To speed up tests/gss/check-gssmask we need to remove the `sleep 10`
found there, and to do that we need to make the gssmask daemons use
roken_detach_prep()/roken_detach_finish(), and to do that we need to
split up mini_inetd_addrinfo().
This commit authored by Claude with human guidance and review.
as of autoconf 2.72 neither ac_cv_sys_large_files nor
ac_cv_sys_file_offset_bits are populated. 1b57b62 introduced a
workaround just for ac_cv_sys_file_offset_bits by checking if it's not
empty.
expand fix to cover ac_cv_sys_large_files as well and check
ac_cv_sys_largefile_opts which is populated in autoconf 2.72 [1]
1. https://git.savannah.gnu.org/cgit/autoconf.git/commit/?id=cf09f48841b66fe76f606dd6018bb3a93242a7c9
Windows clients forget GSS_C_MUTUAL_FLAG in some situations where they
use GSS_C_DCE_STYLE, in the assumption that GSS_C_MUTUAL_FLAG is
implied.
Both Windows and MIT as server already imply GSS_C_MUTUAL_FLAG
when GSS_C_DCE_STYLE is used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15740
Signed-off-by: Stefan Metzmacher <metze@samba.org>
4c34168b01 ("base: Fix use of
HEIM_USE_PATH_TOKENS") relocated the expansion of path tokens
within heim_config_parse_file_multi() so it is only performed
for non-plist files. However, parse_plist_config() does not
understand tokens and will treat them as path components. As
a result, plist paths such as
%{USERCONFIG}/Library/Preferences/com.apple.Kerberos.plist
will not be expanded. If parse_plist_config() fails with ENOENT,
then the plist configuration will be skipped and krb5_init_context()
will succeed. However, if the current working directory is invalid,
then parse_plist_config() would return ENOMEM which is a fatal
error and krb5_init_context() would fail.
For example, on macOS, if the cwd is in /afs and the user's
tokens have expired:
user@MacBookAir user % ~/src/heimdal/kuser/heimtools klist
shell-init: error retrieving current directory:
getcwd: cannot access parent directories: Permission denied
chdir: error retrieving current directory:
getcwd: cannot access parent directories: Permission denied
heimtools: krb5_init_context failed: 12
With this change %{USERCONFIG} is expanded and parse_plist_config()
is called with an absolute path. Even though the specified file
is inaccessible, the krb5_init_context() call succeeds.
If parse_plist_config() is called with a non-absolute path which
is defined as a path whose first character is not '/', then
CFReadStreamCreateWithFile() must determine the current working
directory in order to return a CFURLRef to an absolute path.
If getcwd() fails, then CFReadStreamCreateWithFile() returns
NULL.
Instead of unconditionally returning ENOMEM when NULL is returned,
check if the path is non-absolute and call getcwd(). If getcwd()
fails, return errno. Otherwise, return ENOMEM. This permits
ENOENT (a component of the pathname no longer exists) or EACCES
(read or search permission was denied for a component of the
pathname) to be returned as the reason.
ENOMEM is a fatal error when constructing the configuration for
krb5_init_context() whereas ENOENT and EACCES are not fatal.
Without this patch on macOS, if the cwd is in /afs and the user's
tokens have expired, then krb5_init_context() fails with ENOMEM (12).
user@MacBookAir user % ~/src/heimdal/kuser/heimtools klist
shell-init: error retrieving current directory: \
getcwd: cannot access parent directories: Permission denied
chdir: error retrieving current directory: \
getcwd: cannot access parent directories: Permission denied
heimtools: krb5_init_context failed: 12
With this change krb5_init_context() succeeds.
When building for Apple operating systems rk_dns_lookup() must
use dns_search() instead of res_search(). Although res_search()
is available, it only issues queries using the /etc/resolv.conf
configuration. Whereas dns_search() will issue the query against
alternate resolver configurations such as those created by VPN
services.
Cherry picked from libtommath 7bbc1f8e4fe6dce75055957645117180768efb15.
Vulnerability Detail:
CVE Identifier: CVE-2023-36328
Description: Integer Overflow vulnerability in mp_grow in libtom
libtommath before commit beba892bc0d4e4ded4d667ab1d2a94f4d75109a9,
allows attackers to execute arbitrary code and cause a denial of
service (DoS).
Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-36328
Reported-by: https://github.com/Crispy-fried-chicken
MIT commit d3b39a8bac6206b5ea78b0bf6a2958c1df0b0dd5 implemented
krb5_cc_remove_cred() for FILE ccaches by setting endtime to zero
and authtime to minus one and then filtering out those credentials
from get_next().
