On Windows if the compiler and C RTL is >= 1400 then the rand_s()
function is available. rand_s() unlike rand() makes use of the
RtlGenRandom() API to produce a random number between 0 and UINT_MAX.
If rand_s() is not available or fails, fallback to rand().
One of the benefits of rand_s() is that no initialization is required
so it will provide random output even if rk_random_init() is not called.
Change-Id: I2768155de744bd49604fc8237728bb205d637f2a
gss_add_cred() with GSS_C_NO_CREDENTIAL as the input_cred_handle should
act like gss_acquire_cred() with desired_mechs containing just the
desired_mech.
Tests that start daemons have to "wait" for them to start.
This commit makes Heimdal daemons prep to detach (when requested) by
forking early, then having the child signal readiness to the parent when
the child really is ready. The parent exits only which the child is
ready. This means that tests will no longer need to wait for daemons.
However, tests will still need a pidfile or such so they can stop the
daemons.
Note that the --detach options should not be used on OS X from launchd,
only from tests.
Modify the NTMakefile rules for tests so that a failed test does
not prevent subsequent tests from being executed.
Change-Id: I9595ad4a1527feae7c402241bf06ab21a0b76d4a
The library delay loads bcrypt.dll so that it can run on versions of
Windows older than Vista. Remove the compile time checks.
Change-Id: I632b248dcca8b6e40e47011fc11d277e911ff209
kadmin should not permit a modify that stores invalid keys into the
database. Accepting bad key data into the database will result in
errors when those keys are eventually used.
This change does not address the general case. It does address the
specific case of the kadmin client attempting to store the magic
bogus key since that is trivial to check for and can be unintentionally
returned to kadmind by a 1.6rc2 or prior client. This can happen when
a user has get privilege but lacks the new get-keys privilege.
Change-Id: I44795e6428472b75ab1e4257ce7cb9160f0299f5
Introduce kadm5_all_keys_are_bogus() and kadm5_some_keys_are_bogus()
which will be used in later changes.
Change-Id: I3a07ffe07bee7d6eb17c3d2eae91c107e0bac255
krb5_get_credentials_with_flags() and krb5_get_creds() do not store
obtained TGTs if the KRB5_GC_NO_STORE flag is set.
Change-Id: Ie999ec4e985463ff60e9d499c3e870880033dfa7
In get_cred_kdc_capath_worker() if the credentials obtained by
get_cred_kdc_address() does not exactly match the requested service
principal discard them and return KRB5KC_ERR_S_PRINCIPAL_UNKNOWN.
Change-Id: Iaeacd07f87374f64e3a7bb860adfeb2dc9550fd1
Prior to this change _krb5_get_cred_kdc_any() would include TGTs obtained
via KDC referrals in the "*ret_tgts" array returned to the caller. The
caller typically stores these TGTs in the active credential cache.
However, referrals TGTs must not be cached or reused for any request
beyond the one it was issued for. The referral is for a specific service
principal and the resulting TGT could include service specific AuthData.
The referral might also direct the client along a transitive path that
is specific to this service and not applicable in the general case.
This change removes the *ret_tgts parameter from get_cred_kdc_referral()
so that the obtained TGTs are never returned to its caller. This also
prevents these TGTs from being used by any subsequent call to
get_cred_kdc_capath().
Change-Id: Iacc76c5b1639af3cf6bf277966cfd1535dd1e84d
Prior to this change hdb_unseal_keys_kvno() could return successfully (0)
if the choice_HDB_extension_data_hist_keys extension was found but the
hist_keys list was empty. As a side effect callers would believe that the
provide hdb_entry keys were unsealed when they weren't. This could cause
the KDC or kadmin to report invalid key size errors.
If the extension is present and the history list is empty attempt to
unseal the provided hdb_entry using hdb_unseal_keys_mkey().
Change-Id: I9218b02bccdbcf22133a9464a677374db53ade85
In gsskrb5_accept_delegated_token() it is wrong to store the delegated
credentials in the default ccache by default. When the caller does not
provide a target credential handle, we just do nothing and return success.
Test the return value of gsskrb5_accept_delegated_token() against
GSS_S_COMPLETE, rather than 0.
