Package: heimdal-kdc Version: 1.6~git20120403+dfsg1-2+iig3 Severity: important
-- System Information: Debian Release: 7.4 APT prefers stable APT policy: (600, 'stable'), (500, 'testing') Architecture: amd64 (x86_64) Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash We use heimdal kdc to authenticate more than 30k users in multiple services. After upgrading from squeeze to wheezy the KDC process started to leak memory (~2GiB/week). We don't use the binary package of wheezy, but source package is rebuilt with a little patch enabling impersonation of other pricipals. It is belived that this should not cause the problem. We had it run under valgrind for some hours, the output is attached. Our patch in importable with quilt import also attached.
==6018== Memcheck, a memory error detector ==6018== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al. ==6018== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info ==6018== Command: /usr/lib/heimdal-servers/kdc --no-detach ==6018== Parent PID: 5344 ==6018== ==6018== ==6018== HEAP SUMMARY: ==6018== in use at exit: 28,763,436 bytes in 224,712 blocks ==6018== total heap usage: 124,988,168 allocs, 124,763,456 frees, 167,086,952,375 bytes allocated ==6018== ==6018== 4 bytes in 2 blocks are indirectly lost in loss record 1 of 38 ==6018== at 0x4C28BED: malloc (vg_replace_malloc.c:263) ==6018== by 0x52BEF34: krb5_kt_ret_string (keytab_file.c:82) ==6018== by 0x52BF18D: fkt_next_entry_int.isra.4 (keytab_file.c:230) ==6018== by 0x5064D1F: hdb_read_master_key (mkey.c:128) ==6018== by 0x5065550: hdb_set_master_keyfile (mkey.c:723) ==6018== by 0x4E3BA47: krb5_kdc_set_dbinfo (set_dbinfo.c:59) ==6018== by 0x4048D0: configure (config.c:208) ==6018== by 0x402995: main (main.c:125) ==6018== ==6018== 8 bytes in 1 blocks are indirectly lost in loss record 2 of 38 ==6018== at 0x4C28BED: malloc (vg_replace_malloc.c:263) ==6018== by 0x4C28D6F: realloc (vg_replace_malloc.c:632) ==6018== by 0x4E3B9F5: krb5_kdc_set_dbinfo (set_dbinfo.c:45) ==6018== by 0x4048D0: configure (config.c:208) ==6018== by 0x402995: main (main.c:125) ==6018== ==6018== 8 bytes in 1 blocks are indirectly lost in loss record 3 of 38 ==6018== at 0x4C28BED: malloc (vg_replace_malloc.c:263) ==6018== by 0x52BEF34: krb5_kt_ret_string (keytab_file.c:82) ==6018== by 0x52BF094: fkt_next_entry_int.isra.4 (keytab_file.c:215) ==6018== by 0x5064D1F: hdb_read_master_key (mkey.c:128) ==6018== by 0x5065550: hdb_set_master_keyfile (mkey.c:723) ==6018== by 0x4E3BA47: krb5_kdc_set_dbinfo (set_dbinfo.c:59) ==6018== by 0x4048D0: configure (config.c:208) ==6018== by 0x402995: main (main.c:125) ==6018== ==6018== 16 bytes in 1 blocks are indirectly lost in loss record 4 of 38 ==6018== at 0x4C272B8: calloc (vg_replace_malloc.c:566) ==6018== by 0x52BF141: fkt_next_entry_int.isra.4 (keytab_file.c:222) ==6018== by 0x5064D1F: hdb_read_master_key (mkey.c:128) ==6018== by 0x5065550: hdb_set_master_keyfile (mkey.c:723) ==6018== by 0x4E3BA47: krb5_kdc_set_dbinfo (set_dbinfo.c:59) ==6018== by 0x4048D0: configure (config.c:208) ==6018== by 0x402995: main (main.c:125) ==6018== ==6018== 16 bytes in 1 blocks are