This change sets "authtime = -1" for the removed cred to permit
MIT krb5 to ignore removed credentials from a shared FILE ccache.
MIT commit 4c0838bb4c232866b95c9f2f72a55bf77cfc1308 modified the
cred_removed() check to restore compatibility with Heimdal.
commit a9bd3c6e50 ("Fix racy file ccache
corruption in cred_delete()") implemented krb5_cc_remove_cred() for
"FILE" ccaches by overwriting the removed credential endtime value
with zero (Unix Epoch). However, it did not modify fcc_get_next()
to filter out these deleted entries. As a result, invalid credentials
can be returned from the FILE ccache where endtime < starttime.
RFC4120 requires endtime >= starttime for all tickets.
MIT Kerberos since d3b39a8bac6206b5ea78b0bf6a2958c1df0b0dd5
("Implement krb5_cc_remove_cred for remaining types") modifies a
removed cred by setting
endtime = 0
authtime = -1
and then filters out removed creds from the fcc_next_cred() results.
In 2013 Heimdal broke interop with MIT processes that share the
FILE ccache by implementing remove by setting "endtime = 0" and
now MIT has broken interop with the Heimdal implementation of
fcc_remove_cred() by checking for both "endtime = 0" and "authtime = -1".
This change filters results from fcc_get_next() when the "endtime == 0"
which is acceptable because a KDC is not permitted to return a
ticket with an endtime == 0.
The 'restrict' keyword was introduced in C99 and provides a hint to
the compiler that can be used to better optimized code. The 'restrict'
keyword results in build failures when the compiler is not C99.
auditdns.c:101:37: error: expected ‘;’, ‘,’ or ‘)’ before ‘hints’
const struct addrinfo *restrict hints,
^
auditdns.c:409:45: error: expected ‘;’, ‘,’ or ‘)’ before ‘sa’
getnameinfo(const struct sockaddr *restrict sa, socklen_t salen,
^
This change defines 'register' to nothing if the compiler does not
implement the C99 standard.
Observed with gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-44).
If crypt() is unavailable then DES_AFS3_string_to_key() cannot be
implemented for passwords up to 8 characters in length. Do not
advertise support for "afs3-salt" when crypt() is missing.
The callers of this macro generally do not supply this information.
Without it, the checks rely on compiler support for implicit function
declarations. It would be possible to supply this information in
the callers. But even then, with the existing macro interface, it
would be necessary to pass eg. null pointers where they trigger
undefined behavior. Therefore, use the same kludge that autoconf
uses to make up prototypes, avoiding those implicit function
declarations.
The includes/arguments macro parameters are now ignored, but preserved
for interface compatibility.
This ensures we inherit the clock skew adjustment from the AS-REQ/REP into the
memory ccache in a similar way done for the file ccache.
This means krb5_cc_get_kdc_offset() will return the correct value and
_krb5_get_cred_kdc_any() uses the adjusted time in the authenticator of
subsequent TGS-REQ.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15676
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
At least Windows KDCs return KRB5KRB_AP_ERR_SKEW without edata in
response to TGS-REQ.
This ensures the callers see the KRB5KRB_AP_ERR_SKEW error and not
KRB5_KDCREP_MODIFIED "FAST fast response is missing FX-FAST".
For the response to an amored AS-REQ, we'll now return
KRB5KRB_AP_ERR_MODIFIED instead of KRB5_KDCREP_MODIFIED,
but if there's an attack the exact error code doesn't matter.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15676
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Sequence errors are supplemental information in GSSAPI. This means
that they are not fatal, unless they are returned alongside a failure
error code. This change makes our behaviour the same as MIT's - sequence
errors are non-fatal, and return valid output information.
commit 4d48b172ab ("add pkinit
configration for btmm") introduced automatic configuration of
the 'pkinit_kdc_identity' and 'pkinit_kdc_friendly_name' on macOS
but also modified the default for the 'enable_pkinit' setting
such that pkinit is enabled on all __APPLE__ platforms overriding
the [kdc] enable-pkinit setting obtained from the configuration.
This change modifies the enable-pkinit behavior on __APPLE__ platforms
to match those on every other platform. __APPLE__ platforms will
continue to auto-configure the [kdc] pkinit_identity and
[kdc] pkinit_anchors if they are not specified in the configuration.