Delegated or other explicit credentials were mishandled, the code only
worked correctly when processing default credentials. In particular
this caused root's default credential cache to be accessed when accepting
delegated credentials in SSH:
ssh_gssapi_accept_ctx() ->
ssh_gssapi_getclient() ->
gss_inquire_cred_by_mech()
When /tmp/krb5cc_0 contained expired tickets, cascaded credentials
stopped working for non-root users!
Add an implementation of memset_s to roken.
Some optimising compilers may remove the memset() instruction when it
is used immediately before a free, which defeats its purpose if the
intention is to zero memory before returning it to the heap or stack.
C11 added memset_s, provide a fallback in roken so that memset_s can
be used on all platforms.
Previously getenv("KRB5_KTNAME") happened in
init_context_from_config_file()
which would capture the environment value as an override without
using strdup() to get a private copy, so it would get trashed in
applications that dynamically update the environment (e.g. Perl
code that has a tied %ENV).
The patch delays getenv("KRB5_KTNAME") until the context's value
of default_keytab is actually needed, and the environment can preempt
the context's default at that time.
[ Do we need to worry about issuid() being true initially when the
context is created, but not later, because the application changes
both the real and effective uid? If so the issuid() state should
be saved when the context is created and the saved value queried. ]
On any OS with a properly implemented getaddrinfo() this change is a
no-op. Passing NULL for the hint is supposed to be the same as an
addrinfo structure with all fields set to 0. There is no need to set
ai_family to AF_UNSPEC because that value is already 0.
GNU libc doesn't follow standard behaviour. Quoting from
http://man7.org/linux/man-pages/man3/getaddrinfo.3.html :
"Specifying hints as NULL is equivalent to setting ai_socktype and
ai_protocol to 0; ai_family to AF_UNSPEC; and ai_flags to
(AI_V4MAPPED | AI_ADDRCONFIG). (POSIX specifies different defaults for
ai_flags; see NOTES.)"
The NOTES section says:
"According to POSIX.1-2001, specifying hints as NULL should cause
ai_flags to be assumed as 0. The GNU C library instead assumes a value
of (AI_V4MAPPED | AI_ADDRCONFIG) for this case, since this value is
considered an improvement on the specification."
The patch makes sure that krb5_parse_address works consistently on both
GNU libc and systems that follow POSIX.1-2001 to the letter. Some
incorrect Fedora 17 patches managed to break IPv6 connectivity and were
later backed out (see discussion at https://bugzilla.redhat.com/808147).
This patch resolves the incompatibility.
Signed-off-by: Ken Dreyer <ktdreyer@ktdreyer.com>
Commit ad7e54d698 introduced the use
of _krb5_expand_path_tokens() to expand tokens (and on Windows convert
path delimiters) within credential cache names. This is safe to do
for the path based credential cache types FILE, DIR and SCC but on
Windows is unsafe for the non-path types.
For example on Windows, the API credential cache names are often based
on the principal name and the principal name is parsed from the ccname.
This practice was introduced with the version v2 ccapi when there was
no method of enumerating the caches from the krb5 library.
This change adds a "filepath" boolean parameter to _krb5_expand_path_tokens()
which is set to TRUE (non-zero) when the input is a file path and FALSE
(zero) when the input is not a file path. _krb5_expand_path_tokens() will
only perform directory separator normalization on Windows when the
"filepath" parameter is TRUE.
This change is not the preferred solution because it requires that the
library be aware of all credential cache types that use path based
residuals. The preferred solution would require that the credential cache
implementation indicate whether or not it uses a path based residual.
This change has been implemented using a prefix test and not a change to
struct krb5_cc_ops because existing ccache plugins will not know how to
advertise their use of path based residuals and that path expansion is
safe.
Change-Id: I8135991e8ce69fc5273d381ea9c2078bc2bcd19a
_hc_CryptProvider() returns a global handle to a Win32 Crypt Provider.
If the global handle is NULL, then a handle is allocated. Unfortunately,
due to a coding mistake the global handle variable, g_cryptprovider, was
never set and a new handle was allocated with each call.
Refactor the function to ensure that the global handle is the value
that is returned. Use NULL instead of 0 for pointer assignment.
Change-Id: If1ef3aa19cbd1d51860370db24c086e86922ff0d