indirectly lost in loss record 5 of 38 ==6018== at 0x4C272B8: calloc (vg_replace_malloc.c:566) ==6018== by 0x52A5F76: _key_schedule (crypto.c:149) ==6018== by 0x52A7725: krb5_decrypt_ivec (crypto.c:1030) ==6018== by 0x52A7A20: krb5_decrypt (crypto.c:1829) ==6018== by 0x5064ED9: hdb_unseal_key_mkey (mkey.c:424) ==6018== by 0x5065014: hdb_unseal_keys_mkey (mkey.c:467) ==6018== by 0x505B6FF: _hdb_fetch_kvno (common.c:174) ==6018== by 0x4E4AC01: _kdc_db_fetch (misc.c:94) ==6018== by 0x4E41B1B: _kdc_as_rep (kerberos5.c:1660) ==6018== by 0x4E4BF03: kdc_as_req (process.c:77) ==6018== by 0x4E4C024: krb5_kdc_process_request (process.c:208) ==6018== by 0x4030AE: do_request (connect.c:431) ==6018== ==6018== 16 bytes in 1 blocks are indirectly lost in loss record 6 of 38 ==6018== at 0x4C272B8: calloc (vg_replace_malloc.c:566) ==6018== by 0x52A5F76: _key_schedule (crypto.c:149) ==6018== by 0x52A6C97: verify_checksum (crypto.c:479) ==6018== by 0x52A77AD: krb5_decrypt_ivec (crypto.c:1045) ==6018== by 0x52A7A20: krb5_decrypt (crypto.c:1829) ==6018== by 0x5064ED9: hdb_unseal_key_mkey (mkey.c:424) ==6018== by 0x5065014: hdb_unseal_keys_mkey (mkey.c:467) ==6018== by 0x505B6FF: _hdb_fetch_kvno (common.c:174) ==6018== by 0x4E4AC01: _kdc_db_fetch (misc.c:94) ==6018== by 0x4E41B1B: _kdc_as_rep (kerberos5.c:1660) ==6018== by 0x4E4BF03: kdc_as_req (process.c:77) ==6018== by 0x4E4C024: krb5_kdc_process_request (process.c:208) ==6018== ==6018== 24 bytes in 1 blocks are indirectly lost in loss record 7 of 38 ==6018== at 0x4C272B8: calloc (vg_replace_malloc.c:566) ==6018== by 0x52BD536: krb5_copy_keyblock (keyblock.c:137) ==6018== by 0x52A89E1: krb5_crypto_init (crypto.c:2057) ==6018== by 0x5064CFA: hdb_read_master_key (mkey.c:136) ==6018== by 0x5065550: hdb_set_master_keyfile (mkey.c:723) ==6018== by 0x4E3BA47: krb5_kdc_set_dbinfo (set_dbinfo.c:59) ==6018== by 0x4048D0: configure (config.c:208) ==6018== by 0x402995: main (main.c:125) ==6018== ==6018== 24 bytes in 1 blocks are indirectly lost in loss record 8 of 38 ==6018== at 0x4C272B8: calloc (vg_replace_malloc.c:566) ==6018== by 0x52BD536: krb5_copy_keyblock (keyblock.c:137) ==6018== by 0x52A69C6: _get_derived_key (crypto.c:2005) ==6018== by 0x52A7704: krb5_decrypt_ivec (crypto.c:1025) ==6018== by 0x52A7A20: krb5_decrypt (crypto.c:1829) ==6018== by 0x5064ED9: hdb_unseal_key_mkey (mkey.c:424) ==6018== by 0x5065014: hdb_unseal_keys_mkey (mkey.c:467) ==6018== by 0x505B6FF: _hdb_fetch_kvno (common.c:174) ==6018== by 0x4E4AC01: _kdc_db_fetch (misc.c:94) ==6018== by 0x4E41B1B: _kdc_as_rep (kerberos5.c:1660) ==6018== by 0x4E4BF03: kdc_as_req (process.c:77) ==6018== by 0x4E4C024: krb5_kdc_process_request (process.c:208) ==6018== ==6018== 24 bytes in 1 blocks are indirectly lost in loss record 9 of 38 ==6018== at 0x4C272B8: calloc (vg_replace_malloc.c:566) ==6018== by 0x52BD536: krb5_copy_keyblock (keyblock.c:137) ==6018== by 0x52A69C6: _get_derived_key (crypto.c:2005) ==6018== by 0x52A6AA7: get_checksum_key.isra.10 (crypto.c:323) ==6018== by 0x52A6C97: verify_checksum (crypto.c:479) ==6018== by 0x52A77AD: krb5_decrypt_ivec (crypto.c:1045) ==6018== by 0x52A7A20: