Delegated or other explicit credentials were mishandled, the code only
worked correctly when processing default credentials. In particular
this caused root's default credential cache to be accessed when accepting
delegated credentials in SSH:
ssh_gssapi_accept_ctx() ->
ssh_gssapi_getclient() ->
gss_inquire_cred_by_mech()
When /tmp/krb5cc_0 contained expired tickets, cascaded credentials
stopped working for non-root users!
Add an implementation of memset_s to roken.
Some optimising compilers may remove the memset() instruction when it
is used immediately before a free, which defeats its purpose if the
intention is to zero memory before returning it to the heap or stack.
C11 added memset_s, provide a fallback in roken so that memset_s can
be used on all platforms.
Previously getenv("KRB5_KTNAME") happened in
init_context_from_config_file()
which would capture the environment value as an override without
using strdup() to get a private copy, so it would get trashed in
applications that dynamically update the environment (e.g. Perl
code that has a tied %ENV).
The patch delays getenv("KRB5_KTNAME") until the context's value
of default_keytab is actually needed, and the environment can preempt
the context's default at that time.
[ Do we need to worry about issuid() being true initially when the
context is created, but not later, because the application changes
both the real and effective uid? If so the issuid() state should
be saved when the context is created and the saved value queried. ]
On any OS with a properly implemented getaddrinfo() this change is a
no-op. Passing NULL for the hint is supposed to be the same as an
addrinfo structure with all fields set to 0. There is no need to set
ai_family to AF_UNSPEC because that value is already 0.
GNU libc doesn't follow standard behaviour. Quoting from
http://man7.org/linux/man-pages/man3/getaddrinfo.3.html :
"Specifying hints as NULL is equivalent to setting ai_socktype and
ai_protocol to 0; ai_family to AF_UNSPEC; and ai_flags to
(AI_V4MAPPED | AI_ADDRCONFIG). (POSIX specifies different defaults for
ai_flags; see NOTES.)"
The NOTES section says:
"According to POSIX.1-2001, specifying hints as NULL should cause
ai_flags to be assumed as 0. The GNU C library instead assumes a value
of (AI_V4MAPPED | AI_ADDRCONFIG) for this case, since this value is
considered an improvement on the specification."
The patch makes sure that krb5_parse_address works consistently on both
GNU libc and systems that follow POSIX.1-2001 to the letter. Some
incorrect Fedora 17 patches managed to break IPv6 connectivity and were
later backed out (see discussion at https://bugzilla.redhat.com/808147).
This patch resolves the incompatibility.
Signed-off-by: Ken Dreyer <ktdreyer@ktdreyer.com>
Commit ad7e54d698 introduced the use
of _krb5_expand_path_tokens() to expand tokens (and on Windows convert
path delimiters) within credential cache names. This is safe to do
for the path based credential cache types FILE, DIR and SCC but on
Windows is unsafe for the non-path types.
For example on Windows, the API credential cache names are often based
on the principal name and the principal name is parsed from the ccname.
This practice was introduced with the version v2 ccapi when there was
no method of enumerating the caches from the krb5 library.
This change adds a "filepath" boolean parameter to _krb5_expand_path_tokens()
which is set to TRUE (non-zero) when the input is a file path and FALSE
(zero) when the input is not a file path. _krb5_expand_path_tokens() will
only perform directory separator normalization on Windows when the
"filepath" parameter is TRUE.
This change is not the preferred solution because it requires that the
library be aware of all credential cache types that use path based
residuals. The preferred solution would require that the credential cache
implementation indicate whether or not it uses a path based residual.
This change has been implemented using a prefix test and not a change to
struct krb5_cc_ops because existing ccache plugins will not know how to
advertise their use of path based residuals and that path expansion is
safe.
Change-Id: I8135991e8ce69fc5273d381ea9c2078bc2bcd19a
_hc_CryptProvider() returns a global handle to a Win32 Crypt Provider.
If the global handle is NULL, then a handle is allocated. Unfortunately,
due to a coding mistake the global handle variable, g_cryptprovider, was
never set and a new handle was allocated with each call.
Refactor the function to ensure that the global handle is the value
that is returned. Use NULL instead of 0 for pointer assignment.
Change-Id: If1ef3aa19cbd1d51860370db24c086e86922ff0d
Add support for the "rxkad-kdf" protocol for deriving rxkad session keys
from non-DES Kerberos session keys. This allows rxkad to be used in
realms where the KDC is unwilling or unable to issue tickets with
single-DES session keys.
The KDC Option and Ticket Flag for the anonymous extension were changed
from 14 to 16 due to a conflict with S4U2Proxy in version 11 of the anonymous
draft (now RFC6112). Fix the definitions
A comparison of (len > len + 1) is permitted to be optimized out
as dead code because it can't be true. Overflowing is an exceptional
condition that results in undefined behavior. The correct conditional
is (len == SIZE_MAX) when len is size_t.
Change-Id: Ia5586556a973d9fa5228430c4304ea9792c996bb
Now that test_fx checks 1DES keys, we need to call allow_weak_crypto on
the test's context.
Without this fix, "make check" was failing with the following error:
lt-test_fx: krb5_crypto_init: Encryption type des-cbc-crc not
supported
The hdb_ldap_create and hdb_ldapi_create prototypes use the "static"
keyword, but the functions themselves are not implemented as static.
Heimdal's buildsystem dynamically adds function declarations to
hdb-protos.h based on the actual function implementations. Those
declarations in hdb-protos.h are not declared as static.
Since the build system generates the declarations dynamically, just
remove them from hdb-ldap.c.
When we added the get-keys privilege we lost the ability to setup
keytabs with the kadmin ext command. The fix is to note that we got
bogus key data and randkey (as we used to).
(rebased on current Heimdal by abartlet)
The error Coverity complains about is in the malloc. krb5_enctypes is
an enum, so it is usually smaller than the size of a pointer. So we
overallocate, but in the memcpy further down we copy from potentially
invalid memory.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed Nov 13 11:05:44 CET 2013 on sn-devel-104
In the error case without EXTRA_ADDRESSES we access ignore_addresses
without initialization
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This makes sure config.h gets includes first.
This should fix the build on AIX.
metze
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Jun 17 16:16:24 CEST 2012 on sn-devel-104
This should fix the build on AIX.
metze
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sat Jun 16 23:59:07 CEST 2012 on sn-devel-104
