Zero out the DES_cblock structure instead of the (not yet used at this point
in the function) key schedule. The contents could potentially be left
on the stack in the case of an error return from _gssapi_verify_pad().
We generally clear out the cryptographic key and key schedule from
local variables before relinquishing control flow, but this case was
missed. Reported by jhb@FreeBSD.org.
The iovec encryption code doesn't handle 0 length iovecs correctly.
Instead of just skipping them, _krb5_evp_encrypt_iov_cts() will spin
on the 0 length iovec.
Modify the _krb5_evp_iov_cursor_expand helper so that iovec expansion
simply skips 0 length iovecs, and make _krb5_evp_iov_cursor_nextcrypt
do the same.
Original bug report and tests from Andrew Bartlett <abartlet@samba.org>
Treat principals of type NT-UNKNOWN as NT-SRV-HST if the first component
of the principal name is "host".
Change-Id: I28fb619379daac827436040e701d4ab7b279852b
gsskrb5_acceptor_start() was making a copy of the global pointer
_gsskrb5_keytab to use later. This invites a race condition where
another thread could call gsskrb5_register_acceptor_identity()
(thus invalidating the target of the copied pointer) before it is
used by gsskrb5_acceptor_start().
So instead, clone the keytab to a new one while protected by the
mutex lock (similar to get_keytab() in acquire_cred.c).
Signed-off-by: Nicolas Williams <nico@twosigma.com>
This adds a new backend for libhcrypto: the OpenSSL backend.
Now libhcrypto has these backends:
- hcrypto itself (i.e., the algorithms coded in lib/hcrypto)
- Common Crypto (OS X)
- PKCS#11 (specifically for Solaris, but not Solaris-specific)
- Windows CNG (Windows)
- OpenSSL (generic)
The ./configure --with-openssl=... option no longer disables the use of
hcrypto. Instead it enables the use of OpenSSL as a (and the default)
backend in libhcrypto. The libhcrypto framework is now always used.
OpenSSL should no longer be used directly within Heimdal, except in the
OpenSSL hcrypto backend itself, and files where elliptic curve (EC)
crypto is needed.
Because libhcrypto's EC support is incomplete, we can only use OpenSSL
for EC. Currently that means separating all EC-using code so that it
does not use hcrypto, thus the libhx509/hxtool and PKINIT EC code has
been moved out of the files it used to be in.
Make memcmp() compare the name1 and name2 value instead of comparing
name1 with itself.
The memcmp() is only executed if the left-hand side of the || is false
i.e. when both length are equal so the length argument is correct (no out-of-bounds reads).
restore correct OID for GSS_C_PEER_HAS_UPDATED_SPNEGO, this should have no
ABI implications, it's for internal use only. The current OID was incorrectly
copied in commit dbeeb18a, it should belong to 1.3.6.1.4.1.5322.19 which is
... enterprise(1) padl(5322) gssKrb5Extensions(19). The OID we were camping
on belongs to another party.
This is generated from lib/gssapi/oid.txt using lib/gssapi/gen-oid.pl,
which sorts the entries to ensure minimal diff churn when an oid is
added or changed.
The lack of effective changes can be seen by sorting both versions, a
bit like this:
$ git show HEAD~~:lib/gssapi/mech/gss_oid.c | sort > /tmp/gss_oid.c-OLD
$ cat lib/gssapi/mech/gss_oid.c | sort > /tmp/gss_oid.c-NEW
$ diff -u /tmp/gss_oid.c*
$ #Nothing to see!
This is of course not a reliable check in general, but works for this
simple file in concert with ordinary inspection.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
As seen in commit cc47c8fa7 (Roland C. Dowdeswell <elric@imrryr.org>,
"Turn on -Wextra -Wno-sign-compare -Wno-unused-paramter and fix
issues"), compilers can be persuaded to dislike a single {NULL} and
prefer {NULL, NULL, NULL, NULL}. That patch altered the C code
directly; here we change the generating file to match.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
These missed out on the rk_UNCONST()ification by virtue of being added
in a parallel branch. In the diagram below, they got added in 02cf28e,
while the rk_UNCONSTs were added in f5f9014.
* cc47c8f Turn on -Wextra -Wno-sign-compare -Wno-unused-paramter and fix issues.
* 3069d80 Merge branch 'master' into lukeh/acquire-cred-ex
|\
| * f5f9014 Warning fixes from Christos Zoulas
* | 02cf28e implement gss_acquire_cred_ex with password support
|/
* 2170219 add more oids
rk_UNCONST amounts to a cast to (void *), removing const.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
The invocation `require "getopts.pl"; Getopts(...)` works in Perl 4,
but not in recent Perl 5.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Some non-GSSAPI implementations that instead try to create compatible packets by wrapping krb5_mk_req()
can trigger a NULL authenticator here. Assume this to be equvilent to specifying an all-zero
channel bindings and some reasonable (fixed) flags.
Original patch by Andrew Bartlett, restructured by Douglas Bagnall
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>