krb5_decrypt (crypto.c:1829) ==6018== by 0x5064ED9: hdb_unseal_key_mkey (mkey.c:424) ==6018== by 0x5065014: hdb_unseal_keys_mkey (mkey.c:467) ==6018== by 0x505B6FF: _hdb_fetch_kvno (common.c:174) ==6018== by 0x4E4AC01: _kdc_db_fetch (misc.c:94) ==6018== by 0x4E41B1B: _kdc_as_rep (kerberos5.c:1660) ==6018== ==6018== 29 bytes in 1 blocks are indirectly lost in loss record 10 of 38 ==6018== at 0x4C28BED: malloc (vg_replace_malloc.c:263) ==6018== by 0x685FC41: strdup (strdup.c:43) ==6018== by 0x505C70D: hdb_db_create (db3.c:368) ==6018== by 0x5060B9C: hdb_create (hdb.c:513) ==6018== by 0x4E3BA18: krb5_kdc_set_dbinfo (set_dbinfo.c:52) ==6018== by 0x4048D0: configure (config.c:208) ==6018== by 0x402995: main (main.c:125) ==6018== ==6018== 30 bytes in 1 blocks are still reachable in loss record 11 of 38 ==6018== at 0x4C28BED: malloc (vg_replace_malloc.c:263) ==6018== by 0x68CF387: __vasprintf_chk (vasprintf_chk.c:82) ==6018== by 0x68CF222: __asprintf_chk (asprintf_chk.c:34) ==6018== by 0x404BD9: configure (stdio2.h:158) ==6018== by 0x402995: main (main.c:125) ==6018== ==6018== 32 bytes in 1 blocks are possibly lost in loss record 12 of 38 ==6018== at 0x4C28BED: malloc (vg_replace_malloc.c:263) ==6018== by 0x7CFFC29: heim_dict_set_value (dict.c:224) ==6018== by 0x52DB988: _krb5_load_plugins (plugin.c:447) ==6018== by 0x7D0032F: heim_base_once_f (heimbase.c:379) ==6018== by 0x52A4D1A: krb5_init_context (context.c:423) ==6018== by 0x402957: main (main.c:115) ==6018== ==6018== 32 bytes in 1 blocks are indirectly lost in loss record 13 of 38 ==6018== at 0x4C272B8: calloc (vg_replace_malloc.c:566) ==6018== by 0x52BF039: fkt_next_entry_int.isra.4 (keytab_file.c:190) ==6018== by 0x5064D1F: hdb_read_master_key (mkey.c:128) ==6018== by 0x5065550: hdb_set_master_keyfile (mkey.c:723) ==6018== by 0x4E3BA47: krb5_kdc_set_dbinfo (set_dbinfo.c:59) ==6018== by 0x4048D0: configure (config.c:208) ==6018== by 0x402995: main (main.c:125) ==6018== ==6018== 32 bytes in 1 blocks are indirectly lost in loss record 14 of 38 ==6018== at 0x4C28BED: malloc (vg_replace_malloc.c:263) ==6018== by 0x52BF337: fkt_next_entry_int.isra.4 (keytab_file.c:61) ==6018== by 0x5064D1F: hdb_read_master_key (mkey.c:128) ==6018== by 0x5065550: hdb_set_master_keyfile (mkey.c:723) ==6018== by 0x4E3BA47: krb5_kdc_set_dbinfo (set_dbinfo.c:59) ==6018== by 0x4048D0: configure (config.c:208) ==6018== by 0x402995: main (main.c:125) ==6018== ==6018== 32 bytes in 1 blocks are indirectly lost in loss record 15 of 38 ==6018== at 0x4C28BED: malloc (vg_replace_malloc.c:263) ==6018== by 0x57BCA26: der_copy_octet_string (der_copy.c:152) ==6018== by 0x577B38C: copy_EncryptionKey (asn1_krb5_asn1.c:3215) ==6018== by 0x52BD54C: krb5_copy_keyblock (keyblock.c:143) ==6018== by 0x52A89E1: krb5_crypto_init (crypto.c:2057) ==6018== by 0x5064CFA: hdb_read_master_key (mkey.c:136) ==6018== by 0x5065550: hdb_set_master_keyfile (mkey.c:723) ==6018== by 0x4E3BA47: krb5_kdc_set_dbinfo (set_dbinfo.c:59) ==6018== by 0x4048D0: configure (config.c:208) ==6018== by 0x402995: main (main.c:125) ==6018== ==6018== 32 bytes in 1 blocks are indirectly lost in loss record 16 