Subject: lib/19191: using gssapi when krb5 not configured cores.
To: None <gnats-bugs@gnats.netbsd.org>
From: None <elric@imrryr.org>
List: netbsd-bugs
Date: 11/28/2002 02:51:06
>Number: 19191
>Category: lib
>Synopsis: using gssapi when krb5 not configured cores.
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Nov 27 23:52:00 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: Roland Dowdeswell
>Release: NetBSD 1.6_BETA1
>Organization:
The Fall of Imrryr.
>Environment:
System: NetBSD arioch.imrryr.org 1.6_BETA1 NetBSD 1.6_BETA1 (ARIOCH) #0: Fri Jun 28 12:36:20 EDT 2002 elric@arioch.imrryr.org:/usr/src/sys/arch/alpha/compile/ARIOCH alpha
Architecture: alpha
Machine: alpha
>Description:
If you use gssapi while krb5 is not configured, your program
will core dump. The examples that I've seen are imap-uw,
mutt and so on. I worked around the problem in imap-uw by
re-ordering the routine that determines if gssapi support
is present, but this is not a long-term solution.
>How-To-Repeat:
Build cyrus-sasl w/ GSSAPI support. Build something that
uses it. Run it. Note the core dump.
>Fix:
The code in libgssapi does not check the return codes of
krb5_init_context(3). Fixing it to return errors very
early if krb5 is not configured solves this issue. Please
see attached diff. It appears to work on my machine with
the 5 minutes of testing that I've done so far. I'll test
it a bit more and if it is decided that this is a decent
approach then I will check it in.
Index: accept_sec_context.c
===================================================================
RCS file: /cvsroot/basesrc/crypto/dist/heimdal/lib/gssapi/accept_sec_context.c,v
retrieving revision 1.1.1.6
diff -u -r1.1.1.6 accept_sec_context.c
--- accept_sec_context.c 2002/09/12 12:41:40 1.1.1.6
+++ accept_sec_context.c 2002/11/28 07:40:44
@@ -44,9 +44,7 @@
krb5_error_code ret;
char *p;
- ret = gssapi_krb5_init();
- if(ret)
- return GSS_S_FAILURE;
+ GSSAPI_KRB5_INIT();
if(gssapi_krb5_keytab != NULL) {
krb5_kt_close(gssapi_krb5_context, gssapi_krb5_keytab);
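Review bot: the explicit check removed here was easier to read than `GSSAPI_KRB5_INIT();`, which hides a `return GSS_S_FAILURE` from anyone scanning the function, and the next hunk in this same file spells the check out by hand. Use one form in both places; since behaviour at this site is unchanged, leaving the original three lines alone would also keep the diff smaller.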
@@ -88,7 +86,9 @@
OM_uint32 minor;
ret = 0;
- gssapi_krb5_init ();
+ kret = gssapi_krb5_init ();
+ if (kret)
+ return GSS_S_FAILURE;
krb5_data_zero (&fwd_data);
output_token->length = 0;
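Review bot: the new early return after `kret = gssapi_krb5_init ();` drops `kret` on the floor, so the caller gets GSS_S_FAILURE with no minor status, unlike the GSSAPI_KRB5_INIT_MS sites elsewhere in this patch. It also runs before `output_token->length = 0;`, so the output token is left untouched on this path. If this function has a minor status pointer, store `kret` there, and zero the output token before returning; also confirm `kret` is declared in this function, since no declaration is visible in the hunk.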
Index: acquire_cred.c
===================================================================
RCS file: /cvsroot/basesrc/crypto/dist/heimdal/lib/gssapi/acquire_cred.c,v
retrieving revision 1.8
diff -u -r1.8 acquire_cred.c
--- acquire_cred.c 2002/09/12 13:19:07 1.8
+++ acquire_cred.c 2002/11/28 07:40:44
@@ -196,7 +196,7 @@
gss_cred_id_t handle;
OM_uint32 ret;
- gssapi_krb5_init ();
+ GSSAPI_KRB5_INIT_MS(minor_status);
*minor_status = 0;
handle = (gss_cred_id_t)malloc(sizeof(*handle));
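Review bot: `GSSAPI_KRB5_INIT_MS(minor_status);` tests its argument for NULL, but the very next line, `*minor_status = 0;`, dereferences it unconditionally, so the test buys nothing at this site. Decide whether a NULL minor status is allowed and make the macro and the function body agree.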
Index: compare_name.c
===================================================================
RCS file: /cvsroot/basesrc/crypto/dist/heimdal/lib/gssapi/compare_name.c,v
retrieving revision 1.1.1.3
diff -u -r1.1.1.3 compare_name.c
--- compare_name.c 2002/09/12 12:41:40 1.1.1.3
+++ compare_name.c 2002/11/28 07:40:44
@@ -43,7 +43,8 @@
int * name_equal
)
{
- gssapi_krb5_init ();
+
+ GSSAPI_KRB5_INIT_MS(minor_status);
*name_equal = krb5_principal_compare (gssapi_krb5_context,
name1, name2);
return GSS_S_COMPLETE;
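Review bot: on the new failure path `*name_equal` is never written, so a caller that does not check the major status reads an uninitialised int. Set `*name_equal = 0` before the macro runs. The blank line added directly after the opening brace is stray and should be dropped.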
Index: context_time.c
===================================================================
RCS file: /cvsroot/basesrc/crypto/dist/heimdal/lib/gssapi/context_time.c,v
retrieving revision 1.1.1.4
diff -u -r1.1.1.4 context_time.c
--- context_time.c 2002/09/12 12:41:40 1.1.1.4
+++ context_time.c 2002/11/28 07:40:44
@@ -47,7 +47,7 @@
krb5_error_code kret;
krb5_timestamp timeret;
- gssapi_krb5_init();
+ GSSAPI_KRB5_INIT_MS(minor_status);
ret = gss_inquire_context(minor_status, context_handle,
NULL, NULL, &lifetime, NULL, NULL, NULL, NULL);
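Review bot: GSSAPI_KRB5_INIT_MS declares its own `kret` inside the `do` block, which shadows the `krb5_error_code kret;` already declared at the top of this function. It is harmless as written but will trip shadow warnings and invites confusion; give the macro's local a name unlikely to collide (for example `_gk_ret`) in gssapi_locl.h. The same applies in duplicate_name.c and export_sec_context.c, which also declare `kret`.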
Index: delete_sec_context.c
===================================================================
RCS file: /cvsroot/basesrc/crypto/dist/heimdal/lib/gssapi/delete_sec_context.c,v
retrieving revision 1.1.1.4
diff -u -r1.1.1.4 delete_sec_context.c
--- delete_sec_context.c 2002/09/12 12:41:40 1.1.1.4
+++ delete_sec_context.c 2002/11/28 07:40:44
@@ -42,7 +42,8 @@
gss_buffer_t output_token
)
{
- gssapi_krb5_init ();
+
+ GSSAPI_KRB5_INIT_MS(minor_status);
if (output_token) {
output_token->length = 0;
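Review bot: returning from the macro before the `if (output_token)` block means `output_token->length` is not zeroed when init fails, so a caller that inspects the token after a failed delete sees whatever was there before. Move the output token reset above `GSSAPI_KRB5_INIT_MS(minor_status);`. The blank line added after the opening brace is stray.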
Index: display_name.c
===================================================================
RCS file: /cvsroot/basesrc/crypto/dist/heimdal/lib/gssapi/display_name.c,v
retrieving revision 1.1.1.4
diff -u -r1.1.1.4 display_name.c
--- display_name.c 2002/09/12 12:41:40 1.1.1.4
+++ display_name.c 2002/11/28 07:40:44
@@ -47,7 +47,8 @@
char *buf;
size_t len;
- gssapi_krb5_init ();
+ GSSAPI_KRB5_INIT_MS(minor_status);
+
kret = krb5_unparse_name (gssapi_krb5_context,
input_name,
&buf);
Index: display_status.c
===================================================================
RCS file: /cvsroot/basesrc/crypto/dist/heimdal/lib/gssapi/display_status.c,v
retrieving revision 1.1.1.5
diff -u -r1.1.1.5 display_status.c
--- display_status.c 2002/09/12 12:41:40 1.1.1.5
+++ display_status.c 2002/11/28 07:40:44
@@ -118,7 +118,7 @@
{
char *buf;
- gssapi_krb5_init ();
+ GSSAPI_KRB5_INIT_MS(minor_status);
*minor_status = 0;
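Review bot: failing early in display_status.c works against the `*_ms = kret` that the macro stores at the other call sites: if this is the routine callers use to turn a status into text, they will get GSS_S_FAILURE here too and have no way to render the krb5 error that was just reported. Consider letting this function fall back to a generic message when `gssapi_krb5_init()` fails instead of returning. The `*minor_status = 0;` on the next line also dereferences unconditionally, so the macro's NULL test is redundant here.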
Index: duplicate_name.c
===================================================================
RCS file: /cvsroot/basesrc/crypto/dist/heimdal/lib/gssapi/duplicate_name.c,v
retrieving revision 1.1.1.4
diff -u -r1.1.1.4 duplicate_name.c
--- duplicate_name.c 2002/09/12 12:41:40 1.1.1.4
+++ duplicate_name.c 2002/11/28 07:40:44
@@ -44,7 +44,7 @@
{
krb5_error_code kret;
- gssapi_krb5_init ();
+ GSSAPI_KRB5_INIT_MS(minor_status);
kret = krb5_copy_principal (gssapi_krb5_context,
src_name,
Index: export_sec_context.c
===================================================================
RCS file: /cvsroot/basesrc/crypto/dist/heimdal/lib/gssapi/export_sec_context.c,v
retrieving revision 1.1.1.4
diff -u -r1.1.1.4 export_sec_context.c
--- export_sec_context.c 2002/09/12 12:41:40 1.1.1.4
+++ export_sec_context.c 2002/11/28 07:40:44
@@ -52,7 +52,7 @@
OM_uint32 minor;
krb5_error_code kret;
- gssapi_krb5_init ();
+ GSSAPI_KRB5_INIT_MS(minor_status);
if (!((*context_handle)->flags & GSS_C_TRANS_FLAG))
return GSS_S_UNAVAILABLE;
Index: gssapi_locl.h
===================================================================
RCS file: /cvsroot/basesrc/crypto/dist/heimdal/lib/gssapi/gssapi_locl.h,v
retrieving revision 1.1.1.6
diff -u -r1.1.1.6 gssapi_locl.h
--- gssapi_locl.h 2002/09/12 12:41:40 1.1.1.6
+++ gssapi_locl.h 2002/11/28 07:40:44
@@ -51,6 +51,27 @@
krb5_error_code gssapi_krb5_init (void);
+/*
+ * we define this as a macro since it must be able to return from the
+ * calling function. It is passed either a ptr to ``minor status'' or NULL.
+ */
+
+#define GSSAPI_KRB5_INIT() do { \
+ if (gssapi_krb5_init()) \
+ return GSS_S_FAILURE; \
+ } while (0);
+
+#define GSSAPI_KRB5_INIT_MS(_ms) do { \
+ krb5_error_code kret; \
+ \
+ kret = gssapi_krb5_init(); \
+ if (kret) { \
+ if (_ms) \
+ *_ms = kret; \
+ return GSS_S_FAILURE; \
+ } \
+ } while (0);
+
OM_uint32
gssapi_krb5_create_8003_checksum (
OM_uint32 *minor_status,
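Review bot: both macros end in `while (0);`, and that trailing semicolon defeats the do/while(0) idiom: every call site written as `GSSAPI_KRB5_INIT_MS(minor_status);` expands to two statements, and an unbraced `if (...) GSSAPI_KRB5_INIT(); else ...` would no longer compile. Drop the semicolon from both definitions. In GSSAPI_KRB5_INIT_MS the argument should be parenthesised, `*(_ms) = kret;`, so an expression argument expands correctly. The comment says the macro "is passed either a ptr to minor status or NULL", but GSSAPI_KRB5_INIT takes no argument; either document the two macros separately or remove the no-argument one and pass NULL.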
Index: import_name.c
===================================================================
RCS file: /cvsroot/basesrc/crypto/dist/heimdal/lib/gssapi/import_name.c,v
retrieving revision 1.1.1.4
diff -u -r1.1.1.4 import_name.c
--- import_name.c 2002/09/12 12:41:40 1.1.1.4
+++ import_name.c 2002/11/28 07:40:44
@@ -143,7 +143,7 @@
gss_name_t * output_name
)
{
- gssapi_krb5_init ();
+ GSSAPI_KRB5_INIT_MS(minor_status);
if (oid_equal(input_name_type, GSS_C_NT_HOSTBASED_SERVICE))
return import_hostbased_name (minor_status,
Index: import_sec_context.c
===================================================================
RCS file: /cvsroot/basesrc/crypto/dist/heimdal/lib/gssapi/import_sec_context.c,v
retrieving revision 1.1.1.4
diff -u -r1.1.1.4 import_sec_context.c
--- import_sec_context.c 2002/09/12 12:41:40 1.1.1.4
+++ import_sec_context.c 2002/11/28 07:40:45
@@ -56,7 +56,7 @@
int32_t flags;
OM_uint32 minor;
- gssapi_krb5_init ();
+ GSSAPI_KRB5_INIT_MS(minor_status);
sp = krb5_storage_from_mem (interprocess_token->value,
interprocess_token->length);
Index: init_sec_context.c
===================================================================
RCS file: /cvsroot/basesrc/crypto/dist/heimdal/lib/gssapi/init_sec_context.c,v
retrieving revision 1.7
diff -u -r1.7 init_sec_context.c
--- init_sec_context.c 2002/09/12 13:19:08 1.7
+++ init_sec_context.c 2002/11/28 07:40:45
@@ -504,7 +504,7 @@
OM_uint32 * time_rec
)
{
- gssapi_krb5_init ();
+ GSSAPI_KRB5_INIT_MS(minor_status);
if (input_token == GSS_C_NO_BUFFER || input_token->length == 0)
return init_auth (minor_status,
Index: release_cred.c
===================================================================
RCS file: /cvsroot/basesrc/crypto/dist/heimdal/lib/gssapi/release_cred.c,v
retrieving revision 1.3
diff -u -r1.3 release_cred.c
--- release_cred.c 2002/09/12 13:19:08 1.3
+++ release_cred.c 2002/11/28 07:40:45
@@ -45,7 +45,7 @@
return GSS_S_COMPLETE;
}
- gssapi_krb5_init ();
+ GSSAPI_KRB5_INIT_MS(minor_status);
if ((*cred_handle)->principal != NULL)
krb5_free_principal(gssapi_krb5_context, (*cred_handle)->principal);
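Review bot: placing `GSSAPI_KRB5_INIT_MS(minor_status);` ahead of the `krb5_free_principal` call means a failed init returns GSS_S_FAILURE without freeing anything in `*cred_handle`, and callers rarely check the result of a release routine. If a non-NULL handle can only exist after a successful init, say so in a comment here; otherwise free what can be freed without the krb5 context before returning.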
Index: release_name.c
===================================================================
RCS file: /cvsroot/basesrc/crypto/dist/heimdal/lib/gssapi/release_name.c,v
retrieving revision 1.1.1.3
diff -u -r1.1.1.3 release_name.c
--- release_name.c 2002/09/12 12:41:40 1.1.1.3
+++ release_name.c 2002/11/28 07:40:45
@@ -41,7 +41,7 @@
gss_name_t * input_name
)
{
- gssapi_krb5_init ();
+ GSSAPI_KRB5_INIT_MS(minor_status);
krb5_free_principal(gssapi_krb5_context,
*input_name);
*input_name = GSS_C_NO_NAME;
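Review bot: on the failure path the macro returns before `*input_name = GSS_C_NO_NAME;`, so the caller keeps a pointer it believes it has released and may pass it on or release it again. Reset `*input_name` regardless of whether init succeeded, and document whether the name is considered freed when GSS_S_FAILURE comes back.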
>Release-Note:
>Audit-Trail:
>Unformatted: