Skip Menu |
 

History Show all quoted textShow full headers
# Thu Mar 13 15:56:44 2014 ghudson@mit.edu (Greg Hudson) - Ticket created
Subject: Interleaved init_creds operations use same per-request preauth context
Download (untitled) / with headers
text/plain 723B
In preauth2.c, krb5_preauth_context_st mixes context-global preauth data
with per-request data. The "tried" field of krb5_preauth_context_st and
the "req" field of clpreauth_handle are per-request, while the "vt" and
"data" fields of clpreauth_handle are context-global.

Alll of this information is managed out of krb5_context, not
krb5_init_creds_context. So if a caller interleaves
krb5_init_creds_init/krb5_init_creds_step for different
krb5_init_creds_context objects with the same krb5_context object, both
operations will use the same per-request preauth data, likely causing one
or both operations to fail.

The per-request information should be separated out and managed out of
krb5_init_creds_context.
# Tue Dec 08 14:12:41 2015 sarahday (Sarah Day) - Taken
# Mon Jan 09 11:44:05 2017 ghudson@mit.edu (Greg Hudson) - Stolen from sarahday (Sarah Day)
# Thu Jan 26 18:34:11 2017 ghudson@mit.edu (Greg Hudson) - Status changed from 'open' to 'review'
# Thu Jan 26 18:34:11 2017 ghudson@mit.edu (Greg Hudson) - Correspondence added
From: ghudson@mit.edu
Subject: git commit
Download (untitled) / with headers
text/plain 886B

Properly scope per-request preauth data

It should be possible to successfully use multiple initial credentials
contexts with the same library context. Create a new internal type
krb5_preauth_req_context containing per-request preauth state,
including the clpreauth modreq handles and the list of preauth types
already tried. Remove this state from clpreauth_handle and
krb5_preauth_context.

https://github.com/krb5/krb5/commit/b061f419cfc9653b7549b905e54fbbd78deea49e
Author: Greg Hudson <ghudson@mit.edu>
Commit: b061f419cfc9653b7549b905e54fbbd78deea49e
Branch: master
src/include/k5-trace.h | 3 +
src/lib/krb5/krb/get_in_tkt.c | 12 +-
src/lib/krb5/krb/init_creds_ctx.h | 3 +
src/lib/krb5/krb/int-proto.h | 8 +-
src/lib/krb5/krb/preauth2.c | 190 +++++++++++++++++++++++--------------
5 files changed, 135 insertions(+), 81 deletions(-)
# Thu Jan 26 18:34:13 2017 ghudson@mit.edu (Greg Hudson) - Correspondence added
From: ghudson@mit.edu
Subject: git commit
Download (untitled) / with headers
text/plain 725B

Add tests for per-request preauth data scoping

Add a test harness which interleaves calls for multiple initial creds
contexts using the same library context. Add a test case to
t_preauth.py using the new harness and the test preauth module to
verify that modreq pointers are correctly tracked.

https://github.com/krb5/krb5/commit/c0b25fe282355d4f329418956b9c6295780af633
Author: Greg Hudson <ghudson@mit.edu>
Commit: c0b25fe282355d4f329418956b9c6295780af633
Branch: master
.gitignore | 1 +
src/tests/Makefile.in | 23 +++++---
src/tests/icinterleave.c | 124 ++++++++++++++++++++++++++++++++++++++++++++++
src/tests/t_preauth.py | 13 +++++
4 files changed, 152 insertions(+), 9 deletions(-)
# Thu Jan 26 18:34:14 2017 ghudson@mit.edu (Greg Hudson) - Correspondence added
From: ghudson@mit.edu
Subject: git commit
Download (untitled) / with headers
text/plain 763B

Document and check init_creds context requirement

To ensure that the same clpreauth plugin modules and moddata pointers
are used for each step of an initial creds operation, the caller must
use the same library context for krb5_init_creds_init(),
krb5_init_creds_step(), and krb5_init_creds_free(). Document and
enforce this requirement.

https://github.com/krb5/krb5/commit/c4beb35c9ac0711ef650abc4f1e44a4c82d5f3d0
Author: Greg Hudson <ghudson@mit.edu>
Commit: c4beb35c9ac0711ef650abc4f1e44a4c82d5f3d0
Branch: master
src/include/krb5/krb5.hin | 13 +++++++++++++
src/lib/krb5/krb/get_in_tkt.c | 6 +++++-
src/lib/krb5/krb/int-proto.h | 3 +++
src/lib/krb5/krb/preauth2.c | 13 +++++++++++++
4 files changed, 34 insertions(+), 1 deletions(-)
# Sun Sep 24 20:39:59 2017 ghudson@mit.edu (Greg Hudson) - Status changed from 'review' to 'resolved'
# Wed Oct 04 10:52:57 2017 ghudson@mit.edu (Greg Hudson) - Version_Fixed 1.16 added