of 38 ==6018== at 0x4C28BED: malloc (vg_replace_malloc.c:263) ==6018== by 0x57BCA26: der_copy_octet_string (der_copy.c:152) ==6018== by 0x577B38C: copy_EncryptionKey (asn1_krb5_asn1.c:3215) ==6018== by 0x52BD54C: krb5_copy_keyblock (keyblock.c:143) ==6018== by 0x52A69C6: _get_derived_key (crypto.c:2005) ==6018== by 0x52A7704: krb5_decrypt_ivec (crypto.c:1025) ==6018== by 0x52A7A20: krb5_decrypt (crypto.c:1829) ==6018== by 0x5064ED9: hdb_unseal_key_mkey (mkey.c:424) ==6018== by 0x5065014: hdb_unseal_keys_mkey (mkey.c:467) ==6018== by 0x505B6FF: _hdb_fetch_kvno (common.c:174) ==6018== by 0x4E4AC01: _kdc_db_fetch (misc.c:94) ==6018== by 0x4E41B1B: _kdc_as_rep (kerberos5.c:1660) ==6018== ==6018== 32 bytes in 1 blocks are indirectly lost in loss record 17 of 38 ==6018== at 0x4C28BED: malloc (vg_replace_malloc.c:263) ==6018== by 0x57BCA26: der_copy_octet_string (der_copy.c:152) ==6018== by 0x577B38C: copy_EncryptionKey (asn1_krb5_asn1.c:3215) ==6018== by 0x52BD54C: krb5_copy_keyblock (keyblock.c:143) ==6018== by 0x52A69C6: _get_derived_key (crypto.c:2005) ==6018== by 0x52A6AA7: get_checksum_key.isra.10 (crypto.c:323) ==6018== by 0x52A6C97: verify_checksum (crypto.c:479) ==6018== by 0x52A77AD: krb5_decrypt_ivec (crypto.c:1045) ==6018== by 0x52A7A20: krb5_decrypt (crypto.c:1829) ==6018== by 0x5064ED9: hdb_unseal_key_mkey (mkey.c:424) ==6018== by 0x5065014: hdb_unseal_keys_mkey (mkey.c:467) ==6018== by 0x505B6FF: _hdb_fetch_kvno (common.c:174) ==6018== ==6018== 40 bytes in 1 blocks are indirectly lost in loss record 18 of 38 ==6018== at 0x4C272B8: calloc (vg_replace_malloc.c:566) ==6018== by 0x52A8987: krb5_crypto_init (crypto.c:2037) ==6018== by 0x5064CFA: hdb_read_master_key (mkey.c:136) ==6018== by 0x5065550: hdb_set_master_keyfile (mkey.c:723) ==6018== by 0x4E3BA47: krb5_kdc_set_dbinfo (set_dbinfo.c:59) ==6018== by 0x4048D0: configure (config.c:208) ==6018== by 0x402995: main (main.c:125) ==6018== ==6018== 48 bytes in 1 blocks are still reachable in loss record 19 of 38 ==6018== at 0x4C28CCE: realloc (vg_replace_malloc.c:632) ==6018== by 0x402D80: add_port (connect.c:74) ==6018== by 0x4031AB: add_standard_ports.isra.1 (connect.c:132) ==6018== by 0x4033E5: loop (connect.c:165) ==6018== by 0x402AD9: main (main.c:167) ==6018== ==6018== 48 bytes in 1 blocks are indirectly lost in loss record 20 of 38 ==6018== at 0x4C28CCE: realloc (vg_replace_malloc.c:632) ==6018== by 0x52A57C2: _new_derived_key.isra.8 (crypto.c:1944) ==6018== by 0x52A69AF: _get_derived_key (crypto.c:2000) ==6018== by 0x52A6AA7: get_checksum_key.isra.10 (crypto.c:323) ==6018== by 0x52A6C97: verify_checksum (crypto.c:479) ==6018== by 0x52A77AD: krb5_decrypt_ivec (crypto.c:1045) ==6018== by 0x52A7A20: krb5_decrypt (crypto.c:1829) ==6018== by 0x5064ED9: hdb_unseal_key_mkey (mkey.c:424) ==6018== by 0x5065014: hdb_unseal_keys_mkey (mkey.c:467) ==6018== by 0x505B6FF: _hdb_fetch_kvno (common.c:174) ==6018== by 0x4E4AC01: _kdc_db_fetch (misc.c:94) ==6018== by 0x4E41B1B: _kdc_as_rep (kerberos5.c:1660) ==6018== ==6018== 56 bytes in 1 blocks are still reachable in loss record 21 of 38 ==6018== at 0x4C272B8: calloc (vg_replace_malloc.c:566) ==6018== by 0x7D003CE: autorel_tls (heimbase.c:472) ==6018== by 0x7D00927: heim_auto_release_create (heimbase.c:544) ==6018== by 0x4E4BFBA: krb5_kdc_process_request (process.c:202) ==6018== by 0x4030AE: do_request (connect.c:431) ==6018== by 0x403CC1: loop (connect.c:489) ==6018== by 0x402AD9: main (main.c:167) ==6018== ==6018== 69 bytes in 1 blocks are possibly lost in loss record 22 of 38 ==6018== at 0x4C272B8: calloc (vg_replace_malloc.c:566) ==6018== by 0x7D00251: _heim_alloc_object (heimbase.c:333) ==6018== by 0x7D02978: heim_string_create_with_bytes (string.c:154) ==6018== by 0x52DB766: _krb5_load_plugins (plugin.c:422) ==6018== by 0x7D0032F: heim_base_once_f (heimbase.c:379) ==6018== by 0x52A4D1A: krb5_init_context (context.c:423) ==6018== by 0x402957: main (main.c:115) ==6018== ==6018== 72 bytes in 1 blocks are indirectly lost in loss record 23 of 38 ==6018== at 0x4C272B8: calloc (vg_replace_malloc.c:566) ==6018== by 0x5064C9E: hdb_read_master_key (mkey.c:129) ==6018== by 0x5065550: hdb_set_master_keyfile (mkey.c:723) ==6018== by 0x4E3BA47: krb5_kdc_set_dbinfo (set_dbinfo.c:59) ==6018== by 0x4048D0: configure (config.c:208) ==6018== by 0x402995: main (main.c:125) ==6018== ==6018== 80 bytes in 1 blocks are possibly lost in loss record 24 of 38 ==6018== at 0x4C272B8: calloc (vg_replace_malloc.c:566) ==6018== by 0x7D00251: _heim_alloc_object (heimbase.c:333) ==6018== by 0x7CFFA89: heim_dict_create (dict.c:117) ==6018== by 0x52DB93D: _krb5_load_plugins (plugin.c:432) ==6018== by 0x7D0032F: heim_base_once_f (heimbase.c:379) ==6018== by 0x52A4D1A: krb5_init_context (context.c:423) ==6018== by 0x402957: main (main.c:115) ==6018== ==6018== 80 bytes in 1 blocks are possibly lost in loss record 25 of 38 ==6018== at 0x4C272B8: calloc (vg_replace_malloc.c:566) ==6018== by 0x7D00251: _heim_alloc_object (heimbase.c:333) ==6018== by 0x7CFFA89: heim_dict_create (dict.c:117) ==6018== by 0x52DB96E: _krb5_load_plugins (plugin.c:441) ==6018== by 0x7D0032F: heim_base_once_f (heimbase.c:379) ==6018== by 0x52A4D1A: krb5_init_context (context.c:423) ==6018== by 0x402957: main (main.c:115) ==6018== ==6018== 88 bytes in 1 blocks are possibly lost in loss record 26 of 38 ==6018== at 0x4C272B8: calloc (vg_replace_malloc.c:566) ==6018== by 0x7CFFAF6: heim_dict_create (dict.c:125) ==6018== by 0x52DB93D: _krb5_load_plugins (plugin.c:432) ==6018== by 0x7D0032F: heim_base_once_f (heimbase.c:379) ==6018== by 0x52A4D1A: krb5_init_context (context.c:423) ==6018== by 0x402957: main (main.c:115) ==6018== ==6018== 88 bytes in 1 blocks are possibly lost in loss record 27 of 38 ==6018== at 0x4C272B8: calloc (vg_replace_malloc.c:566) ==6018== by 0x7CFFAF6: heim_dict_create (dict.c:125) ==6018== by 0x52DB96E: _krb5_load_plugins (plugin.c:441) ==6018== by 0x7D0032F: heim_base_once_f (heimbase.c:379) ==6018== by 0x52A4D1A: krb5_init_context (context.c:423) ==6018== by 0x402957: main (main.c:115) ==6018== ==6018== 224 bytes in 1 blocks are indirectly lost in loss record 28 of 38 ==6018== at 0x4C272B8: calloc (vg_replace_malloc.c:566) ==6018== by 0x505C6EF: hdb_db_create (db3.c:361) ==6018== by 0x5060B9C: