The default client principal for krb5_set_password, if the
principal argument were NULL, was krb5_get_default_principal. But
krb5_set_password requires credentials for the password change service
be passed in, and those credentials are already associated with a
client principal that's much more likely to be the correct choice for
a default. Use that principal instead of krb5_get_default_principal.

If the hostname was already set, a typo in a test meant we were not
freeing it. While we're at it, handle the unlikely possibility that
the existing pointer is passed as the new value.

On Debian stretch systems PAM modules linked against Heimdal run into
symbol conflicts with parse_time() in systemd libraries. We redefine
parse_time() and friends to rk_parse_time(), ... while keeping the old
names for ABI compatibility with existing clients.
The legacy names should eventually be dropped.

In _krb5_extract_ticket() the KDC-REP service name must be obtained from
the encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'. Use of the unencrypted version provides an
opportunity for successful server impersonation and other attacks.
Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
Change-Id: I45ef61e8a46e0f6588d64b5bd572a24c7432547c

Unlike the ccache, we can't lock less because of the way in which keytab
entries are removed: by negating their length. Also unlike ccaches, we
hold locks across the entirety of keytab iteration.

Use stdio. Don't lock to read -- we only ever rename new ccaches into
place, or overwrite endtimes to delete entries, or overwrite part of the
realm name of cc config entries.
Dropping locks around ccache iterator stepping strongly implied that we
don't expect truncation, that we only expect appends (and the
overwriting done to delete entries).
Don't unlock -- let close(2) do it, thus making fewer system calls.

The ASN.1 functions copy_Realm(), copy_PrincipalName() and
copy_EncryptionKey() can fail. Check the return and perform error
handling as appropriate.
Change-Id: I2b3629d19db96eb41d1cd554cef1dca99745e753

When comparing the first component of a multi-component
string that uses a field separator (e.g., '/' or ':'), be sure
to include the separator in the comparison to ensure that the
comparison does not succeed due to a prefix match.
Change-Id: Ieec3e73cb015a83bb652ec11cd7d83e57755c3d2

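As an added illustration of the prefix-match bug this commit describes (example code, not Heimdal's; the helper names and sample inputs are constructed), a bare prefix comparison beside the corrected form that includes the separator:

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers, not Heimdal code: compare the first component of a
 * separator-delimited string such as "service/host" or "user:group". */

/* Buggy form: a bare prefix comparison. comp "host" also matches
 * "hostmaster/example.org", because only strlen(comp) bytes are checked. */
bool first_component_is_buggy(const char *s, const char *comp)
{
    return strncmp(s, comp, strlen(comp)) == 0;
}

/* Corrected form: the separator must immediately follow comp, so the match
 * is on the whole first component rather than on any prefix of it. */
bool first_component_is(const char *s, const char *comp, char sep)
{
    size_t n = strlen(comp);
    return strncmp(s, comp, n) == 0 && s[n] == sep;
}

int main(void)
{
    /* Constructed sample inputs: only the first one has "host" as its
     * complete first component. */
    const char *names[] = { "host/example.org", "hostmaster/example.org", "host" };
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("%-24s buggy=%d fixed=%d\n", names[i],
               first_component_is_buggy(names[i], "host"),
               first_component_is(names[i], "host", '/'));
    return 0;
}
```
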
Fix the numeric error value comparison performed by error_cmp().
Identified by AppChecker and previously fixed by Darwin.
Change-Id: I0a72fd381bef0b34b7e7d155bfff03ab4196d38e

If defined(HAVE_GETAUXVAL) && !defined(GETAUXVAL_SETS_ERRNO), the
stack variable declaration for 'a' is missing:
const auxv_t *a
Declare 'a' so that Heimdal can build again.
Change-Id: If64dd497f240688b76f3dd6139ac68c2ff149a0e

When obtaining a remote TGT krbtgt/REALM2@REALM2, an intermediate
cross-realm TGT obtained for krbtgt/REALM2@REALM1 is not equivalent
to the TGT we seek, and must not be stored under its name.

When the cred passed to krb5_build_ap_req() has a different name for the actual
ticket (e.g., because the entry came from a ccache with an alias name as the
entry name) then we were putting a Ticket on the wire with the name from the
cred rather than from the Ticket in the cred. We don't think this is intended
or desirable. The server should see the Ticket _exactly_ as minted by the KDC.
Perhaps AP-REQ should have used an OCTET STRING to contain the Ticket given that
Ticket is a PDU, which would make a byte-for-byte copy trivial, but as it is it
uses Ticket instead. Therefore this commit has it decode the Ticket from the
cred and then C struct assign that value to the AP-REP's ticket field -- this
then copies the Ticket as exactly as vended.