edu Wed Jan 28 21:50:24 2009 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Thu, 29 Jan 2009 02:50:24 +0000 (UTC) Subject: [krbdev.mit.edu #6351] gss_header|trailerlen should be unsigned int In-Reply-To: Message-ID: Why the cast to size_t? The function prototype should render it unnecessary. From rt-comment at krbdev.mit.edu Thu Jan 29 10:41:41 2009 From: rt-comment at krbdev.mit.edu (Sam Hartman via RT) Date: Thu, 29 Jan 2009 15:41:41 +0000 (UTC) Subject: [krbdev.mit.edu #6351] gss_header|trailerlen should be unsigned int In-Reply-To: Message-ID: >>>>> "Tom" == Tom Yu via RT writes: Tom> Why the cast to size_t? The function prototype should render Tom> it unnecessary. Reflexiveness from -when Wconversion was enabled. From rt-comment at krbdev.mit.edu Thu Jan 29 14:48:21 2009 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Thu, 29 Jan 2009 19:48:21 +0000 (UTC) Subject: [krbdev.mit.edu #5894] krb5int_arcfour_string_to_key does not support utf-8 strings In-Reply-To: Message-ID: Luke's work has implemented this on a cross-platform basis. From rt-comment at krbdev.mit.edu Fri Jan 30 13:01:10 2009 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Fri, 30 Jan 2009 18:01:10 +0000 (UTC) Subject: [krbdev.mit.edu #6299] krb5_stdccv3_remove mem leak In-Reply-To: Message-ID: This patch appears to blow away the value of err from the loop. If, for instance, the specified credential is not found, the function would probably return successfully anyway because it was able to release the iterator. Also, if credentials were successfully removed but the iterator could not be released, cache_changed() should probably still be called. From rt-comment at krbdev.mit.edu Fri Jan 30 18:55:36 2009 From: rt-comment at krbdev.mit.edu (william.fiveash@sun.com via RT) Date: Fri, 30 Jan 2009 23:55:36 +0000 (UTC) Subject: [krbdev.mit.edu #6354] SVN Commit In-Reply-To: Message-ID: Commit for the Master Key Migration Project. http://k5wiki.kerberos.org/wiki/Projects/Master_Key_Migration This commit provides the ability to add a new master key (with an enctype differing from the current master key) to the master key principal and stash file and then migrate the encryption of existing principals long term keys to use the new master key. In addition deletion of master keys is provided. http://src.mit.edu/fisheye/changelog/krb5/?cs=21844 Commit By: wfiveash Revision: 21844 Changed Files: U trunk/src/include/kdb.h U trunk/src/kadmin/cli/kadmin.c U trunk/src/kadmin/dbutil/Makefile.in U trunk/src/kadmin/dbutil/dump.c U trunk/src/kadmin/dbutil/kdb5_create.c A trunk/src/kadmin/dbutil/kdb5_mkey.c U trunk/src/kadmin/dbutil/kdb5_stash.c U trunk/src/kadmin/dbutil/kdb5_util.M U trunk/src/kadmin/dbutil/kdb5_util.c U trunk/src/kadmin/dbutil/kdb5_util.h U trunk/src/kadmin/server/ovsec_kadmd.c U trunk/src/kdc/do_as_req.c U trunk/src/kdc/do_tgs_req.c U trunk/src/kdc/extern.c U trunk/src/kdc/extern.h U trunk/src/kdc/kdc_preauth.c U trunk/src/kdc/kdc_util.c U trunk/src/kdc/main.c U trunk/src/lib/kadm5/srv/libkadm5srv.exports U trunk/src/lib/kadm5/srv/server_kdb.c U trunk/src/lib/kadm5/srv/svr_iters.c U trunk/src/lib/kadm5/srv/svr_principal.c U trunk/src/lib/kdb/kdb5.c U trunk/src/lib/kdb/kdb_cpw.c U trunk/src/lib/kdb/kdb_default.c U trunk/src/lib/kdb/keytab.c U trunk/src/lib/kdb/libkdb5.exports U trunk/src/lib/krb5/error_tables/kdb5_err.et U trunk/src/plugins/kdb/db2/db2_exp.c U trunk/src/plugins/kdb/db2/kdb_db2.c U trunk/src/plugins/kdb/db2/kdb_db2.h U trunk/src/plugins/kdb/ldap/ldap_exp.c U trunk/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c U trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h U trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_xdr.c U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_fetch_mkey.c U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.h From rt-comment at krbdev.mit.edu Fri Jan 30 22:57:24 2009 From: rt-comment at krbdev.mit.edu (Tom Yu via RT) Date: Sat, 31 Jan 2009 03:57:24 +0000 (UTC) Subject: [krbdev.mit.edu #6353] SVN Commit In-Reply-To: Message-ID: Default allow_weak_crypto=true for now. Default supported_enctypes to exclude single-DES enctypes. http://src.mit.edu/fisheye/changelog/krb5/?cs=21851 Commit By: tlyu Revision: 21851 Changed Files: U trunk/src/include/osconf.hin U trunk/src/lib/kadm5/alt_prof.c U trunk/src/lib/krb5/krb/init_ctx.c From rt-comment at krbdev.mit.edu Fri Jan 30 23:39:38 2009 From: rt-comment at krbdev.mit.edu (Ken Raeburn via RT) Date: Sat, 31 Jan 2009 04:39:38 +0000 (UTC) Subject: [krbdev.mit.edu #6355] SVN Commit In-Reply-To: Message-ID: Change t_inetd to print a ready message when it has started listening on the indicated port number. Look for this message in sample.exp rather than waiting an arbitrary (and usually excessive) 2s each time for the inetd-mode tests. Use run_once to perform the standalone-mode test only once per test suite invocation. Change rsh and rcp tests to start the servers via t_inetd and avoid excessive waiting at startup. In some of my tests, this reduces the tests/dejagnu tests from taking over 6 minutes to taking around 2 minutes. (This does mean the server process will no longer have started up before we launch the client, so it may be slower to respond, but it'll still be faster than the 2s delay we used before even trying to connect.) We can probably eliminate the -D option code from krshd.c now. The tests run as root (rlogin, telnet) still need updating. http://src.mit.edu/fisheye/changelog/krb5/?cs=21855 Commit By: raeburn Revision: 21855 Changed Files: U trunk/src/tests/dejagnu/krb-standalone/rcp.exp U trunk/src/tests/dejagnu/krb-standalone/rsh.exp U trunk/src/tests/dejagnu/krb-standalone/sample.exp U trunk/src/tests/dejagnu/t_inetd.c