hdb_create (hdb.c:513) ==6018== by 0x4E3BA18: krb5_kdc_set_dbinfo (set_dbinfo.c:52) ==6018== by 0x4048D0: configure (config.c:208) ==6018== by 0x402995: main (main.c:125) ==6018== ==6018== 244 bytes in 1 blocks are indirectly lost in loss record 29 of 38 ==6018== at 0x4C272B8: calloc (vg_replace_malloc.c:566) ==6018== by 0x551987C: hc_EVP_CipherInit_ex (evp.c:783) ==6018== by 0x52AAB6D: _krb5_evp_schedule (crypto-evp.c:47) ==6018== by 0x52A5F9E: _key_schedule (crypto.c:160) ==6018== by 0x52A7725: krb5_decrypt_ivec (crypto.c:1030) ==6018== by 0x52A7A20: krb5_decrypt (crypto.c:1829) ==6018== by 0x5064ED9: hdb_unseal_key_mkey (mkey.c:424) ==6018== by 0x5065014: hdb_unseal_keys_mkey (mkey.c:467) ==6018== by 0x505B6FF: _hdb_fetch_kvno (common.c:174) ==6018== by 0x4E4AC01: _kdc_db_fetch (misc.c:94) ==6018== by 0x4E41B1B: _kdc_as_rep (kerberos5.c:1660) ==6018== by 0x4E4BF03: kdc_as_req (process.c:77) ==6018== ==6018== 244 bytes in 1 blocks are indirectly lost in loss record 30 of 38 ==6018== at 0x4C272B8: calloc (vg_replace_malloc.c:566) ==6018== by 0x551987C: hc_EVP_CipherInit_ex (evp.c:783) ==6018== by 0x52A5F9E: _key_schedule (crypto.c:160) ==6018== by 0x52A7725: krb5_decrypt_ivec (crypto.c:1030) ==6018== by 0x52A7A20: krb5_decrypt (crypto.c:1829) ==6018== by 0x5064ED9: hdb_unseal_key_mkey (mkey.c:424) ==6018== by 0x5065014: hdb_unseal_keys_mkey (mkey.c:467) ==6018== by 0x505B6FF: _hdb_fetch_kvno (common.c:174) ==6018== by 0x4E4AC01: _kdc_db_fetch (misc.c:94) ==6018== by 0x4E41B1B: _kdc_as_rep (kerberos5.c:1660) ==6018== by 0x4E4BF03: kdc_as_req (process.c:77) ==6018== by 0x4E4C024: krb5_kdc_process_request (process.c:208) ==6018== ==6018== 244 bytes in 1 blocks are indirectly lost in loss record 31 of 38 ==6018== at 0x4C272B8: calloc (vg_replace_malloc.c:566) ==6018== by 0x551987C: hc_EVP_CipherInit_ex (evp.c:783) ==6018== by 0x52AAB6D: _krb5_evp_schedule (crypto-evp.c:47) ==6018== by 0x52A5F9E: _key_schedule (crypto.c:160) ==6018== by 0x52A6C97: verify_checksum (crypto.c:479) ==6018== by 0x52A77AD: krb5_decrypt_ivec (crypto.c:1045) ==6018== by 0x52A7A20: krb5_decrypt (crypto.c:1829) ==6018== by 0x5064ED9: hdb_unseal_key_mkey (mkey.c:424) ==6018== by 0x5065014: hdb_unseal_keys_mkey (mkey.c:467) ==6018== by 0x505B6FF: _hdb_fetch_kvno (common.c:174) ==6018== by 0x4E4AC01: _kdc_db_fetch (misc.c:94) ==6018== by 0x4E41B1B: _kdc_as_rep (kerberos5.c:1660) ==6018== ==6018== 244 bytes in 1 blocks are indirectly lost in loss record 32 of 38 ==6018== at 0x4C272B8: calloc (vg_replace_malloc.c:566) ==6018== by 0x551987C: hc_EVP_CipherInit_ex (evp.c:783) ==6018== by 0x52A5F9E: _key_schedule (crypto.c:160) ==6018== by 0x52A6C97: verify_checksum (crypto.c:479) ==6018== by 0x52A77AD: krb5_decrypt_ivec (crypto.c:1045) ==6018== by 0x52A7A20: krb5_decrypt (crypto.c:1829) ==6018== by 0x5064ED9: hdb_unseal_key_mkey (mkey.c:424) ==6018== by 0x5065014: hdb_unseal_keys_mkey (mkey.c:467) ==6018== by 0x505B6FF: _hdb_fetch_kvno (common.c:174) ==6018== by 0x4E4AC01: _kdc_db_fetch (misc.c:94) ==6018== by 0x4E41B1B: _kdc_as_rep (kerberos5.c:1660) ==6018== by 0x4E4BF03: kdc_as_req (process.c:77) ==6018== ==6018== 336 bytes in 1 blocks are indirectly lost in loss record 33 of 38 ==6018== at 0x4C28BED: malloc (vg_replace_malloc.c:263) ==6018== by 0x52ABC52: krb5_data_alloc (data.c:102) ==6018== by 0x52A5F8A: _key_schedule (crypto.c:154) ==6018== by 0x52A7725: krb5_decrypt_ivec (crypto.c:1030) ==6018== by 0x52A7A20: krb5_decrypt (crypto.c:1829) ==6018== by 0x5064ED9: hdb_unseal_key_mkey (mkey.c:424) ==6018== by 0x5065014: hdb_unseal_keys_mkey (mkey.c:467) ==6018== by 0x505B6FF: _hdb_fetch_kvno (common.c:174) ==6018== by 0x4E4AC01: _kdc_db_fetch (misc.c:94) ==6018== by 0x4E41B1B: _kdc_as_rep (kerberos5.c:1660) ==6018== by 0x4E4BF03: kdc_as_req (process.c:77) ==6018== by 0x4E4C024: krb5_kdc_process_request (process.c:208) ==6018== ==6018== 336 bytes in 1 blocks are indirectly lost in loss record 34 of 38 ==6018== at 0x4C28BED: malloc (vg_replace_malloc.c:263) ==6018== by 0x52ABC52: krb5_data_alloc (data.c:102) ==6018== by 0x52A5F8A: _key_schedule (crypto.c:154) ==6018== by 0x52A6C97: verify_checksum (crypto.c:479) ==6018== by 0x52A77AD: krb5_decrypt_ivec (crypto.c:1045) ==6018== by 0x52A7A20: krb5_decrypt (crypto.c:1829) ==6018== by 0x5064ED9: hdb_unseal_key_mkey (mkey.c:424) ==6018== by 0x5065014: hdb_unseal_keys_mkey (mkey.c:467) ==6018== by 0x505B6FF: _hdb_fetch_kvno (common.c:174) ==6018== by 0x4E4AC01: _kdc_db_fetch (misc.c:94) ==6018== by 0x4E41B1B: _kdc_as_rep (kerberos5.c:1660) ==6018== by 0x4E4BF03: kdc_as_req (process.c:77) ==6018== ==6018== 2,048 bytes in 2 blocks are definitely lost in loss record 35 of 38 ==6018== at 0x4C28BED: malloc (vg_replace_malloc.c:263) ==6018== by 0x4C28D6F: realloc (vg_replace_malloc.c:632) ==6018== by 0x404011: loop (connect.c:586) ==6018== by 0x402AD9: main (main.c:167) ==6018== ==6018== 2,545 (184 direct, 2,361 indirect) bytes in 1 blocks are definitely lost in loss record 36 of 38 ==6018== at 0x4C272B8: calloc (vg_replace_malloc.c:566) ==6018== by 0x4E3B31E: krb5_kdc_get_config (default_config.c:45) ==6018== by 0x4048A9: configure (config.c:202) ==6018== by 0x402995: main (main.c:125) ==6018== ==6018== 204,416 bytes in 1,597 blocks are possibly lost in loss record 37 of 38 ==6018== at 0x4C272B8: calloc (vg_replace_malloc.c:566) ==6018== by 0x7D00251: _heim_alloc_object (heimbase.c:333) ==6018== by 0x7D00940: heim_auto_release_create (heimbase.c:550) ==6018== by 0x4E4BFBA: krb5_kdc_process_request (process.c:202) ==6018== by 0x4030AE: do_request (connect.c:431) ==6018== by 0x4044C1: loop (connect.c:821) ==6018== by 0x402AD9: main (main.c:167) ==6018== ==6018== 28,553,856 bytes in 223,077 blocks are possibly lost in loss record 38 of 38 ==6018== at 0x4C272B8: calloc (vg_replace_malloc.c:566) ==6018== by 0x7D00251: _heim_alloc_object (heimbase.c:333) ==6018== by 0x7D00940: heim_auto_release_create (heimbase.c:550) ==6018== by 0x4E4BFBA: krb5_kdc_process_request (process.c:202) ==6018== by 0x4030AE: do_request (connect.c:431) ==6018== by 0x403CC1: loop (connect.c:489) ==6018== by 0x402AD9: main (main.c:167) ==6018== ==6018== LEAK SUMMARY: ==6018== definitely lost: 2,232 bytes in 3 blocks ==6018== indirectly lost: 2,361 bytes in 26 blocks ==6018== possibly lost: 28,758,709 bytes in 224,680 blocks ==6018== still reachable: 134 bytes in 3 blocks ==6018== suppressed: 0 bytes in 0 blocks ==6018== ==6018== For counts of detected and suppressed errors, rerun with: -v ==6018== ERROR SUMMARY: 10 errors from 10 contexts (suppressed: 14 from 6)
Description: enable s4u in heimdal TODO: Put a short summary on the line above and replace this paragraph with a longer explanation of this change. Complete the meta-information with other relevant fields (see below for details). To make it easier, the information below has been extracted from the changelog. Adjust it or drop it. --- The information above should follow the Patch Tagging Guidelines, please checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here are templates for supplementary fields that you might want to add: Origin: <vendor|upstream|other>, <url of original patch> Bug: <url in upstream bugtracker> Bug-Debian: http://bugs.debian.org/<bugnumber> Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber> Forwarded: <no|not-needed|url proving that it has been forwarded> Reviewed-By: <name and email of someone who approved the patch> Last-Update: <YYYY-MM-DD> --- heimdal-1.6~git20120403+dfsg1.orig/kdc/krb5tgs.c +++ heimdal-1.6~git20120403+dfsg1/kdc/krb5tgs.c @@ -1494,6 +1494,55 @@ eout: return ENOMEM; } + +/* +DAVIDT's patch +cpn is the service, selfcpn is the user it is trying to impersonate*/ +static int _krb5_s4uself_is_allowed(krb5_context context, krb5_kdc_configuration * config, const char * cpn, const char * selfcpn) +{ + char** allowed_principals = NULL; + + if((cpn == NULL) || (selfcpn == NULL)) + { + return (0); + } + else + { + char ** citem; + int matches = 0; + size_t s_len = strlen(selfcpn); + allowed_principals = krb5_config_get_strings(context, NULL, "kdc", "s4uself_allow", cpn, NULL); + if (!allowed_principals) + return (0); + citem = allowed_principals; + + while (*citem) + { + char * princ = *citem; + size_t p_len = strlen(princ); + if( !(p_len>s_len) ) /*p is the length of princ*/ + { + if(strncmp(princ, selfcpn+s_len-p_len, p_len)==0) + { + + kdc_log(context, config, 0, + "Selfcheck matches on %s selfcpn=%s", + selfcpn, princ); + krb5_config_free_strings(allowed_principals); + return (1); + } + } + + + citem++; + } + krb5_config_free_strings(allowed_principals); + } + return (0); + +} + + static krb5_error_code tgs_build_reply(krb5_context context, krb5_kdc_configuration *config, @@ -2057,9 +2106,24 @@ server_lookup: * delegation, remove the forward flag. */ - if (client->entry.flags.trusted_for_delegation) { - str = "[forwardable]"; - } else { + if (client->entry.flags.trusted_for_delegation ) { + if(_krb5_s4uself_is_allowed(context, config, cpn, tpn)){ + str = "[forwardable]"; + } + else{ + /*by davidt: check if cpn can impersonate selfcpn (rules in config file)*/ + kdc_log(context, config, 0, + "s4u2self_is_allowed: impersonating %s is not allowed.", + tpn); + + /*then set forwardable to 0*/ + b->kdc_options.forwardable = 0; + ret = KRB5KDC_ERR_BADOPTION; + goto out; // Do nothing! + str = ""; + } + } + else { b->kdc_options.forwardable = 0; str = ""; }
